Académique Documents
Professionnel Documents
Culture Documents
User Manual
Super User Privilege Management
GRC MCS
GE Energy
g is a registered trademark of the General Electric Company in the United States and other countries.
© 2011General Electric Company. All rights reserved.
Contents
1 Purpose................................................................................................................................................2
2 Prerequisites........................................................................................................................................2
3 Configuration in SUPERUSER PRIVILEGE MANAGEMENT (SPM)..........................................................5
3.1 Firefighter Administrator.............................................................................................................6
3.1.1 ‘Owners’ Tab........................................................................................................................9
3.2 Firefighter Owner.......................................................................................................................12
3.2.1 ‘Firefighters’ Tab.................................................................................................................14
3.2.2 ‘Controllers’ Tab.................................................................................................................15
4 Firefighter Controller.........................................................................................................................17
5 Firefighters.........................................................................................................................................17
1 Purpose
This document discusses about Super User Privilege Management (Fire Fighter)
2 Prerequisites
One should have the authorization to Virsa Firefighting Tool (T-Code /VIRSA/VFAT). SAP
IDs also needs to be created with appropriate role assignments:
Owners (Business & SAP Support /VIRSA/Z_VFAT_ID_OWNER Personnel who are decision
Personnel) ZSPM_OWNER makers of situations
requiring the use of
Firefighter IDs for problem
resolution.
[N.B.: ‘Controllers’ have no such dedicated Role. Owners & Controllers may be the
same.]
Super User Privilege Management or Firefighter (SPM) enables users to perform duties not
included in the roles or profiles assigned to their User IDs. This application allows personnel to
take responsibility for tasks outside their normal job function. Firefighting describes the ability to
perform tasks in emergency situations. SUP temporarily redefines the IDs of users when
assigned with solving a problem, giving them provisionally broad, but regulated access. There is
complete visibility and transparency to everything done during the period. It provides a solution
for systematic handling of emergency situations and at the same time managing the risk for the
special access necessary to resolve the issue.
If there’s any new Firefighter Owner to be introduced, Firefighter Administrator has to assign
the Owner to FF ID. Administrator (ZSPM_ADMIN) logs into SAP Backend and executes the
We need to configure SPM in each backend. As the frist step create SPM Administrator user with the
role: /VIRSA/Z_VFAT_ADMINISTRATOR. Here our SPM admistrator user is ZSPM_ADMIN.
After you login with this Id you get the below screen:
Here,
Owner Additional Auth. Setting: Ensures that owners can only manage Firefighter IDs they own.
Controler Additional Auth. Setting: Ensures that controllers can only access log reports of Firefighter IDs they were
assigned to.
Click on Owners.
Now assign to each Firefighter ID one or Multiple owners. Here, in our case to the we’ve created the
firefight id as ZSUPERUSER and assigned it to the Firefight id Owner named ZSPM_OWNER.
Then create reason codes which Firefighters will have to select from upon
activation of Firefighter IDs that were granted to them.
Firefighter Owner is the person who assigns the Firefighter ID to Firefighters (SAP users) & also
assigns Controllers. Owner (ZSPM_OWNER) logs in & maintains Tab & assigns
Click on Firefighters
Assign Firefighter IDs to Firefighters (These are the end users with access to SPN)
The Controllers tab designates Firefighter users receiving email notification of Firefighter ID
login events. A Controller can be responsible for more than one Firefighter ID. A Firefighter ID
can be assigned to multiple Controllers.
Click on Controllers
Then assign Firefighter IDs to Controllers. This allows Owners to delegate the
Note:
Choose Work Flow to send log notification and log reports to an appropriate Controller’s
SAP email inbox.
Choose Log display if the Controller will view Firefighter ID login events from the
Firefighter Cockpit. Choosing Log display means the Controller will manually generate
a Log report and view the report within the Firefighter program.
Choose Email if the Controller will receive email notifications each time a login event
occurs with a Firefighter ID.
4 Firefighter Controller
A Firefighter Controller is the person who will be constantly monitoring the activities of the
firefighters (SAP Users). Once a firefighter logs in the assigned Firefighter ID, the Controller will
receive the notification for the same. He can view/download the log report through SAP
Backend by executing the following T-Code.
T- Code: - /n/VIRSA/VFAT_01
GE Proprietary Information For Internal Use Only 4/4/2019
Page 16 of 28
GE GRC Implementation User Manual
Controller can execute the report by either of the Input parameters or by combination of the
same
5 Firefighters
Firefighters are basically the SAP Users who’ll be using the Firefighter IDs assigned to them to
perform tasks in emergency situations. For using the Firefighter ID, the Firefighter (SAP User)
has to log into SAP Backend through his/her normal SAP ID.
Logon as Firefighter(ZENDUSER) .
Click on Logon button. See the status is in Green color i.e login allowed and no one has logged to
FireFighter id: ZSUPERUSER.
Firefighter (ZENDUSER) will log in to SAP Backend & will have to execute the T-Code
/n/VIRSA/VFAT. The following screen will appear where he can view the Firefighter ID assigned
to him & whether the Firefighter ID is available for his use:
There after, the Firefighter will have to click on the button, to access the Firefighter ID and the following
screen will pop-up, where, the firefighter has to select the appropriate reason code, the reason for using the access &
actions anticipating to perform as shown below:
Click on ok
User can execute the Required Transactions and all the actions will logged.
See the Status is in Red Color. At this stage the SPM does not allow any other users to login to the
FireFighter Id: ZSUPERUSER.
[N.B.: The Firefighter ID is available if the Status is green. Once the firefighter logs into the
Firefighter ID, the status will become red which indicates that the Firefighter ID is in use. At a
time, a single Firefighter ID can be used by a single firefighter only]
Now since the firefighting userid ZSUPERUSER is being already used by the fire fighter ZENDUSER , we
see the status in red .And if we try to logon now with other Firefighter ID’s then the below screen will
appear:
A Background job by the name /VIRSA/ZVFATBAK scheduled periodically (hourly) to prepare reports
from transaction usage logs.
And these reports can be viewed by the controllers in back-end systems and SPM users in java front-end
reports.
After you made your selection the log report appears. It should list all relevant details as displayed below:
Firefighter, Firefighter ID, logon time stamp, transaction or report name and details of change documents,
if created by SAP system.
6. SPM FRONTEND
Login to the GRC frontend and with ff_admin and click on Superuser Privilege Management. You
get the below screen. This is the SPM frontend screen.