SAP Firefighter Concept

Secure Emergency User Management with the XAMS

Every company running SAP must be able to respond quickly and in a compliant manner to exceptions and emergency situations in daily business operations. Through extended authorizations provided via SAP Firefighter processes (the SAP emergency user concept in EAM – Emergency Access Management), selected users can perform activities beyond their normal responsibilities. These extended rights must be assigned immediately and only for a limited time, with complete, audit-ready logging at all times. Organizations must also ensure that no significant risks arise from granting temporary high-privilege access.

This blog post explains why companies need an SAP Firefighter concept and the challenges involved. It then describes how the Xiting Authorizations Management Suite (XAMS) helps you provide extended authorizations efficiently and in a fully audit-compliant way.

Definition and Scope

What is an SAP Firefighter User and Concept?

An SAP Firefighter user is a specially configured SAP emergency user who receives temporarily extended permissions as part of SAP EAM (Emergency Access Management). These permissions exceed the standard SAP role and authorization concept and are used exclusively for clearly defined exceptions or emergency scenarios.

The SAP Firefighter concept defines the organizational and technical framework for managing such emergency access securely. It includes request handling, approval, time restrictions, logging, and post-session review of activities performed. The goal of an SAP Firefighter concept is to provide short-term privileged access while ensuring compliance requirements, internal controls, and legal regulations are met.

Unlike permanently privileged users such as administrators or key users, Firefighter access is always time-limited and scenario-based. Every Firefighter session must be logged and reviewed, reducing risks related to segregation-of-duties (SoD) conflicts.

Why companies need an SAP Firefighter Concept

Cyberattacks on corporate data have risen dramatically in recent years, increasing the risk of severe financial damage. In addition, companies must comply with legal requirements and industry regulations. A solid SAP Firefighter concept is essential for organizations that want to avoid operational disruptions and minimize risks within SAP security.

Internal control requirements and SoD conflicts also make it necessary to manage sensitive or extensive authorizations through an SAP emergency user concept. The objective is to provide selected users with temporary extended access for essential and time-critical tasks.

Common scenarios include:

  • Critical system activities like maintenance and support
  • Time-sensitive business processes that cannot be executed otherwise
  • Substitution of key users during vacation or unplanned absence

Challenges when using SAP Firefighter Users

To prevent misuse, companies must follow strict compliance guidelines when using SAP Firefighter users. Extended authorizations must only be granted temporarily and in a controlled manner. Complete, audit-ready logging is mandatory. Logs must be reviewed regularly by independent persons such as security officers or internal auditors. Shared accounts should be avoided to maintain accountability.

Required Firefighter authorizations depend on the scenario. For critical tasks, extensive permissions may be necessary, for example based on SAP_ALL (with legally critical rights excluded). For substitution scenarios, assigning the key user’s regular roles may be sufficient.

Implementation with the XAMS

SAP Firefighter Concept in Practice

With the XAMS, companies can prevent misuse of extended rights through a smart, scalable, and maintainable concept. Such an approach can be defined and fully implemented within days. The XAMS uses temporary reference user assignments, a method also applied in Productive Test Simulation (PTS) and Protected Go-Live (PGL) scenarios.

The user keeps their standard authorizations, while the reference user provides additional Firefighter rights. All activities are recorded under the user’s own ID, ensuring full transparency. Personal settings such as favorites and printers remain active during Firefighter sessions.

Figure 1: Principle of temporary assignment of a reference user with extended authorizations

With XAMS, you define which users may access extended permissions. You can set individual maximum session durations for each Firefighter user. Multiple workflow options and logging configurations allow you to adapt the concept to your organization.

You can add an additional security layer by enabling a pre-approval process. In that case, a designated approver must authorize the session before it begins. Substitute approvers can be configured, but self-approval is always excluded.

If you choose not to use pre-approval, authorized users receive Firefighter permissions automatically after submitting their self-service request. This is ideal for time-critical scenarios. A post-session review ensures that the Firefighter was used only for the intended purpose.

You can choose which change logs to activate for each Firefighter. Configurable logs can be grouped by function and activated for entire groups (see Figure 2).

In addition to SAP standard logging programs, custom programs can be defined to capture specific activity types during Firefighter sessions. When a session ends, all logs are gathered and combined into a single audit report.

Figure 2: Configurable change logs

Examples

Firefighter concept with XAMS from three perspectives

The examples below illustrate how the SAP Firefighter concept works in XAMS for an administrator, an authorized end user, and a reviewer. This scenario uses a post-session review without pre-approval.

Firefighter Management from an Administrator’s Perspective

The administrator creates the reference user E_BC_SUPPORT with a maximum usage duration of four hours per session. The approver X_APPROVER is assigned.

No pre-approval is required, but post-session review is activated.

Figure 3: Creating Firefighter users in XAMS

The administrator then assigns which users can request this Firefighter. User X_FI is authorized to request E_BC_SUPPORT. Administrators may configure distribution lists to notify responsible parties when sessions are requested, completed, or ready for review.

Adjustments can be made at any time.

Figure 4: Administration of authorized users

The administrator also configures which logs are active to ensure compliant documentation of all relevant activities.

Firefighter Usage from the End User’s Perspective

Authorized user X_FI requests an EAM session via self-service. The user provides a justification and desired duration, up to the maximum allowed time frame.

Figure 5: Self-service request for a Firefighter session

Since no pre-approval is required, the session starts immediately. In this example, X_FI performs a critical financial transaction required due to an unexpected accounting error.

XAMS can enforce automatic logoff at session end or after the defined maximum duration. This ensures that extended rights are never active longer than necessary. Multiple users can use the same Firefighter at the same time, since all actions are logged under their own user IDs.

After the session ends, all configured logging programs run automatically. Their results are stored in spool requests and transferred to a dedicated table for long-term retention.

Firefighter Log Review from an Auditor’s Perspective

Regular review of change logs is essential for a well-documented SAP Firefighter concept. Reviewer X_APPROVER receives a notification when the session ends and the logs are available.

Figure 6: Administration of EAM with XAMS

Example review:
The reviewer verifies that E_BC_SUPPORT was used by X_FI for a critical financial transaction. All actions comply with policies.

Alternative situation:
The reviewer discovers that X_FI executed additional unauthorized activities not included in the original justification. The reviewer initiates further investigation and requests clarification.

Figure 7: Confirming a completed EAM session
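The controls this article describes (only listed users may request a Firefighter, a per-Firefighter maximum session duration, no self-approval, automatic logoff at the end of the window, logging under the requester's own ID rather than the reference user, and a post-session review against the stated justification) as a small added Python model. This is illustrative code written for this page, not XAMS or SAP code; the function names, the session fields and the activity labels are constructed for the example, and the only values taken from the page are the names E_BC_SUPPORT, X_FI and X_APPROVER and the four-hour cap.

```python
"""Model of a Firefighter (EAM) session lifecycle.

Illustrative code, not XAMS/SAP code: names, fields and activity labels
are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Firefighter:
    ref_user: str                   # reference user carrying the extended rights
    max_duration: timedelta         # per-session cap set by the administrator
    approver: str                   # approver (if pre-approval) and reviewer
    authorized_requesters: frozenset
    pre_approval: bool = False


@dataclass
class Session:
    requester: str                  # activities are logged under this ID, never ref_user
    firefighter: Firefighter
    justification: str
    start: datetime
    end: datetime
    approved_by: str = ""
    actions: list = field(default_factory=list)  # (timestamp, user_id, activity)
    closed: bool = False

    def is_active(self, now):
        if self.firefighter.pre_approval and not self.approved_by:
            return False            # pre-approval configured but not yet given
        return not self.closed and self.start <= now < self.end


def request_session(ff, requester, justification, wanted, now):
    """Self-service request: listed users only, duration capped at max_duration."""
    if requester not in ff.authorized_requesters:
        raise PermissionError(f"{requester} may not request {ff.ref_user}")
    duration = min(wanted, ff.max_duration)
    return Session(requester, ff, justification, now, now + duration)


def approve(session, approver):
    """Pre-approval step: the designated approver only; self-approval is excluded."""
    if approver == session.requester:
        raise PermissionError("self-approval is not allowed")
    if approver != session.firefighter.approver:
        raise PermissionError(f"{approver} is not the approver for {session.firefighter.ref_user}")
    session.approved_by = approver
    return session


def perform(session, activity, now):
    """Record an activity; once the window has elapsed the session is closed (auto logoff)."""
    if now >= session.end:
        session.closed = True
        return False
    if not session.is_active(now):
        return False
    session.actions.append((now, session.requester, activity))
    return True


def close_session(session):
    """End of session: gather everything recorded into a single audit report."""
    session.closed = True
    return {
        "firefighter": session.firefighter.ref_user,
        "user": session.requester,
        "justification": session.justification,
        "window": (session.start, session.end),
        "activities": [activity for (_, _, activity) in session.actions],
    }


def review(report, expected_activities):
    """Post-session review: activities not covered by the stated purpose are flagged."""
    expected = set(expected_activities)
    return [activity for activity in report["activities"] if activity not in expected]
```

The model deliberately keeps the reviewer's expected-activity list separate from the requester's free-text justification: the reviewer, not the requester, decides what the justification covers, which is what makes the "alternative situation" above detectable. Because each session is bound to its requester, two users holding the same Firefighter at the same time produce two independently attributed reports.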

Conclusion

Audit-secure SAP Firefighter Management with the XAMS

The SAP Firefighter concept is essential for organizations that run SAP and need to react quickly and securely to exceptions without violating compliance requirements. The Xiting Authorizations Management Suite (XAMS) provides a robust solution for managing Firefighter permissions in a controlled, transparent, and audit-ready way.

Key advantages of XAMS for your Firefighter concept:

  • Security: Reduced risk through transparency and complete traceability
  • Speed: Rapid emergency access through automated self-service
  • Efficiency: Lower administrative workload
  • Scalability: Quick expansion of authorization concepts
  • Intelligent management: Intuitive handling, clear reporting, optional workflows

Integrating an SAP Firefighter concept with XAMS increases security and helps maintain business operations during critical situations.

Contact us for a personalized consultation, training, or implementation guidance tailored to your organization.

FAQ

What is an SAP Firefighter User?

A Firefighter user is a temporary SAP emergency user with extended authorizations used in exception or emergency scenarios. All actions are logged to support compliance and audit requirements.

It defines the controlled and time-limited assignment of critical authorizations for support, troubleshooting, or emergency scenarios.

Regular users have fixed roles for daily tasks. Firefighter users receive temporary extended rights that are always traceable and audit-ready.


Without a structured concept:

  • Critical actions may remain unlogged
  • Extended rights may become permanent
  • Audit and SoD requirements may be violated
  • Misuse becomes harder to detect

  • Temporary reference user assignments
  • No shared accounts
  • Automated logging and reporting
  • Approval workflows
  • Audit-ready reports

  • Time-limited sessions
  • Automatic logoff
  • No shared accounts
  • Defined approval processes
  • Consistent logging
  • Avoid legally critical permissions
