NTT DATA Business Solutions
NTT DATA Business Solutions | September 1, 2016

What is the SAP GRC Firefighter Controller?


Who is a Controller in SAP GRC Access Control? A Controller is responsible for monitoring and assessing the appropriateness of the activity a user performs with an individual Firefighter ID (FFID). The Controller audits the usage of FFIDs by reviewing and signing off on the Firefighter Log Report, confirming that only expected and appropriate actions occurred during the firefighting session, and addresses or escalates any suspected misuse to the appropriate parties.

A Controller's Log Review Checklist covers questions such as the following:

  • Is there an incident number?
  • Has the firefighter documented adequate information upon checkout?
  • Has the appropriate FF ID been checked out?
  • Do the actions performed by the FF match the intended actions?
  • Were fraudulent or unauthorized actions performed with the elevated access?
  • Is the Firefighter ID used only in emergency situations?

If an audit takes place six months later and the auditors want to know whether a controller actually performed the review, you can pull a report of the controller log review requests and their approval status after the firefighter activity:

NWBC => Access Management => ARA => Search Requests. Select Process ID = “Firefighter Log Report Review Workflow” and the period of interest. The report lists all requests and the status of each; from there you can drill into any of them to see its status, export the list, and so on.


Let’s take a look at the steps to set up firefighter sessions and the entire process of the firefighter activity along with the Controller Log Review Report Approval.

Step 1: Assign the Firefighter ID FIREFIGHTER to the firefighter user ID rurs.


Step 2: Double-check that the Firefighter ID has a controller assigned. In this case it is RRURS.


Step 3: Assign the Firefighter ID FIREFIGHTER to the Owner ID RRURS.


Step 3.5: Check that parameter 1113 is configured and that the WF-BATCH user has an email address maintained, so that the workflow notifications can be sent.


Step 4: Log in to the target system and start your firefighter session.

Access the target system and enter the transaction code: /GRCPI/GRIA_EAM


Click Logon and enter the checkout details (reason code and activity description) for the session:


After the firefighter activity has been completed, click “Log off”.


Check the notification settings for your controller; they determine how the controller receives the log report.


You have three options here:

  • Workflow – sends a work item to the controller's GRC work inbox, without any email notification
  • Email – sends the controller an email notification with a link to the SPM (firefighter) log
  • Log Display – the controller views the log in the log report instead of receiving a work item or an email


With the Workflow setting above, the controller receives a work item in the work inbox.


You can enter notes in this section if needed. For example, if an incident was raised to justify opening this Firefighter session, this is where the controller can record the Solution Manager (Solman) ticket number.


You can also upload attachments if needed, for example a Risk and Control Matrix with the related Firefighter control testing information.

Notes and attachments become mandatory when the stage settings mark them as required.

The process ID used for this workflow is also visible in the stage configuration:


Notice that the Comments section is set to Mandatory.


The Notes section is where the controller must enter notes before approving the Firefighter Log.


You can also upload an attachment if needed.


Adjust the layout so that the “Activity Description” field sits right next to the “Transaction” field.


The controller can now compare the transaction codes the firefighter said they would execute (the activity description entered at checkout) with the transactions actually executed.


Notice that the user executed SPRO (the customizing IMG) although the activity description does not mention that transaction. This is exactly the discrepancy the review exists to catch: the controller can send the work item back to the firefighter to explain the undeclared transaction and return it.
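As an added illustration (not code from the original post and not SAP's own implementation), here is the comparison the controller performs, expressed as a check over exported session data. The checkout record, the session log layout, the incident-number pattern and the list of high-risk transactions are all assumptions constructed for the example; the session log deliberately contains the undeclared SPRO from the screenshot scenario.

```python
"""Controller log review as a check over exported session data.

Added illustration for this post; it is not SAP's code and not the page's own.
It assumes a simplified checkout record (Firefighter ID, firefighter, reason
code, activity description) and a session log exported as one line per
executed transaction.  All field names and sample data below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed checkout record: what the firefighter entered at checkout.
CHECKOUT: Dict[str, str] = {
    "ffid": "FIREFIGHTER",
    "firefighter": "RURS",
    "reason_code": "Emergency change",
    "activity_description": "INC0012345 - adjust pricing condition via VK11 and VK12, verify with VA03",
}

# Constructed session log: date, time, Firefighter ID, executed transaction code.
SESSION_LOG = """\
2016-09-01 10:02:11 FIREFIGHTER VK11
2016-09-01 10:05:40 FIREFIGHTER VK12
2016-09-01 10:07:02 FIREFIGHTER SPRO
2016-09-01 10:09:55 FIREFIGHTER VA03
"""

TCODE_RE = re.compile(r"\b([A-Z][A-Z0-9_/]{2,19})\b")   # upper-case tokens that look like tcodes
INCIDENT_RE = re.compile(r"\b(INC\d{6,}|\d{7,})\b")       # incident / Solman ticket number (assumed format)

# Transactions that change customizing or security objects; an undeclared use of
# these is escalated rather than merely queried.  Illustrative list, not SAP's.
HIGH_RISK_TCODES: Set[str] = {"SPRO", "SU01", "PFCG", "SM30", "SE16N", "SE38", "SCC4"}


@dataclass
class ReviewResult:
    incident: Optional[str]
    declared: Set[str]
    executed: Set[str]
    undeclared: Set[str]
    high_risk_undeclared: Set[str]
    findings: List[str] = field(default_factory=list)

    @property
    def approvable(self) -> bool:
        """The controller may sign off only when nothing needs clarification."""
        return not self.findings


def declared_tcodes(activity_description: str) -> Set[str]:
    """Transaction codes the firefighter named in the activity description."""
    return {tok for tok in TCODE_RE.findall(activity_description)
            if not INCIDENT_RE.fullmatch(tok)}


def parse_session_log(text: str) -> List[Dict[str, str]]:
    """One record per executed transaction: date, time, ffid, tcode."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ffid, tcode = line.split()
        records.append({"date": date, "time": time, "ffid": ffid, "tcode": tcode})
    return records


def review_session(checkout: Dict[str, str], session_log: str) -> ReviewResult:
    """Run the checklist items that can be decided from the data alone."""
    desc = checkout["activity_description"]
    m = INCIDENT_RE.search(desc)
    incident = m.group(1) if m else None
    declared = declared_tcodes(desc)
    records = parse_session_log(session_log)
    executed = {r["tcode"] for r in records if r["ffid"] == checkout["ffid"]}
    undeclared = executed - declared
    result = ReviewResult(incident, declared, executed, undeclared, undeclared & HIGH_RISK_TCODES)

    if incident is None:
        result.findings.append("no incident number in the activity description")
    if not declared:
        result.findings.append("activity description names no transactions to compare against")
    foreign = {r["ffid"] for r in records} - {checkout["ffid"]}
    if foreign:
        result.findings.append(f"log contains activity for other FFIDs: {sorted(foreign)}")
    for tcode in sorted(undeclared):
        level = "ESCALATE" if tcode in HIGH_RISK_TCODES else "query"
        result.findings.append(f"{level}: {tcode} executed but not declared")
    return result


if __name__ == "__main__":
    r = review_session(CHECKOUT, SESSION_LOG)
    print("incident:", r.incident, "| declared:", sorted(r.declared), "| executed:", sorted(r.executed))
    for f in r.findings:
        print(" -", f)
    print("approvable:", r.approvable)
```

The check only automates the mechanical part of the checklist (incident number present, declared versus executed transactions, activity for the right FFID); whether the undeclared transaction was justified still needs the firefighter's explanation and the controller's judgment.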

Check the status of the log review in the Search Requests report. It should read “Running” because the review has not yet been approved.


(1) Hold – If several controllers received the work item and one of them wants to keep it, that controller can put it on hold while checking further details. While the item is on hold, the other controllers see it in non-editable mode, and the controller who placed the hold has a “Release” option under “Other actions”. Once released, the work item is again editable by all controllers.

(2) Additional Information – If the controller needs more information from the firefighter, this action forwards the work item to the firefighter. The firefighter provides the details in the Notes tab and returns the item to the controller, who can then continue processing it.

(3) Forward – Use this action to forward the work item to any user or to another EAM controller. The action is only available if the “Forward” checkbox is ticked in the stage-level task settings.
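To make the edit-mode rules of these three actions concrete, here is an added model of the work item's life cycle (example code written for this post, not SAP's workflow implementation). The class, its state names, the `rejected` helper and the user IDs are assumptions; the rules it enforces are the ones described above: only the holder can edit or release a held item, the item is editable only by the firefighter while it is out for additional information, Forward is gated on the stage-level setting, and approval requires a comment because the stage marks comments as mandatory.

```python
"""Life cycle of a Firefighter log review work item.

Added example for this post, not SAP's workflow code.  It models the three
"Other actions" described above plus the final approval: Hold/Release,
Additional Information (round trip to the firefighter) and Forward (only when
the stage-level task setting allows it).  Class, state and user names are assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


class WorkItemError(Exception):
    """Raised when a user attempts an action the work item state does not permit."""


@dataclass
class LogReviewWorkItem:
    controllers: Set[str]            # controllers who received the work item
    firefighter: str                 # firefighter whose session is under review
    forward_allowed: bool = False    # stage-level task setting "Forward"
    status: str = "Running"          # "Running" until approved
    held_by: Optional[str] = None    # controller who put the item on hold
    with_firefighter: bool = False   # sent back for additional information
    notes: List[str] = field(default_factory=list)

    def can_edit(self, user: str) -> bool:
        """Edit mode: the holder while on hold, the firefighter while the item is
        with them, otherwise any assigned controller; read-only for everyone else."""
        if self.status != "Running":
            return False
        if self.with_firefighter:
            return user == self.firefighter
        if self.held_by is not None:
            return user == self.held_by
        return user in self.controllers

    def _require_controller_edit(self, user: str) -> None:
        if user not in self.controllers or not self.can_edit(user):
            raise WorkItemError(f"{user} may not act on this work item now")

    def hold(self, controller: str) -> None:
        self._require_controller_edit(controller)
        self.held_by = controller

    def release(self, controller: str) -> None:
        # Only the controller who placed the hold sees the "Release" action.
        if self.held_by != controller:
            raise WorkItemError(f"{controller} did not place the hold")
        self.held_by = None

    def request_additional_information(self, controller: str, question: str) -> None:
        self._require_controller_edit(controller)
        self.notes.append(f"{controller}: {question}")
        self.with_firefighter = True

    def firefighter_reply(self, user: str, answer: str) -> None:
        if not self.with_firefighter or user != self.firefighter:
            raise WorkItemError(f"{user} cannot reply on this work item")
        self.notes.append(f"{user}: {answer}")
        self.with_firefighter = False        # item returns to the controller(s)

    def forward(self, controller: str, target: str) -> None:
        if not self.forward_allowed:
            raise WorkItemError("Forward is not enabled in the stage task settings")
        self._require_controller_edit(controller)
        self.controllers = {target}          # the recipient becomes the sole reviewer
        self.held_by = None

    def approve(self, controller: str, comment: str) -> None:
        self._require_controller_edit(controller)
        if not comment.strip():
            raise WorkItemError("comments are mandatory at this stage")
        self.notes.append(f"{controller}: {comment}")
        self.status = "Approved"


def rejected(action: Callable, *args) -> bool:
    """True if the action is refused by the work item's rules (helper for the demo)."""
    try:
        action(*args)
    except WorkItemError:
        return True
    return False


if __name__ == "__main__":
    wi = LogReviewWorkItem(controllers={"RRURS", "CTRL2"}, firefighter="RURS")
    wi.hold("RRURS")
    print("CTRL2 can edit while RRURS holds it:", wi.can_edit("CTRL2"))       # False
    print("CTRL2 release refused:", rejected(wi.release, "CTRL2"))             # True
    wi.release("RRURS")
    wi.request_additional_information("RRURS", "Why was SPRO executed?")
    wi.firefighter_reply("RURS", "SPRO was opened to verify the condition table assignment")
    print("Forward refused (stage setting off):", rejected(wi.forward, "RRURS", "CTRL3"))
    wi.approve("RRURS", "Reviewed; SPRO justified by the firefighter's reply")
    print("status:", wi.status)
```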

That is a good overview of SAP GRC Access Controls. In part two of this blog, we’ll examine the ‘Additional Information’ feature and the log submission process.