- SAP GRC Tutorial
- SAP GRC - Home
- SAP GRC - Overview
- SAP GRC - Navigation
- SAP GRC - Access Control
- Access Management Work Center
- Access & Authorization Mngmt
- SAP GRC - Authorization
- Access Control Launchpad
- Integration with Access Control
- SAP GRC - Integration with IAM
- SAP GRC - Audit Universe
- Process Control Work Centers
- SAP GRC - SoD Risk Management
- SAP GRC - Risk Management
- SAP GRC - Risk Remediation
- SAP GRC - Mitigation Controls
- SAP GRC - Superuser Privilege
- SAP GRC - Implementing Superuser
- SAP GRC - Enhanced Risk Analysis
- Assigning Mitigation Controls
- SAP GRC - Workflow Integration
- Installation and Configuration
- Data Sources and Business Rules
- SAP GRC - Creating Business Rules
- SAP GRC Useful Resources
- SAP GRC - Questions & Answers
- SAP GRC - Quick Guide
- SAP GRC - Useful Resources
- SAP GRC - Discussion
SAP GRC - Implementing Superuser
Let us now understand how to implement Superuser.
You can implement firefighter IDs by working on the following steps −
Step 1 − Create Firefighter IDs for each business process area
Step 2 − Assign necessary roles and profiles to carry firefighting tasks.
You shouldn’t assign profile SAP_ALL
Step 3 − Use T-Code – SU01
Step 4 − Click Create button to create a new user.
Step 5 − Assign Firefighter roles as mentioned above to user id −
Assign Firefighter roles to applicable user IDs.
Assign administrator role /VIRSA/Z_VFAT_ADMINISTRATOR to superuser privilege management administrator.
Administrator user should not be assigned any firefighting
Assign the standard role /VIRSA/ Z_VFAT_FIREFIGHTER to −
- Firefighter ID − Service user used for logon
- Firefighter user − Standard user acting as a Firefighter in case
Assign the ID owner role /VIRSA/Z_VFAT_ID_OWNER to −
Owner − Responsible for determining who will be assigned to
Controller − Receives notification when the Firefighter ID is responsibilities of emergency Firefighter IDs for his or her business area used.
Step 6 − Go to Roles tab and select the mentioned roles as per the requirement.
Step 7 − Create RFC destination for internal switch to Firefighter ID −
Name − Enter RFC connection name
Connection Type − 3
Enter a Description
(No username, passwords, or other logon data are required)
Enter passwords for each Firefighter ID in the Security table: Passwords are stored as hash values and are unreadable after the administrator saves the value.
Step 8 − To create firefighter log, you can schedule a background job.
Name the job /VIRSA/ZVFATBAK as in the following screenshot −
Superuser Log
Let us understand these steps for Superuser Log.
Step 1 − Use T-Code − Transaction − /n/VIRSA/ZVFAT_V01
Step 2 − You can now find the logs in the toolbox area. 
Step 3 − You can use transaction code — SM37 to review the logs for individual user.
You can also use the web GUI to access all Firefighter information. Go to SAP GRC Access control → Superuser privilege management.
So it is possible to access the data of different Firefighter installations on different SAP backend systems. And it is not necessary to log on to each system anymore.
