This document discusses the setup and use of a Firefighter concept in SAP for providing emergency access to critical transactions. It describes creating specialized Firefighter IDs that are assigned critical access and can be linked to normal user IDs for short periods of time when access is needed. The document outlines the key parameters and setup steps to configure the centralized ID-based Firefighter concept in the GRC system and plugin systems to track and control access to critical transactions.

1. EAM: Emergency Access Management
VIRSA 4.0 ------ > Fire Fighter
GRC AC 5.3 ------- > Super user Privilege Management
GRC AC 10, 10.1 ------- > EAM
Background of this Concept:
 70% of the Authorizations assigned to user, were never used by User
 15 – 20% of the Authorizations are rarely used
T-codes have been categorized as below
 Daily used – Assigned to user on permanent basis (30% Tcodes)
 Rarely used, Never Used = Critical – this access would be assigned only
when required and requested b user (70% T-codes)
Firefighter Concept based on providing access:
ID based
Normal user id will be linked to FF ID for short duration which has critical Access
assigned to it
Role Based
FF role will be assigned to normal user based on the request and also for short
duration

2. FF Concept based on Login:
 Centralized FF - Login from GRC system – GRAC_SPM or GRAC_EAM (T-
codes)
 Decentralized FF – Login from Plug In system and execute T-code
/n/GRCPI/GRIA_EAM

3. Centralized - ID based firefighting concept set up:
1) We need following ids as mentioned below
GRC system – FF, FF ID Owner, FF ID Controller
Plug in System (ECC) – FF, FF ID
ID Based:
 Firefighter – Normal User (dialog) or person who uses FF ID
 FF ID – Special id which is of Service User Type assigned with critical access
SAP_GRAC_SPM_FFID: Role that has to be assigned to every FF ID
 FF ID Owner – Person who approves FF Access to user and also responsible
for assigning FF ID to normal user
 FF ID Controller – person who monitors the activity done by user (FF) using
the FF ID
Role Based:
 FF
 FF Role Owner
 FF Role Controller
2) Define /Declare FF ID Owner and FF ID Controller in the Access Control
Owners link.
NWBC ------ > Set Up ----- > Access Owners
3) Mapping FF ID Owner and FF ID controller to the FF ID
NWBC ---- > Set Up ---- > Super User Assignment ------ > Owners
NWBC ---- > Set Up ---- > Super User Maintenance ------ > Controllers
4) Define Reason Codes
NWBC ---- > Set Up ---- > Super User Maintenance ------ > Reason Codes

4. This is the task done by us if ARM is not implemented
5) Linking FF ID with FF (normal user id)
NWBC ---- > Set Up ---- > Super User Assignment ------ > FF IDs
Or
NWBC ---- > Set Up ---- > Super User Maintenance ------ > Firefighters
If the FF ID is not visible in GRC system what could be the Reasons?
1) 4010 Parameter role is not assigned to FF ID
2) Sync job is not run
Note: Never assign SAP_ALL to FF ID
Logs are generated for each and every T-code and FF ID Controller is not
interested in review of logs for daily used t-codes. Hence only Critical T-codes
access should be assigned to FF ID
SAP_GRAC_SPM_FFID: Role that has to be assigned to every FF ID.
Whichever role is mentioned in parameter 4010, that role has to be assigned to
every FF ID in plug in systems
If this is custom role, that should be copy of SAP_GRAC_SPM_FFID
4000 Series is related to EAM/FF
4010: FF ID role - SAP_GRAC_SPM_FFID (Identifier Role – Which ever user id is
assigned with this role, that ID is considered as FF ID in GRC system)
4000: ID based or Role based
4001: Default Firefighter Validity Period (Days)
4015: Centralized or Decentralized
Note: 4015 Parameter was launched from SP10 and above. Earlier to that, only
centralized concept is available by default.

5. FF ID Linking with Normal User is done in 2 ways
 Manually
 Automated – Workflow
Disadvantages of Role Based:
1) User is not conscious about using the FF role
2) User unknowingly uses the FF access
Disadvantage of Centralized FF concept:
1) When GRC system is down, FF concept cannot be used in any plug in system.
2) All the users who ever exist in Plug in systems should also exist in GRC system.

6. BASIS Team
 FFID_BASIS1
 FFID_BASIS2
 FFID_BASIS3
Finance Team
 FFID_FIN1
 FFID_FIN2
 FFID_FIN3
Some Clients have dedicated FFID to every user in the Org
BASIS Team
 U1 : FF_U1
 U2 : FF_U2
 U3 : FF_U3
SAP_ALL should not be assigned to FF ID? (Daily used tcodes should not be
assigned to FF ID)
 There is no use of creating separate FF ID team wise
 Unnecessary logs will be generated and it is difficult for Controller to
monitor. He will lose interest in reviewing the logs.
Advantages of FF concept:
1) Tracking the usage of critical TCodes
2) Minimize the total risk count in the organization

7. If FF ID is not visible in GRC system, what could be the reasons?
1) Sync Job
2) The role under 4010 parameter is not assigned to FF ID.
FF LOGS:
NWBC ----- > Reports & Analytics ------ > EAM Reports
1) FF log Summary Report
Disadvantage of Role Based:
User is not aware (not conscious) of the T-code used , is part of Normal role or FF
role.