SAP ABAP IMG Activity GRCAC_MAINT_PARAM (Maintain Configuration Parameters)
Hierarchy
GRCPINW (Software Component) SAP GRC NetWeaver Plug-In
   GRC-ACP (Application Component) GRC Access Control Plug-In
     GRCAC (Package) GRC Access Control Component
IMG Activity
ID GRCAC_MAINT_PARAM Maintain Configuration Parameters  
Transaction Code S_VA6_57000005   IMG activity: GRCAC_MAINT_PARAM 
Created on 20071112    
Customizing Attributes GRCAC_MAINT_PARAM   Maintain Configuration Parameters 
Customizing Activity GRCAC_MAINT_PARAM   Maintain Configuration Parameters 
Document
Document Class SIMG   Hypertext: Object Class - Class to which a document belongs.
Document Name GRCAC/MAINTCONFIGPAR    

Use

In this IMG activity you configure the parameters to specify log, critical transactions, role, and ID activities.

Example

Requirements

Standard settings

Recommendation

Activities

Define Remote Function Call (RFC) Destination

Superuser Privilege Management requires an RFC destination to call a specific RFC-enabled function module. Each time an ID logs in and creates a new session, the new session is opened using the RFC. The RFC destination must be basic with no access or users attached to it. Superuser Privilege Management can be configured for use with an existing SAP RFC. To define a new RFC destination, use transaction SM59.

The RFC parameter specifies the name of the remote function call.

1. After creating an RFC for Firefighter, enter this name in the Parameter Value column of the FireFighter Configuration Table.

2. Click the Save icon.

Scheduling Background Job for Logging

The Superuser Privilege Management background job monitors the use of firefighter IDs and records login events and transaction usage. The background job must be scheduled to generate and view the Firefighter Log report. To schedule a background job, use transaction SM36.

1. Run transaction SM36.

2. Enter a Job name.

3. Enter a Job class. It is recommended that you use the highest priority setting.

4. Specify a Target server (optional).

5. Click Start Condition. The Start Time dialogue box appears.

6. Click Immediate.

7. Check Period job.

8. Click Period values and specify a time interval. It is recommended that you run this background job on an hourly basis.

9. Click the Save icon. The Define Background Job screen appears.

10. Click Step. The Create Step dialogue box appears.

11. Click ABAP program.

12. Enter the same job name in the Name field.

13. Enter a Variant (optional).

14. Click the Save icon. The Define Background Job screen reappears.

15. Click the Save icon to save the background job.

Firefighter ID Creation

A Firefighter ID is a userID with specific roles that allow the Firefighter to perform the required tasks in a firefighting situation. Use transaction SU01 to create Firefighter IDs.

Create Firefighter ID users as type Service, rather than Dialog, so passwords do not expire.

Note: Firefighter IDs cannot be used for SAP logins. Do not use existing userIDs as Firefighter IDs.

Upload Role Definitions for Superuser Privilege Management Users

Superuser Privilege Management provides pre-delivered roles for all firefighter users. You can customize these roles according to specific naming conventions and needs. Below are the names and intended users of the pre-delivered firefighter roles.

User              Role Names                      Access
Administrators    /VIRSA/Z_VFAT_ADMINISTRATOR     Configure, create and assign IDs
Owners            /VIRSA/Z_VFAT_ID_OWNER          Resolve ID issues
Firefighters      /VIRSA/Z_VFAT_FIREFIGHTER       Complete activities in emergency

These roles are delivered in a .DAT file. To install the .DAT roles, use transaction PFCG.

Assigning Roles to Users

Each user must be assigned a role.

Use transaction SU01 or PFCG to assign the firefighter roles to firefighter users. Pre-defined roles do not include the basic SAP system access required for functions such as printing, transaction SU53, and other non-firefighter provisioning.

Customizing Role Definitions

When you customize user roles, try to follow the existing naming standards, so the purpose of each customized role is clear.

Conformance to Naming Standards

1. Run transaction PFCG.

2. Enter the firefighter role name (such as /VIRSA/Z_VFAT_ADMINISTRATOR).

3. Click Copy and specify the Destination Activity Group (or Role).

4. Generate the role to ensure the related authorizations are created.

5. Repeat Step 1 through Step 4 to customize the other firefighter roles.

Customizing Role Authorizations to Your Needs

To customize the authorizations in the roles, consult your User/Security Administrator. Firefighter authorization object documentation specifies the significance of each object and field to help customize the authorizations of firefighter roles.

Maintaining Configuration Parameters

For detailed definition information on the configuration parameters, refer to the Superuser Privilege Management User Guide documentation and the Superuser Privilege Management Configuration Guide. The following table lists the configuration parameters and the configuration settings.

Parameter Name
    Behavior

Retrieve Change Log
    Yes - to capture transaction and change log information.
    No - to capture only the transaction log information.

Critical Transaction Table from RAR Component
    Yes - to use the critical transactions defined in the Risk Analysis and Remediation component.
    No - to use the critical transactions defined in this component.

Assign Roles Instead of IDs
    Yes - to use firefighter roles. Set Default Role Expiration in Days.
    No - (Default) to use firefighter IDs.

Default Role Expiration in Days
    Specify the number of days in which the role expires using the To/From dates. If you do not specify any days, then you must use the SAP calendar. When you assign valid From and valid To dates, these dates override the dates in this parameter.

Owner Additional Authorization
    Yes - to allow only the defined owner of firefighter IDs to view and assign the firefighter ID.
    No - to allow any owner to view and assign that firefighter ID.

Configuration Change Comment Mandatory
    Yes - to make this comment mandatory.
    No - to make this comment optional.

Controller Additional Authorization
    Yes - to allow a user to maintain controllers only for those firefighter IDs for which the user is owner or administrator.
    No - to allow any user to maintain controllers.

Send Log Report with Critical Transaction Only
    Yes - to send a log report that only contains critical transactions.
    No - to send a log report that contains all transactions.

Send Log Report Execution Notification
    Yes - to send an email to a controller with firefighter log information.
    No - to not send email information to a controller.

Send Log Report Execution Immediately
    Yes - to send log report email notification to the controller as soon as the /VIRSA/ZVFATBAK job runs.
    No - if you plan to schedule the /VIRSA/ZVFAT_LOG_REPORT report at different intervals.

Send Firefighter Login Notification
    Yes - to send an email to a controller with firefighter log information.
    No - to not send email information to a controller.

Send Login Notification Immediately
    Yes - to send an email to a controller with firefighter login information after each login.
    No - to schedule the /VIRSA/ZVFAT_LOG_NOTIFICATION report at different intervals, if you plan to schedule these intervals with a different scheduling tool.
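
Several of these settings only take effect when a matching job is scheduled, so a review of the parameters should be done together with the job list. The following Python check is an added example, not SAP-delivered code; the function name, the input shapes (a dict of parameter values and a dict of scheduled programs with their period in minutes) and the sample values are assumptions.

```python
# Added example. Parameter and program names are the ones on this page; the
# input shapes are assumptions: `params` maps parameter name to its value,
# `jobs` maps each scheduled program to its period in minutes.
# A parameter missing from `params` is treated as "No" (assumption).
def audit_spm_config(params, jobs):
    """Return findings where logging or notification of firefighter use has gaps."""
    def yes(name):
        return params.get(name, "").strip().upper() == "YES"
    findings = []
    # Without this job there is no data for the Firefighter Log report.
    period = jobs.get("/VIRSA/ZVFATBAK")
    if period is None:
        findings.append("/VIRSA/ZVFATBAK is not scheduled")
    elif period > 60:
        findings.append(f"/VIRSA/ZVFATBAK runs every {period} min; hourly is recommended")
    # "Immediately = No" hands delivery to a report that is scheduled separately.
    for notify, immediate, program in [
        ("Send Log Report Execution Notification",
         "Send Log Report Execution Immediately", "/VIRSA/ZVFAT_LOG_REPORT"),
        ("Send Firefighter Login Notification",
         "Send Login Notification Immediately", "/VIRSA/ZVFAT_LOG_NOTIFICATION"),
    ]:
        if not yes(notify):
            findings.append(f"{notify} = No: controllers get no email")
        elif not yes(immediate) and program not in jobs:
            findings.append(f"{immediate} = No but {program} is not scheduled")
    if not yes("Retrieve Change Log"):
        findings.append("Retrieve Change Log = No: only the transaction log is captured")
    if yes("Assign Roles Instead of IDs") and not params.get(
            "Default Role Expiration in Days", "").strip():
        findings.append("Default Role Expiration in Days is empty while roles are assigned")
    for name, effect in [
        ("Owner Additional Authorization", "any owner can view and assign a firefighter ID"),
        ("Controller Additional Authorization", "any user can maintain controllers"),
    ]:
        if not yes(name):
            findings.append(f"{name} = No: {effect}")
    return findings

# Constructed sample values, not taken from a real system.
SAMPLE_PARAMS = {
    "Retrieve Change Log": "Yes", "Assign Roles Instead of IDs": "Yes",
    "Default Role Expiration in Days": "", "Owner Additional Authorization": "Yes",
    "Controller Additional Authorization": "No",
    "Send Log Report Execution Notification": "Yes",
    "Send Log Report Execution Immediately": "No",
    "Send Firefighter Login Notification": "Yes",
    "Send Login Notification Immediately": "Yes",
}
SAMPLE_JOBS = {"/VIRSA/ZVFATBAK": 240}
```

Include in the job dict every program that is scheduled by any tool, since the notification reports may be run from a scheduler other than SM36.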

Further notes

Business Attributes
ASAP Roadmap ID 201   Make global settings 
Mandatory / Optional 1   Mandatory activity 
Critical / Non-Critical 1   Critical 
Country-Dependency A   Valid for all countries 
Maintenance Objects
Maintenance object type C   Customizing Object 
Assigned objects
Customizing Object Object Type Transaction Code Sub-object Do not Summarize Skip Subset Dialog Box Description for multiple selections
/VIRSA/ZFFCONFIG S - Table (with text table) SM30  
History
Last changed by/on SAP  20071204 
SAP Release Created in 520_46C