Discuss business intelligence, integration, compliance and a host of other SAP-related topics – implementation, best practices and resources to negotiate the world of SAP better!

« May 2020 | Main

June 19, 2020

Fire Fighter Log Review Approval in SAP GRC via Email

Emergency Access Management (EAM) enables end users within an organization to carry out emergency activities outside the scope of their standard authorizations, but within controlled and fully auditable environment. Fire-fighter (FF) controller is responsible for monitoring and assessing the pertinence of activity performed by a user using an individual Firefighter ID. The Controller is responsible for reviewing the log report after Fire-fighter session has ended. The controller can review the activities performed by the user and in case of any queries can clarify with the respective user and get relevant documents/details attached to the log review request. This helps in an automated way to review all the activities performed using EAM process. Based on the MSMP configuration maintained in the GRC system, FF controller may be required to approve the FF log in case Fire Fighter Log Review Workflow has been activated in the system.

Standard option available in the SAP GRC system mandates the FF controller to login to NetWeaver Business Client (NWBC) and then take appropriate action (Approve/Reject) which is sometimes very tedious. This also implies FF controllers need proper training about the standard approval process via NWBC. This becomes very difficult for a large organization which is spread across different geographies. Preparation of training material for the same will also demand significant amount of time.

This blog discusses enhancement needed in the SAP GRC system that will send FF log details as an excel attachment to the FF controller so that firefighter session details can be viewed via email only along with option to either approve/reject the FF log WF. This will save significant time and effort for the controller to login to NWBC client to analyze the FF log report and then take appropriate action. Setting up offline approval process for Fire-fighter log review workflow can be done by enabling inbound processing in SAP GRC system.

Sample approval email after implementing enhancement in SAP GRC:



  • This enhancement enables FF controller(s) to action the request directly from email, without the need to login to GRC tool, hence simplifying the overall FF log review process.
  • FF log session details in the email attachment can be viewed and action (Approve/Reject) on the FF log review WF can be taken directly from email.This solution works seamlessly with mobile devices as well.
  • Saves significant time and effort spent on FF log approvals.
  • Reduces the training requirements for FF controllers.

Self-service password reset using email in SAP

Many organizations that run SAP are spending huge time and money on manual password resetting processes. With more and more enterprises adopting SAP software since it offers all-inclusive set of integrated, cross functional processes, there is a need to automate self-service password management in SAP, providing a quick and easy way to ensure business continuity. This blog discusses simple and easy solution to deploy SAP Password Reset using email.

SAP customers spend hefty amount to implement manual password resetting procedure. Most companies make use of the help desk or someone from IT to assist users to reset their SAP passwords. There are also various tools available in the market for SAP Password Reset functionality (e.g. GRC PSS, AuditBOT Password Reset Tool etc.) that mandates companies to purchase their licenses. During the interval, user is not able to login to SAP system, (due to account being locked via incorrect logon attempts). This also impacts employee productivity thereby affecting organization's performance. In some cases, users contact the IT help desk by placing a call which again costs enterprises a lot of money.

Using the self-service SAP Password Reset via email automated process, a user will receive the initial password in fraction of seconds so he/she can they can quickly get back into the system to do his/her work. This solution works by user sending an email to the SAP system via inbound email functionality which will then trigger a custom class to reset the SAP password for the user and sending back the email to the user with Initial Password to login to the SAP system. This solution will work seamlessly in case user master data for the user is maintained in the desired SAP system. User ID is extracted from the email ID of the user using which he/she would have sent an email to SAP system for password reset. Basic validations like user should only be able to reset password in the SAP system in case locked due to incorrect logon attempts are incorporated in this solution. Users can also send email to the SAP system for SAP Password Reset using their mobile devices.

SAP Password Reset Process Flow using Email



SAP password reset using email functionality will have the following benefits for the enterprise:

·         Eliminate the need to dedicate valuable IT resources for such a trivial task.

·         It can be utilized as a self-service solution without the need to reach out to IT help desk.

·         Increase employee productivity within organization.

·         Eliminate costs associated with having dedicated IT help desk.

·         Solution works seamlessly with mobile devices as well.

Data Protection in SAP using UI Masking and Logging Solution

Today's world is data driven and it is extremely important to protect sensitive data such as personal information and critical business data. Enterprises today are exposed to IT security threats evolved over time and they need to comply with number of data privacy regulations.

Organizations need to define the right approach for threat detection and remediation for threats coming from both insiders and outsiders. SAP supported protective means such as Single Sign On (SSO) can be used to protect networks and systems from outside attacks. However, protection against insider data thefts is not covered by standard functionality and it requires one step beyond a basic system security and authorization setup.

