Firefighter ID review is a new feature introduced in SAP Access Control 10.1 Support Package 16 that lets you review Firefighter ID assignments and remove assignments as a result of the review.
Periodic assessments can be performed for the Firefighter ID assignments of the firefighter users. These assignments are reviewed by their owners and controllers. Based on the usage of the Firefighter ID by the Firefighter users, the assignments can be deleted or continued.
Business Configuration Set (BC Set) Activation
Activate the BC Set GRC_MSMP_CONFIGURATION using transaction code SCPR20. This activation enables the multi-stage, multipath (MSMP) process ID SAP_GRAC_FFID_REVIEW for Firefighter ID reviews. During the activation of the BC Set, select these options:
- Do not overwrite Default Values
- Expert mode
Workflow Settings for Firefighter ID Reviews
A new MSMP process ID, SAP_GRAC_FFID_REVIEW, has been introduced for the Firefighter ID review workflow approvals. Using this ID, firefighter owners and controllers receive the workflow items and notifications to review the Firefighter ID assignments for the firefighters. You can maintain the workflow for a Firefighter ID review by following menu path SPRO > Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain MSMP Workflows (Figure 1). You can find the new MSMP process ID SAP_GRAC_FFID_REVIEW in the process workflow settings.
Select the process ID SAP_GRAC_FFID_REVIEW. Check and maintain the rules by navigating to Maintain Rules as shown in Figure 2. By default, it has these rules:
- Requester (GRAC_MSMP_REQUESTER_AGENT)
- Owner (GRAC_MSMP_FFOWNER_AGENT)
- Controllers (GRAC_MSMP_FFCNTRL_AGENT)
- Initiator rule (GRAC_FFREVIEW_INITIATOR)
- Notification variable rule (GRAC_NOTIF_VAR_RULE_FFREVIEW)
You can add, modify, or delete the rules, and rule types can be BRFPlus or BRFPlus flat rules, ABAP class-based rules, or function module-based rules.
Click the Maintain Agents button to check and maintain the agents as shown in Figure 3. To define new agents, go to edit mode and click the Add button shown in Figure 3. Selected agents can be modified or deleted by clicking the Modify and Delete buttons, respectively.
Click Variables & Templates to check and maintain the variables and templates as shown in Figure 4. It has the following default variables and templates:
Default variables and templates are delivered by SAP Access Control; however, you can maintain customized variables and templates. To create a new template, click the Add button. Also, variables can be added by clicking the Add button in the Notification Variables section shown in Figure 4.
Figure 4: Variables and templates
Click Maintain Paths to check and maintain paths as shown in Figure 5. The default path is GRAC_DEFAULT_PATH and it has two stages: GRAC_DEFAULT_STAGE is for owners and GRAC_CONTROLLER_STAGE for controllers.
Figure 5: Default path for Firefighter ID reviews
For example, suppose a Firefighter ID request is under review at the Owner stage and, if the owner does not respond to the review request within five minutes, you want it escalated to the Controller stage for further review. To set this escalation, click the Modify Task Settings button. In the pop-up screen that appears (Figure 6), go to the Escalation Type field and select Skip To Next Stage as the escalation type. In the Escalation Time Mins field, specify the time for escalation in minutes. Click the Save button to save your data.
Click Main Route Mapping to check and maintain route mapping as shown in Figure 7. The default rule ID is GRAC_FFREVIEW_INITIATOR with rule result value GRAC_DEFAULT_RESULT. For example, you can add additional paths by clicking the Add button.
Once the above six steps are done, click the Generate Versions button to generate and activate the workflow in the Generate Version step as shown in Figure 8. By clicking the Activate button, a user can generate the workflow. The system generates a new version of the workflow, where the user can enter the transport request number and transport the workflow to different systems if required.
Figure 8: Generate the versions
Background Job Settings for Firefighter ID Reviews
GRAC_FFREV is a new background job activity name, which is introduced for submitting the background jobs for the Firefighter ID reviews.
Implement SAP Note 2491708 (AC 10.1 EAM: Missing Firefighter ID Review in Background Job Scheduler). Implementing this note enables a new background job ID for the Firefighter ID review.
GRAC_FFREV: Generates data for access request Firefighter ID review
Administrators can schedule new jobs using menu path NWBC > Access Management > Scheduling > Background Scheduler > Create. This path takes you to Figure 9.
Figure 9: Schedule a background job
Specify the Schedule Name and select the Schedule Activity as Generates data for access request Firefighter ID review. Select the Start immediately radio button (for recurring jobs select Yes for the Recurring Plan radio button and specify a recurring range, frequency, and recurrence). Click the Next button to display the screen in Figure 10.
Figure 10: Selection criteria for the Firefighter ID review
Figure 10 contains the selection criteria Connector Id, Controller, Criticality Level, Firefighter ID, Firefighter, Last Executed, Owner, and Firefighter Validity. Review requests are generated based on these selections that are to be reviewed by the owners and controllers. For example, I have provided only the Connector Id name to create the FFR Requests for the entire system. Click the Next button to go to the review page (Figure 11). If you find something wrong in Figure 10, you can go to the previous step and correct the error.
Figure 11: Review the selections
Click the Finish button to submit the background job. The system then submits a background job (Figure 12).
Figure 12: Successful background job submission
After the background job is submitted, you can search the Firefighter ID review requests in the Search Request section by using menu path NWBC > Access Management > Access Request Administration > Search Requests. This path takes you to Figure 13.
Select the Process ID as Firefighter ID Review Workflow and click the Search button. This action lists all the generated requests as shown in Figure 14.
Figure 14: Search request results
In the work inbox, firefighter owners are notified of the requests awaiting their review and approval. To access the work inbox, follow menu path NWBC > My Home > Work Inbox. For example, owner MADINA received a workflow item; opening it displays the work items (Figure 15).
To review requests, click the hyperlink under the Subject column. This action displays the screen in Figure 16.
Figure 16: Request review by owner
Owners can approve or remove the Firefighter ID and then submit the request by clicking the respective buttons highlighted in Figure 16. Then the request moves to the next stage (i.e., the Controller stage, which takes you to Figure 17).
Figure 17: The Controller stage
The Controller can take an appropriate action such as approving the assignments or removing the Firefighter ID assignments from the firefighters.
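Owners and controllers decide between approving and removing an assignment based on how the Firefighter ID has been used. The following added example (not part of SAP Access Control or the original article) shows one way a reviewer could pre-sort assignments before opening the work items. It assumes a CSV export whose columns mirror the job's selection criteria (Connector Id, Firefighter ID, Firefighter, Owner, Last Executed, Firefighter Validity); the CSV layout, the 90-day threshold, the sample rows and every name other than MADINA are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample data. The column names follow the selection criteria of
# the review job, but this CSV layout is an assumption, not an SAP export format.
SAMPLE_EXPORT = """connector_id,firefighter_id,firefighter,owner,last_executed,valid_to
ECCCLNT100,FFID_FIN_01,JSMITH,MADINA,2024-05-20,2024-12-31
ECCCLNT100,FFID_FIN_01,AKHAN,MADINA,,2024-12-31
ECCCLNT100,FFID_BASIS_02,JSMITH,MADINA,2023-11-02,2024-12-31
ECCCLNT100,FFID_HR_03,LCHEN,OWNER2,2024-06-01,2024-03-31
"""


def triage(export_text, today, stale_days=90):
    """Group assignments by owner and suggest APPROVE or REMOVE for each.

    Returns {owner: [(firefighter_id, firefighter, suggestion, reason), ...]}.
    stale_days is a hypothetical policy threshold chosen for this example.
    """
    worklist = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        # An assignment whose validity has ended should not stay assigned.
        if date.fromisoformat(row["valid_to"]) < today:
            reasons.append("validity expired")
        # An empty Last Executed value means the ID was never used.
        if not row["last_executed"]:
            reasons.append("never used")
        elif (today - date.fromisoformat(row["last_executed"])).days > stale_days:
            reasons.append(f"unused for more than {stale_days} days")
        suggestion = "REMOVE" if reasons else "APPROVE"
        worklist[row["owner"]].append(
            (row["firefighter_id"], row["firefighter"], suggestion,
             "; ".join(reasons) or "recent use, still valid"))
    return dict(worklist)


if __name__ == "__main__":
    for owner, items in triage(SAMPLE_EXPORT, date(2024, 6, 15)).items():
        print(owner)
        for ffid, user, suggestion, reason in items:
            print(f"  {ffid:<14} {user:<8} {suggestion:<8} {reason}")
```

The suggestion is only an input to the review; the decision itself is still recorded by the owner and controller in the workflow.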