The Importance of Firefighter Log Analysis for SAP GRC Firefighter Controller
This is the third in a three-part blog series reviewing the SAP GRC Firefighter Controller log in SAP Access Controls. In part one, we walked through the setup process for firefighter sessions and the entire process of the firefighter activity, along with the Controller Log Review Report Approval. In part two, we looked at the ‘Additional Information’ feature and the log submission process. In this blog, we will review the firefighter log analysis process.
Firefighter Log Analysis
When the firefighter completes the firefighter activity and logs off, there are certain jobs that need to be executed in order to push data from the target system to the GRC system.
The jobs required are:
- Transaction Log: Captures transaction execution from transaction STAD.
- Change Log: Captures change log from change document objects (tables CDPOS and CDHDR)
- System Log: Captures Debug & Replace information from transaction SM21.
- Security Audit Log: Captures Security Audit Log from transaction SM20
- OS Command Log: Captures changes to OS commands from transaction SM49.
Read here to understand how data is pushed to GRC.
The following tables are updated when you execute the EAM jobs:
Issues during the synchronization:
Time Zone Issue: Make sure that the GRC box and the plugin system have the same time zone. See also SAP Note 1595462.
4010 Role Issue: Delete the custom role, copy the standard role SAP_GRAC_SPM_FFID to a Z role Z_SAP_GRAC_SPM_FFID, and then run the above jobs and test again.
Invalid Log Report: Refer to SAP Note 1967403 – EAM: Resolving the “Invalid Log Report” error in Firefighter Log Review reports.
Parameter 4007: Send Log Report Execution Notification Immediately
The work items and emails for log notification are sent for each session separately, so that details like reason code, additional activity and activity are displayed separately. This can be really annoying to a controller. You can set parameter 4007 to “No” and schedule program GRAC_SPM_WORKFLOW_SYNC for each connector. The controller will then receive the notifications once per day and can review them. IMPORTANT NOTE: Parameter 4007 only sends the work items in one go; a work item is still sent for each session. From the audit perspective this is necessary, as it helps auditors to review each session separately and then review the logs separately.
Emergency Access User Management Reports
Consolidated Log Report
Invalid Superuser Report
The Invalid Superuser Log is launched from the Superuser Management Reports area. This log is used to analyze the users who are expired, locked or deleted.
Notes to Implement:
Restricting SPM Controllers from approving their own firefighter activity log workflow requests:
The first note 2092273 has to be applied to the GRC system.
The second note 1545511 needs to be applied to the ECC system or the system where the firefighter user IDs are present.
Firefighter User Exit
2013288 – Firefighter log review Workflows is not getting generated sometime
2113776 – Blank Firefighter Log Review workflow
Also check master Note
1967403 – EAM: Key note for Firefighter Log and Review Workflow issues
2053139 – Firefighter and Controller are not able to process workflow successfully
2013909 – FF Log Review Workflow is going into error status.
If the Controller still doesn’t get a notification try the following:
- In the NWBC of GRC, in Firefighter Controller assignment, choose Notification by “Workflow”, not Email.
- In MSMP (tcode GRFNMW_CONFIGURE_WD), make sure you select process ID SAP_GRAC_FIREFIGHT_LOG_REPORT in Change mode, then advance to step seven to Save and Activate the workflow.
- Make sure you are running background job GRAC_SPM_LOG_SYNC_UPDATE periodically (I set it for every 10 min) because this job collects the Firefighter log info AND sends out the workflow item, which triggers the email notification.
- If you have performed all of the above and you still do not get an email notification, make sure the stage notification settings in MSMP are set correctly: the Recipient “GRAC_CURRENT_APPROVERS” should receive Template ID “GRAC_LOGRPT_WORK_ITEM” on notification event “NEW_WORK_ITEM”. Save and Activate in step seven after this is configured.
For issues where the EAM Consolidated Log is missing or the workflow request is not created, refer to the following:
- Apply SAP Note 1775432 if the time zone is different in the plugin system. If the GRC system has plugin components installed, then both the SAP system time zone (STZAC) and the operating system time zone must be the same.
- Check ST22 for any dumps in the GRC and plugin systems. Apply SAP Note 1855037 to get extra debug logs.
- Refer to SAP Note 2142860 for troubleshooting the FF Log issue.
Missing Controller logs?
Parameter 4020: When the firefighter does not perform any firefighter activity after hitting the login button on the FF launch pad, and the controller receives an email automatically after the firefighter logs in, the controller will get an email stating that the firefighter did not perform any activity.
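An added example, not part of the original post and not SAP code: a reconciliation an auditor could run over exported session and log-review data to spot the conditions discussed above (no log review workflow created for a session, a controller reviewing their own firefighter session, a session with no logged activity). The CSV layout, column names and finding labels are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names are hypothetical, not SAP table fields.
SESSIONS_CSV = """session_id,ffid,firefighter,controller,actions_logged
S001,FF_BASIS_01,JSMITH,MKHAN,14
S002,FF_FI_01,MKHAN,MKHAN,3
S003,FF_BASIS_01,ALEE,MKHAN,0
S004,FF_FI_01,JSMITH,RPATEL,7
"""

REVIEWS_CSV = """session_id,reviewed_by,status
S001,MKHAN,APPROVED
S002,MKHAN,APPROVED
S003,MKHAN,APPROVED
"""


def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(sessions, reviews):
    """Return {session_id: [findings]} for sessions that need follow-up."""
    reviews_by_session = {}
    for review in reviews:
        reviews_by_session.setdefault(review["session_id"], []).append(review)

    findings = {}
    for session in sessions:
        issues = []
        session_reviews = reviews_by_session.get(session["session_id"], [])
        if not session_reviews:
            # No log review work item exists for this session at all.
            issues.append("NO_REVIEW_WORKFLOW")
        if any(r["reviewed_by"].upper() == session["firefighter"].upper()
               for r in session_reviews):
            # The person who used the firefighter ID also reviewed the log.
            issues.append("SELF_REVIEW")
        if int(session["actions_logged"]) == 0:
            # Either no activity was performed or the log sync collected nothing.
            issues.append("NO_ACTIVITY_LOGGED")
        if issues:
            findings[session["session_id"]] = issues
    return findings


if __name__ == "__main__":
    for sid, issues in reconcile(load(SESSIONS_CSV), load(REVIEWS_CSV)).items():
        print(sid, ", ".join(issues))
```

A NO_ACTIVITY_LOGGED finding is a prompt to check the log sync jobs and time zone settings before accepting that the session was genuinely idle.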
That wraps up this overview of the GRC Firefighter Controller features. If you missed part one of this blog, we covered who is a controller in the GRC Firefighter Access Controls. Part two covered the ‘Additional Features’ section of the GRC Access Controls.