Expand +



How to Automate Firefighter ID Reviews Using SAP Access Control 10.1

by Joshu Madina, Associate Architect, SAP Labs India Pvt. Ltd

December 29, 2017

Learn about the different aspects and flexibility of Firefighter ID review requests in SAP Access Control 10.1. Firefighter ID review is an automated process to review the Firefighter ID assignments of the firefighters made by the firefighter owners and controllers and to remove Firefighter ID assignments.

Firefighter ID review is a new feature introduced in SAP Access Control 10.1 Support Package 16 to review the Firefighter ID assignments and remove the assignments.  

Periodic assessments can be performed for the Firefighter ID assignments of the firefighter users. These assignments are reviewed by their owners and controllers. Based on the usage of the Firefighter ID by the Firefighter users, the assignments can be deleted or continued. 

Business Configuration Set (BC Set) Activation

Activate the BC Set GRC_MSMP_CONFIGURATION using transaction code SCPR20. This transaction enables the multi-stage, multipath (MSMP) process ID SAP_GRAC_FFID_REVIEW for Firefighter ID reviews. During the activation of the BC Set select these options:

  • Do not overwrite Default Values
  • Expert mode  
Work Flow Settings for Firefighter ID Reviews

A new MSMP process ID has been introduced for the Firefighter ID review workflow approvals (i.e., SAP_GRAC_FFID_REVIEW). Using this ID, firefighter owners and controllers receive the workflow items and notifications to review the Firefighter ID assignments for the firefighters. You can maintain the workflow for a Firefighter ID review by following menu path SPRO > Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain MSMP Workflows (Figure 1). You can find the new MSMP process ID SAP-GRAC_FFID_REVIEW in the process workflow settings.

Figure 1
Workflow process

Select the process ID SAP_GRAC_FFID_REVIEW. Check and maintain the rules by navigating to Maintain Rules as shown in Figure 2. By default, it has agent rules for:

  • Initiator rule (GRAC_FFREVIEW_INITIATOR)
  • Notification variable rule (GRAC_NOTIF_VAR_RULE_FFREVIEW)

You can add, modify, or delete the rules, and rule types can be BRFPlus or BRFPlus flat rules, ABAP class-based rules, or function module-based rules.

Figure 2
Maintain rules

Click the Maintain Agents button to check and maintain the agents as shown in Figure 3. Go to edit mode and to define new agents click the Add button shown in Figure 3. Also, selected agents can be modified or deleted by clicking the Modify and Delete buttons, respectively.

Figure 3
Maintain agents

Click Variables & Templates to check and maintain the variables and templates as shown in Figure 4. It has the following default variables and templates:


Default variables and templates are delivered by SAP Access Control; however, you can maintain customized variables and templates. To create a new template, click the Add button. Also, variables can be added by clicking the Add button in the Notification Variables section shown in Figure 4.

Figure 4
Variables and templates

Click Maintain Paths to check and maintain paths as shown in Figure 5. The default path is GRAC_DEFAULT_PATH and it has two stages: GRAC_DEFAULT_STAGE is for owners and GRAC_CONTROLLER_STAGE for controllers.

Figure 5
Default path for Firefighter ID reviews

For example, there is a Firefighter ID request under review at the Owner stage, and if the owner does not respond to the review request in five minutes, the user wants to escalate to the Controller stage for further review. In this example, you can set escalation by clicking the Modify Task Settings button. In the pop-up screen that appears (Figure 6), go to the Escalation Type field and select the escalation type as Skip To Next Stage. In the Escalation Time Mins field, specify the time for escalation in minutes. Click the Save button to save your data.

Figure 6
Escalation settings

Click Main Route Mapping to check and maintain route mapping as shown in Figure 7. The default rule ID is GRAC_FFREVIEW_INITIATOR with rule result value GRAC_DEFAULT_RESULT. For example, you can add additional paths by clicking the Add button.

Figure 7
Route mapping

Once the above six steps are done, click the Generate Versions button to generate and activate the workflow in the Generate Version step as shown in Figure 8. By clicking the Activate button, a user can generate the workflow. The system generates a new version of the workflow, where the user can enter the transport request number and transport the workflow to different systems if required.

Figure 8
Generate the versions

Work Flow Settings for Firefighter ID Reviews

GRAC_FFREV is a new background job activity name, which is introduced for submitting the background jobs for the Firefighter ID reviews.

Implement SAP Note 2491708 (AC 10.1 EAM: Missing Firefighter ID Review in Background Job Scheduler). Implementing this note enables a new background job ID for the Firefighter ID review. 

GRAC_FFREV: Generates data for access request Firefighter ID review

Administrators can schedule new jobs using menu path NWBC > Access Management > Scheduling > Background Scheduler > Create. This path takes you to Figure 9.

Figure 9
Schedule a background job

Specify the Schedule Name and select the Schedule Activity as Generates data for access request Firefighter ID review. Select the Start immediately radio button (for recurring jobs select Yes for the Recurring Plan radio button and specify a recurring range, frequency, and recurrence). Click the Next button to display the screen in Figure 10.

Figure 10
Selection criteria for the Firefighter ID review

Figure 10 contains the selection criteria Connector Id, Controller, Criticality Level, Firefighter ID, Firefighter, Last Executed, Owner, and Firefighter Validity. Review requests are generated based on these selections that are to be reviewed by the owners and controllers. For example, I have provided only the Connector Id name to create the FFR Requests for the entire system. Click the Next button to go to the review page (Figure 11). If you find something wrong in Figure 10, you can go to the previous step and correct the error.

Figure 11
Review the selections

Click the Finish button to submit the background job. The system then submits a background job (Figure 12).

Figure 12
Successful background job submission

Search Request

After the background job is submitted, you can search the Firefighter ID review requests in the Search Request section by using menu path NWBC > Access Management > Access Request Administration > Search Requests. This path takes you to Figure 13.

Figure 13
Search request

Select the Process ID as Firefighter ID Review Workflow and click the Search button. This action lists all the generated requests as shown in Figure 14.  

Figure 14
Search request results

Work Inbox

In the work inbox, firefighter owners are notified of the requests for their reviews and approvals. To access the work inbox, follow menu path NWBC > My Home > Work Inbox. For example, owner MADINA received a workflow item that will open the work items (Figure 15).

Figure 15
Work Inbox

To review requests, click the hyperlink under the Subject column. This action displays the screen in Figure 16

Figure 16
Request review by owner

Owners can approve or remove the Firefighter ID and then submit the request by clicking the respective buttons highlighted in Figure 16. Then the request moves to the next stage (i.e., the Controller stage, which takes you to Figure 17).

Figure 17
The Controller stage

The Controller can take an appropriate action such as approving the assignments or removing the Firefighter ID assignments from the firefighters.

An email has been sent to:


Joshu Madina

Joshu Madina is an associate architect at SAP Labs India Pvt. Ltd. He has a total of 11 years of experience in software development. Since 2005 he has been working at SAP Labs and involved in various phases of development and maintenance of SAP Access Control 4.0, 5.3, 10.0, and 10.1. He has expertise in Emergency Access Management, Access Risk Analysis, Mitigations, Access Request, Business Role Management, and SAP security and authorization concepts.


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!