Parameter 4026: Transforming Your Approach to EAM Application in SAP GRC Access...

FFID's were a commonly used by many users in a system. Users can request for FFID and upon approval by the owner. In many cases, FFIDs are mis-used and owners without validating the actual requirement may approve the request. To avoid this risk, SAP introduced a new process which can be enabled with parameter 4026 - Configure which connector uses dedicated/single Firefighter ID (Refer to SAP Note: 3036192 for more detailed information.)

Enabling this will ensure that enterprises can setup the Firefighter ID according to their organization policies. Parameter 4026 provides 4 possible parameter values:

Parameter value	Description
ALL ONE	All SUPMG connectors with one dedicated FFID per system
ALL DEDI	All SUPMG connectors with many dedicated FFID per system
CONF ONE	Configured connectors with one dedicated FFID per system
CONF DEDI	Configured connectors with many dedicated FFID per system
	No connectors with dedicated FFID per system (disabled)

Note:  Keep in mind that this setting only applies when you're asking for FFIDs through the Access Request feature/interface. Administrators can still assign as many FFIDs as they need to each user from NWBC (direct method).

Let’s delve deep on each of these options:

Parameter Value - ALL ONE

When the parameter value is set to “ALL ONE” - All SUPMG connectors with one dedicated FFID per system, the "One FFID per user per system" setting is activated for ALL systems within the SUPMG integration scenario. Under this configuration, a user is limited to having only one FFID per system.

User may request for the FireFighter ID via the Access Request form as shown below:

Image - Access Request form with FFID request selection

Once a FFID is assigned to a user, it's no longer an option for selection and is taken off the list of available FFIDs for other users. This ensures that the same FFID isn't chosen or requested by multiple users. See the example below:

Image - Available FFID screen with blank entries

Similarly, other users can’t see the same FFID as it has an active assignment.

Parameter Value - ALL DEDI

When the parameter value is set to “ALL DEDI” - dedicated FFID's per system is switched on to ALL system in the SUPMG integration scenario. With this setting, a user can have multiple FFIDs in the same system, but once the FFID is assigned/active to one user, it is not visible for the other users.

Image – EAM Launchpad with 2 different FFIDs

Parameter Value - NONE

The functionality is switched off, meaning there's no filtering or validation in place. You're free to assign as many FFIDs as necessary to as many users as needed. This reflects the current operation methodology of the EAM application.

Parameter Value – CONF ONE

One FFID per user per system is switched on to only CONFIGURED system. A user can only have a single FFID in a configured system, and many in the non-configured systems.

Parameter Value – CONF DEDI

Dedicated FFID's per system is switched on to CONFIGURED system. A user can have many FFID in all the systems, however one FFID is only assigned to a single user in a configured system.           

In conclusion, the introduction of parameter 4026 in SAP GRC Access Control offers organizations the ability to tailor their Firefighter ID (FFID) assignment processes according to their specific needs and security policies. By enabling this parameter, administrators gain control over how FFIDs are allocated and managed within their systems. Go ahead and explore more on how this new feature can simplify the way you are working with the EAM application.