
FFID's were a commonly used by many users in a system. Users can request for FFID and upon approval by the owner. In many cases, FFIDs are mis-used and owners without validating the actual requirement may approve the request. To avoid this risk, SAP introduced a new process which can be enabled with parameter 4026 - Configure which connector uses dedicated/single Firefighter ID (Refer to SAP Note: 3036192 for more detailed information.)
Enabling this will ensure that enterprises can setup the Firefighter ID according to their organization policies. Parameter 4026 provides 4 possible parameter values:
Parameter value | Description |
ALL ONE | All SUPMG connectors with one dedicated FFID per system |
ALL DEDI | All SUPMG connectors with many dedicated FFID per system |
CONF ONE | Configured connectors with one dedicated FFID per system |
CONF DEDI | Configured connectors with many dedicated FFID per system |
NONE | No connectors with dedicated FFID per system (disabled) |
Note: Keep in mind that this setting only applies when you're asking for FFIDs through the Access Request feature/interface. Administrators can still assign as many FFIDs as they need to each user from NWBC (direct method).
Let’s delve deep on each of these options:
Parameter Value - ALL ONE
When the parameter value is set to “ALL ONE” - All SUPMG connectors with one dedicated FFID per system, the "One FFID per user per system" setting is activated for ALL systems within the SUPMG integration scenario. Under this configuration, a user is limited to having only one FFID per system.
User may request for the FireFighter ID via the Access Request form as shown below:
Image - Access Request form with FFID request selection
Once a FFID is assigned to a user, it's no longer an option for selection and is taken off the list of available FFIDs for other users. This ensures that the same FFID isn't chosen or requested by multiple users. See the example below:
Image - Available FFID screen with blank entries
Similarly, other users can’t see the same FFID as it has an active assignment.
Parameter Value - ALL DEDI
When the parameter value is set to “ALL DEDI” - dedicated FFID's per system is switched on to ALL system in the SUPMG integration scenario. With this setting, a user can have multiple FFIDs in the same system, but once the FFID is assigned/active to one user, it is not visible for the other users.
Image – EAM Launchpad with 2 different FFIDs
Parameter Value - NONE
The functionality is switched off, meaning there's no filtering or validation in place. You're free to assign as many FFIDs as necessary to as many users as needed. This reflects the current operation methodology of the EAM application.
Parameter Value – CONF ONE
One FFID per user per system is switched on to only CONFIGURED system. A user can only have a single FFID in a configured system, and many in the non-configured systems.
Parameter Value – CONF DEDI
Dedicated FFID's per system is switched on to CONFIGURED system. A user can have many FFID in all the systems, however one FFID is only assigned to a single user in a configured system.
In conclusion, the introduction of parameter 4026 in SAP GRC Access Control offers organizations the ability to tailor their Firefighter ID (FFID) assignment processes according to their specific needs and security policies. By enabling this parameter, administrators gain control over how FFIDs are allocated and managed within their systems. Go ahead and explore more on how this new feature can simplify the way you are working with the EAM application.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
1 | |
1 | |
1 | |
1 | |
1 | |
1 |