
Using SAP Firefighter ID from an ABAP Perspective: Monitoring and Auditing Emergency Access

In SAP systems, the production environment is typically the layer with the strictest security rules. Any changes here are tightly controlled, as they directly affect live business processes. However, there are exceptional situations where a developer or support specialist may need to intervene urgently in the live system. For such cases, SAP provides a special solution within the GRC module: Firefighter ID.

Scenario-Based Introduction

A customer reports that a vendor invoice, which they rejected via the Invoice Cockpit in the live SAP system, still shows an unchanged status. This process relies on a backend web service, and the issue may only occur in the live system due to a real-time connectivity issue that cannot be replicated in the test environment. To analyse the problem, a developer is temporarily assigned a Firefighter ID and performs a debug session in production. After reviewing the system’s response, the issue is identified. But how is every step of this emergency access tracked and audited by the system?

What is a Firefighter ID?

Firefighter ID is a user profile defined within the SAP GRC (Governance, Risk, and Compliance) module that grants authorized users time-limited and monitored access to the production system. The goal is to enable emergency access while ensuring that the activity is transparent, auditable, and fully logged.


How is Firefighter Access Audited?

When a Firefighter ID is used, the system logs the access in detail. These logs can be reviewed through the following methods:

1. Log Tracking with Security Audit Log (SM20)

All session activities performed with the Firefighter ID can be monitored at the command level via the SM20 transaction.

2. Firefighter Log Tables

Some important log tables include:

  • /VIRSA/ZVFATLOG: Contains the main logs for Firefighter activities.

  • /GRCPI/GRIA_FF_LOG: An alternative log table used for GRC version 10 and above.

These tables may contain:

  • Who used the Firefighter ID

  • Start and end time of access

  • Executed transaction codes

  • Specific operations performed by the user


Creating a Firefighter Report with ABAP

You can create a simple ABAP report to extract Firefighter ID activity logs from the system:


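" Read all log rows for one Firefighter ID within the date range.
SELECT * FROM /virsa/zvfatlog
  INTO TABLE @DATA(lt_ff_logs)
  WHERE firefighterid = 'FF_DEV01'
    AND action_date BETWEEN '20250401' AND '20250425'.

" Print date, transaction code and real user for each logged action.
LOOP AT lt_ff_logs INTO DATA(ls_log).
  WRITE: / ls_log-action_date, ls_log-transaction_code, ls_log-username.
ENDLOOP.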

This snippet lists the actions of a specific Firefighter ID over a selected date range. Since table structures may vary across systems, analyzing them with SE11 or ST05 can be helpful.

Advanced Tip: Automating Firefighter Reporting

In some organizations, GRC’s built-in reports may not be sufficient. An ABAP program can be developed to:

- Generate PDF or Excel reports of Firefighter usage within a specific date range

- Automatically send these reports to audit teams via email (using CL_BCS)

- Highlight any violations, errors, or unauthorized actions

Conclusion

Firefighter ID is a critical tool for managing emergency access in SAP systems. While it serves an essential role, it can pose security risks if not properly managed. Therefore, it must be correctly configured within GRC and transparently monitored from the ABAP side. In this article, we’ve examined how to track Firefighter access with ABAP, which tables to use, and how to build reports from them.

If you want to avoid security loopholes in your production system, always keep an eye on your Firefighter logs.
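
The "highlight violations" step from the automation tips above, as an added example that is not part of the original article or any SAP-delivered code: it flags Firefighter log rows whose transaction code is on a review watch-list and counts the hits per Firefighter ID and user. The report name, row type, sample rows and watch-list contents are constructed for illustration, and the field names are carried over from the article's snippet, so check them in SE11 before pointing this at a real log table.

```abap
REPORT zff_watchlist_demo.

" Row layout reuses the field names from the article's snippet (assumed, verify in SE11).
TYPES: BEGIN OF ty_ff_log,
         firefighterid    TYPE c LENGTH 12,
         username         TYPE c LENGTH 12,
         action_date      TYPE d,
         transaction_code TYPE c LENGTH 20,
       END OF ty_ff_log,
       ty_ff_logs TYPE STANDARD TABLE OF ty_ff_log WITH EMPTY KEY,
       BEGIN OF ty_count,
         firefighterid TYPE c LENGTH 12,
         username      TYPE c LENGTH 12,
         hits          TYPE i,
       END OF ty_count.

" Constructed sample rows standing in for the SELECT result on the log table.
DATA(lt_ff_logs) = VALUE ty_ff_logs(
  ( firefighterid = 'FF_DEV01' username = 'DEV_A' action_date = '20250402' transaction_code = 'SE38' )
  ( firefighterid = 'FF_DEV01' username = 'DEV_A' action_date = '20250402' transaction_code = 'SM30' )
  ( firefighterid = 'FF_DEV01' username = 'DEV_B' action_date = '20250410' transaction_code = 'FB03' )
  ( firefighterid = 'FF_SUP01' username = 'SUP_A' action_date = '20250411' transaction_code = 'SU01' ) ).

" Hypothetical review policy: transactions that always need a reviewer's sign-off.
DATA lt_watch TYPE RANGE OF ty_ff_log-transaction_code.
lt_watch = VALUE #( sign = 'I' option = 'EQ'
                    ( low = 'SE38' ) ( low = 'SM30' ) ( low = 'SU01' ) ( low = 'SE16N' ) ).

" Default key = the two character fields, so COLLECT sums HITS per ID and user.
DATA lt_counts TYPE STANDARD TABLE OF ty_count WITH DEFAULT KEY.
DATA ls_hit    TYPE ty_count.

" List every watch-listed action and accumulate the per-user hit count.
LOOP AT lt_ff_logs INTO DATA(ls_log) WHERE transaction_code IN lt_watch.
  WRITE: / 'REVIEW', ls_log-action_date, ls_log-firefighterid,
           ls_log-username, ls_log-transaction_code.
  ls_hit = VALUE #( firefighterid = ls_log-firefighterid
                    username      = ls_log-username
                    hits          = 1 ).
  COLLECT ls_hit INTO lt_counts.
ENDLOOP.

" Summary block: one line per Firefighter ID and user with flagged activity.
ULINE.
LOOP AT lt_counts INTO ls_hit.
  WRITE: / ls_hit-firefighterid, ls_hit-username, ls_hit-hits.
ENDLOOP.
```

To run it against real data, replace the constructed rows with the SELECT from the report section and keep the watch-list in a maintained customizing table rather than in code.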


