
Why Role based Firefighter

Former Member
0 Kudos

Hello Folks,

What is the difference between Role based and Firefighter ID based Firefighting from an organizational point of view?

The general practice is to go with Firefighter ID but I want to know a situation when Firefighter Role based strategy can be an advantage over the other.

In the user guide it is not mentioned when and why Role based Firefighter should be used.

Thanks in advance,

Amol Bharti

Accepted Solutions (1)

Former Member
0 Kudos

Are you asking how to assign users to Firefighter IDs? If so, the options are user based or role based. With user based assignment, an administrator or FF ID owner logs into the FF application and assigns users to FF IDs. With role based assignment, roles are mapped to FF IDs, so all you have to do to give a user FF access is assign them to an SAP role.

Thanks

Dave Wood

Former Member
0 Kudos

Hello David,

Thanks for your reply, but my question was:

What is the difference between Role based and Firefighter ID based Firefighting from an organizational point of view?

The general practice is to go with Firefighter ID but I want to know a situation when Firefighter Role based strategy can be an advantage over the other.

In the user guide it is not mentioned when and why Role based Firefighter should be used.

Technically I am aware of how to configure it, but I wanted to dig into the requirement of the functionality itself.

Best Regards,

Amol Bharti

Former Member
0 Kudos

FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.

FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time, a request for the FF role is submitted through AE (the request could go through a separate workflow path) and the request will be approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc. An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24/7 master data set-up in the original Firefighter process.

When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.

The Firefighter does not need to "check out" a Firefighter ID; the access is on their normal user ID.

The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.

Answers (2)

koehntopp
Product and Topic Expert
0 Kudos

Role based Firefighter is an easy way to log critical actions.

My main gripe with that is that the user will not be aware of doing anything critical - you do not get the login screen with reason code / description, which IMHO has a huge psychological effect on users (ignoring the obvious audit advantages) because it makes them aware that they're doing something out of the ordinary.

My advice: you'll want to use FF IDs most of the time.

Frank.

former_member366047
Contributor
0 Kudos

Amol-

In all my previous implementations, clients have always chosen to go the way of FF IDs. One of the reasons why a company would use Role-based FF would be to avoid extra licensing fees in Production. Or if they are not following best practices and assigning a large (>100) number of Fire Fighters...

Ankur