SAP GRC - Implementing Superuser

Let us now understand how to implement Superuser.

You can implement firefighter IDs by working on the following steps −

Step 1 − Create Firefighter IDs for each business process area

Step 2 − Assign the necessary roles and profiles to carry out firefighting tasks.

You shouldn’t assign profile SAP_ALL.

Step 3 − Use T-Code – SU01


Step 4 − Click Create button to create a new user.

New User

Step 5 − Assign Firefighter roles as mentioned above to user id −

  • Assign Firefighter roles to applicable user IDs.

  • Assign administrator role /VIRSA/Z_VFAT_ADMINISTRATOR to superuser privilege management administrator.

  • Administrator user should not be assigned any firefighting responsibilities.

  • Assign the standard role /VIRSA/Z_VFAT_FIREFIGHTER to −

    • Firefighter ID − Service user used for logon
    • Firefighter user − Standard user acting as a Firefighter in case of emergency

  • Assign the ID owner role /VIRSA/Z_VFAT_ID_OWNER to −

    • Owner − Responsible for determining who will be assigned to Firefighter IDs for his or her business area
    • Controller − Receives notification when the Firefighter ID is used.

Step 6 − Go to Roles tab and select the mentioned roles as per the requirement.

User Roles Tab

Single Roles

Step 7 − Create RFC destination for internal switch to Firefighter ID −

  • Name − Enter RFC connection name

  • Connection Type − 3

  • Enter a Description

    (No username, passwords, or other logon data are required)

  • Enter passwords for each Firefighter ID in the Security table: Passwords are stored as hash values and are unreadable after the administrator saves the value.

Step 8 − To create the firefighter log, schedule a background job.

Name the job /VIRSA/ZVFATBAK as in the following screenshot −

Job Name
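The assignment rules from Steps 2 and 5 can be checked offline against an export of user assignments. The following is an added example, not part of the original tutorial or of SAP's tooling: the CSV layout, the `is_ffid` column, the sample users and the reading of the administrator rule as "no firefighter role and not a Firefighter ID" are assumptions made for illustration.

```python
import csv
import io

ADMIN_ROLE = "/VIRSA/Z_VFAT_ADMINISTRATOR"
FIREFIGHTER_ROLE = "/VIRSA/Z_VFAT_FIREFIGHTER"
FORBIDDEN_PROFILE = "SAP_ALL"

# Constructed sample export (hypothetical layout): one row per assignment.
# kind is ROLE or PROFILE; is_ffid marks accounts created as Firefighter IDs.
SAMPLE_EXPORT = """user,is_ffid,kind,name
FF_FIN_01,Y,ROLE,/VIRSA/Z_VFAT_FIREFIGHTER
FF_FIN_01,Y,ROLE,Z_FIN_EMERGENCY
FF_MM_01,Y,ROLE,/VIRSA/Z_VFAT_FIREFIGHTER
FF_MM_01,Y,PROFILE,SAP_ALL
FF_HR_01,Y,ROLE,Z_HR_EMERGENCY
SPM_ADMIN,N,ROLE,/VIRSA/Z_VFAT_ADMINISTRATOR
SPM_ADMIN,N,ROLE,/VIRSA/Z_VFAT_FIREFIGHTER
JSMITH,N,ROLE,/VIRSA/Z_VFAT_FIREFIGHTER
"""

def audit(export_text):
    """Return sorted (user, finding) tuples for assignments that break the rules."""
    roles, profiles, ffids = {}, {}, set()
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip().upper()
        name = row["name"].strip().upper()
        roles.setdefault(user, set())
        profiles.setdefault(user, set())
        target = roles if row["kind"].strip().upper() == "ROLE" else profiles
        target[user].add(name)
        if row["is_ffid"].strip().upper() == "Y":
            ffids.add(user)
    findings = []
    for user in roles:
        # Step 2: Firefighter IDs get only the profiles they need, never SAP_ALL.
        if user in ffids and FORBIDDEN_PROFILE in profiles[user]:
            findings.append((user, "SAP_ALL on Firefighter ID"))
        # Step 5: every Firefighter ID carries the standard firefighter role.
        if user in ffids and FIREFIGHTER_ROLE not in roles[user]:
            findings.append((user, "Firefighter ID lacks firefighter role"))
        # Step 5: the administrator must not also hold firefighting access.
        if ADMIN_ROLE in roles[user] and (FIREFIGHTER_ROLE in roles[user] or user in ffids):
            findings.append((user, "administrator also holds firefighting access"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```
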

Superuser Log

Let us understand these steps for Superuser Log.

Step 1 − Use T-Code − /n/VIRSA/ZVFAT_V01

Superuser Log

Step 2 − You can now find the logs in the toolbox area.

Toolbox Area

Step 3 − You can use transaction code SM37 to review the logs for an individual user.

Log Review

You can also use the web GUI to access all Firefighter information. Go to SAP GRC Access control → Superuser privilege management.

This makes it possible to access the data of different Firefighter installations on different SAP backend systems, so it is no longer necessary to log on to each system.

Log Report
