SAP GRC Firefighter Setup Explained: Roles, Authorization Objects, and Team Responsibilities - SAP SECURITY



Emergency access in SAP systems must be carefully controlled to prevent misuse of powerful transactions. SAP GRC provides Emergency Access Management (Firefighter) to allow temporary elevated access when production issues occur. However, auditors closely review how Firefighter access is configured, who manages it, and whether proper role segregation exists.

This guide explains the SAP standard roles, authorization objects, required transactions, and responsibility boundaries between SAP Security, SAP Basis, and Functional consultants.


Firefighter Administration in SAP GRC

Firefighter administration is managed through transaction GRAC_EAM.

This transaction is the main cockpit used by SAP Security or GRC administrators to:

  • Create Firefighter IDs

  • Assign Firefighter users

  • Maintain Firefighter owners

  • Assign controllers

  • Monitor emergency access usage

In older SAP GRC implementations, consultants sometimes try to use GRAC_SPM. However, this transaction is mostly deprecated in modern GRC versions and may not properly launch the GRC cockpit.

Instead, many organizations access the GRC interface through NWBC, which provides a web-based interface for Firefighter management and approval workflows.


SAP Standard Roles Used in Firefighter Management

SAP provides predefined roles for managing Emergency Access Management.

1. Firefighter Administrator Role

Standard role: SAP_GRAC_SUPER_USER_MGMT_ADMIN

This role is assigned to SAP Security or GRC administrators responsible for managing Firefighter access.

Responsibilities include:

  • Creating Firefighter IDs

  • Assigning Firefighter users

  • Maintaining Firefighter owners and controllers

  • Monitoring Firefighter access

Typical transactions included:

  • GRAC_EAM

  • GRACROLE

  • GRACUSER

This role should only be assigned to SAP Security administrators.


2. Firefighter Owner Role

Standard role: SAP_GRAC_SUPER_USER_MGMT_OWNER

Firefighter owners are responsible for:

  • Approving Firefighter access requests

  • Monitoring emergency access justification

  • Ensuring access is used only during real production issues

Owners are usually application owners or business leads.

They typically access GRC through NWBC.


3. Firefighter Controller Role

Standard role: SAP_GRAC_SUPER_USER_MGMT_CONTROLLER

Controllers review Firefighter activity logs after emergency sessions.

Responsibilities include:

  • Reviewing Firefighter logs

  • Verifying actions taken during emergency access

  • Approving or rejecting Firefighter usage

Controllers usually belong to:

  • Internal audit teams

  • Compliance teams

  • SAP security monitoring teams


Key Authorization Objects in SAP GRC Firefighter Roles

Proper authorization object configuration is essential for Firefighter administration.

GRAC_ACTVT

This authorization object controls GRC activity permissions.

Important field: ACTVT

Common activity values include:

  • 01 Create

  • 02 Change

  • 03 Display

  • 06 Delete

  • 16 Execute

Administrators typically require activity values 01, 02, 03, and 16.


GRAC_SYS

This object controls which SAP systems can be managed in GRC.

Important field: CONNECTOR

Example values may include:

  • ECCCLNT100

  • S4PRD

  • BWPRD

Without proper connector authorization, administrators cannot manage Firefighter access for those systems.


GRAC_ROLE

This object controls role maintenance permissions within GRC.

Important fields include:

  • ROLE_TYPE

  • ACTVT

Typical values:

  • ROLE_TYPE: SINGLE, BUSINESS

  • ACTVT: 01, 02, 03


GRAC_USER

This authorization object controls user assignment capabilities in GRC.

Important fields include:

  • ACTVT

  • USER_GROUP

Common activity values:

  • 01 Create

  • 02 Change

  • 03 Display


Core SAP Security Transactions Required

SAP Security administrators managing GRC typically require several core SAP security transactions.

These include:

PFCG
Used to create and maintain roles.

SU01
Used for user management and role assignment.

SUIM
Used for reporting and authorization analysis.

These transactions are typically restricted to SAP Security teams only.


Access Limitations for SAP Basis Team

SAP Basis consultants are responsible for system administration and technical infrastructure, not application security.

Their typical transactions include:

SM59
Used to maintain RFC connections.

STMS
Used to manage transports across SAP landscapes.

SM37
Used to monitor and manage background jobs.
However, Basis teams should not receive access to security administration transactions, such as:

  • PFCG

  • SU01

  • GRAC_EAM

This separation limits the risk of privilege escalation: a Basis administrator who also held PFCG and SU01 could grant additional roles to themselves or others without going through the SAP Security team.


Access Limitations for SAP Functional Consultants

Functional consultants from modules like FI, MM, SD, or HR are responsible for business process configuration and role validation, not role creation.

Their responsibilities include:

  • Identifying required authorization objects

  • Validating roles during testing

  • Supporting User Acceptance Testing

Functional consultants often analyze authorization failures using:

SU53

However, they should not receive access to:

  • PFCG

  • SU01

  • GRAC_EAM

Instead, they work with SAP Security teams to define role requirements.


Why Role Segregation Matters in SAP Audits

Proper segregation between SAP Security, SAP Basis, and Functional consultants is a key governance requirement.

Auditors often verify:

  • Firefighter access approval process

  • Firefighter log review controls

  • Role administration privileges

  • Segregation of Duties compliance

If roles are not properly segregated, organizations may face audit findings related to:

  • Privileged access misuse

  • Unauthorized role assignment capability

  • Lack of access governance

Implementing clear responsibility boundaries ensures secure SAP environments and compliance with internal control policies.
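The checks described in the authorization object section and in the segregation rules above can be scripted against a role/user export. The following is an added example (not SAP or GRC code) that runs over constructed sample data: it flags non-Security teams holding PFCG, SU01 or GRAC_EAM, the Firefighter administrator role assigned outside the Security team, an administrator role whose GRAC_ACTVT lacks 01/02/03/16, and a GRAC_SYS with no CONNECTOR values. All role names, user IDs and values are hypothetical.

```python
"""Constructed audit of SAP role data against this page's segregation rules.
Added example, not SAP or GRC code; the input mimics a role/authorization export."""

SECURITY_ONLY_TCODES = {"PFCG", "SU01", "GRAC_EAM"}   # per the article
FF_ADMIN_ROLE = "SAP_GRAC_SUPER_USER_MGMT_ADMIN"
ADMIN_ACTVT = {"01", "02", "03", "16"}               # GRAC_ACTVT for admins

def covers(role, obj, fld, needed):
    """True if the role's authorization object/field grants every needed value."""
    have = role["auths"].get(obj, {}).get(fld, set())
    return "*" in have or needed <= have            # '*' wildcard counts as all

def audit(users, roles):
    """users: {uid: (team, [role names])}; roles: {name: {tcodes, auths}}."""
    findings = []
    for uid, (team, role_names) in users.items():
        for rn in role_names:
            r = roles[rn]
            bad = r["tcodes"] & SECURITY_ONLY_TCODES
            if bad and team != "SECURITY":
                findings.append((uid, rn, f"{team} holds {sorted(bad)}"))
            if rn != FF_ADMIN_ROLE:
                continue
            if team != "SECURITY":
                findings.append((uid, rn, "FF admin role outside Security"))
            if not covers(r, "GRAC_ACTVT", "ACTVT", ADMIN_ACTVT):
                findings.append((uid, rn, "GRAC_ACTVT lacks 01/02/03/16"))
            if not r["auths"].get("GRAC_SYS", {}).get("CONNECTOR"):
                findings.append((uid, rn, "GRAC_SYS has no CONNECTOR values"))
    return findings

# Constructed sample landscape (hypothetical role names, users and values).
ROLES = {
    FF_ADMIN_ROLE: {"tcodes": {"GRAC_EAM", "GRACROLE", "GRACUSER"},
                    "auths": {"GRAC_ACTVT": {"ACTVT": {"01", "02", "03"}},  # 16 missing
                              "GRAC_SYS": {"CONNECTOR": {"ECCCLNT100", "S4PRD"}}}},
    "Z_BASIS_ADMIN": {"tcodes": {"SM59", "STMS", "SM37", "SU01"}, "auths": {}},
    "Z_FI_CONSULTANT": {"tcodes": {"SU53"}, "auths": {}},
}
USERS = {
    "SECADM1": ("SECURITY", [FF_ADMIN_ROLE]),
    "BASIS1": ("BASIS", ["Z_BASIS_ADMIN"]),
    "FICON1": ("FUNCTIONAL", ["Z_FI_CONSULTANT", FF_ADMIN_ROLE]),
}

if __name__ == "__main__":
    for finding in audit(USERS, ROLES):
        print(*finding)
```

Note that the wildcard check in covers matters in practice: a role carrying ACTVT = * would otherwise be reported as missing values it actually grants.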
