SAP Access Control (GRC) Firefighter ID Review
In my earlier blog about Firefighter lifecycles (https://blogs.sap.com/2014/03/03/firefighter-id-lifecycle/), I mentioned the requirement to review Firefighter IDs on a regular basis. Over the last couple of years, this requirement has become an audit finding in most organizations. Firefighter ID management is still a challenge for most organizations as adequate tools are missing. To date, there was no functionality available to review Firefighter assignments which resulted in incorrect assignments, the need to clean up outdated and wrong assignments, as well as unmanaged risks with Firefighter assignments. As most organizations assign Firefighter for an extended period, which is typically 365 days, the need for a periodic review is immediate. Therefore, SAP Customer Connect has requested a new functionality to automate the review process of Firefighter IDs, similarly to the User Access Review (UAR).
With Support Package 16, the functionality is finally available. In this blog, I would like to demonstrate how to set up the Firefighter ID review workflow and what you can expect.
- Support Package 16 (refer to note 2413723)
- Activate BC sets for new MSMP workflow configuration. Go to transaction SCPR20 and search for BC set: GRC_MSMP_CONFIGURATION. Please note that activating the BC set will overwrite standard MSMP configuration and hence must be performed very carefully. Best-practice always recommends to use customer namespace for any customization. In this case, even though you have customized your stages and paths in the customer namespace, please make sure to note down the Process Initiators as the global setting will get overwritten. Once activated, you have to manually set the custom initiators for all your process IDs.
- Perform manual activity from note 2491708
- Make sure user WF-BATCH has authorization for object GRAC_FFOWN to read the Firefighter owners.
- Implement correction note 2501454
In case you are patching your system or implementing the notes, make sure that you perform the workflow customizing.
Perform task-specific customizing via transaction OOCU and create and activate the event linkage for the new workflow. You can find the entry in GRC > GRC-AC and click on “Activate event linking”.
Also, make sure that the workflow template that is being used is activated. Go to transaction PFTC and choose Workflow template 76300107. Open the workflow template and navigate to the Workflow builder. Click on the activate button.
Configuration and How to Start the Workflow
Step 1 – MSMP Configuration
Once the BC sets have been activated, a new process ID named SAP_GRAC_FFID_REVIEW is available in the MSMP configuration. The customization of the workflow follows the standard behavior of other MSMP workflows. Please have a look at the following document from Colleen Hebbert if you do not understand how to customize MSMP workflows: https://blogs.sap.com/2014/03/17/msmp-multi-step-multi-process-grc-s-answer-to-workflow-configuration-flexibility/
Step 2 – Background Scheduler
From the NWBC, go to Access Management > Scheduling > Background Scheduler and create a new schedule for the “Generates data for access request Firefighter ID review”.
In the selection screen, you can narrow down your review or just simply run for all objects.
Tip: To quickly generate workflow items without using the Background Scheduler, you can run report GRAC_FFID_REVIEW_GEN from SE38.
Step 3 – Check and process the Workflow item
To check the generated workflow items, we can use the Search Request application as an administrator. The Firefighter Owner will receive the access request in his work inbox. Please note that for the Search Request application the new process ID must be selected:
Processing the workflow is very similar to the User Access Review (UAR). A Firefighter Owner has two choices: approving the assignment or removing it. Each line item must be processed and the necessary action set. The “Action” column will change accordingly. Once reviewed, the workflow can be submitted and will follow the workflow path. After all, approvals are given, the system will automatically provision the required changes, e.g., remove Firefighter assignments.
In case you run into issues, you can activate the MSMP debug log for the newly created process ID in transaction GRFNMW_DEBUG.
You can then check the debug log from transaction GRFNMW_DBGMONITOR_WD.
I hope this blog helps to quickly implement this new function and make it available to your business users.
- SAP Security Hardening – Implement Security by Design and Zero Trust - 12. July 2022
- SAP Security Orchestration with Xiting’s Security Solutions - 21. October 2021
- CMMC Compliance in SAP - 24. August 2021