This blog discusses SAP's solution for UI Data protection - UI Masking and UI Logging, which can be used to achieve data security in SAP landscape.

SAP systems contain massive amount of sensitive and business critical information. Internal users in the organization have access to such information.

In many cases, SAP users get excess access in SAP system due bad role design or incorrect role assignments. In addition, standard SAP authorization framework has some imitation and it cannot handle every data security or legal requirements concerning data privacy independently. Users with dishonest intention can exploit such loopholes to access sensitive and critical information, which can ultimately result into data leaks.

SAP provides two-step security approach to protect data from insiders -

UI Masking and UI Logging.

UI Masking is preventative control for handling data security. It is an active form of masking the display of sensitive data to conceal specific data unless required for the task. Masking solution can mask data within multiple UI technologies such as SAP GUI, WebDynpro ABAP, CRM Web Client UI UI5 /Fiori etc. making sure that sensitive fields are masked for unauthorized users. This solution masks field values of sensitive (configured) fields by default. Unmasking of these field values requires explicit access on top of existing user access. In case a customer is looking for conditional based masking, the same can also be achieved with the implementation of UI masking BADI. e.g. Masking should only be applied in case vendor account number is mapped to specific accounting group in SAP.

UI Logging is soft and detective approach in data security. This functionality allows an individual to document and analyze data requested and eventually accessed by the user. It provides a detailed and structured data access log required for analysis. It prevents illegitimate access to data, its theft by introducing complaint behavior. UI logging configuration options allow individuals to determine for which users, and data logging should be enabled. The logged data in SAP can be transferred to the external repository (SAP or non-SAP) for further analysis.

As of today, UI masking and UI logging solution is applicable for below SAP UI technologies. The solution can be enabled after installing add-on specific to respective SAP system. 

UI Technology


UI Masking


UI Logging


S/4HANA native



SAP GUI for Windows / HTML / Java






CRM Web Client UI



WebDynpro ABAP



BW Access (BEx Web/Analyser, BW-IP, BICS, MDX)

Can be offered as project


RFC/BAPI and Web Services

Can be offered as project



With the help of UI masking and UI logging solution on top of existing SAP authorization set up, organizations can achieve data security.

This will help organizations in

·        Avoiding damaging cases of data abuse and data loss.

·        Identifying and proving irregular data access.

·        Comply better with legal requirements concerning data privacy e.g. GDPR (General Data Protection Regulation)

·        Increase transparency of access to sensitive data.

·        Detect potentially problematic access to sensitive data rapidly and conduct a meaningful analysis in order to take the corrective actions.

June 12, 2020

The Next Normal for Everyone's Business

If you are like me and the team at Infosys, you are cautiously optimistic about moving your business forward amid uncertainty and changing customer expectations. However, you may not know where to turn or who to trust for advice in reshaping and reimagining your path forward.


We know today's changing business environment is forcing businesses of all sizes to create new ideas and reshape industries. And it is becoming more evident for businesses of all sizes that we must be focused, take chances, keep our heads up and keep moving forward while reimagining new realties and possibilities for our businesses. 


Infosys is excited to participate in SAPPHIRE NOW Reimagined, a virtual event from SAP. The free event is being held virtually on June 15-19, 2020, including 11 different channels that each will focus on different aspects of creating and reshaping your business through speaker keynotes, customer stories, product demos, roundtables, and much more. We are excited to learn and grow our knowledge to become nimbler and more resilient, create experiences that drive loyalty, and lay the groundwork for what's next for Infosys and our customers.


Infosys is a Gold-level sponsor of the virtual event and we have sponsored the Customer Experience channel. We will be presenting our client AGCO's Customer Experience transformation journey. AGCO, an American agricultural machinery manufacturer, operates through multiple core machinery brands. AGCO planned to implement its Digital Customer Experience Management (DCX) program, which is in line with its vision to offer better solutions to its employees, dealers and farmer customers by providing real-time insights as to better serve customers with digital tools. Infosys executed the program and provided AGCO a digital platform that enables both B2B and B2B2C business processes and functionalities to improve customer experience and digitize work processes.


We encourage you to also discover with us how to keep moving forward today with timely information so all businesses can thrive in the future. You can register here and listen to thought leaders, industry experts and customers as they share their story on how they are navigating their next.

Subscribe to this blog's feed

Follow us on

Blogger Profiles

Infosys on Twitter