cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC 10.1 - Firefighter Error - User cannot be assigned as firefighter

Go to solution
former_member316191
Explorer

on ‎03-21-2017 9:09 PM

Hi All,

We are working on a fresh implementation of GRC 10.1 support pack 15, during which we are facing an issue while assigning a firefighter ID to a firefighter User. The system doesn't allows us to assign the FF ID to the FF User and throws an error message 'User cannot be assigned as firefighter'

I have gone thru the complete setup and have ensured that the Firefighter users are not the owner/controller. I have looked into the below discussion and couldn't find an answered solution.

https://archive.sap.com/discussions/thread/3952527

Also our EAM setup is decentralized, I will not be able to assign the authorization GRFN_USER (ACTVT 16) to my FF users as my FF users exist in the target system only and not in the GRC system and the object GRFN_USER doesn't exist in the target system or in the SAP delivered EAM user role. Does this mean even for decentralized EAM setup the FF users should exist in GRC also?

I really appreciate your input on this.

Thanks

Narsimha R Katipally

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member279014
Explorer
‎06-20-2017 6:13 PM

I solved this one, at least for me. So just in case my situation matches yours, here's the data ...

I had this problem under GRC10.0 using EAM decentralized for over 4 years and noticed it after moving from SP13 to SP24 on the central system (back-end was already up-to-date). Something related to all this changed somewhere in those SPs.

I made a change to a Firefighter(FF)-user relationship. There were 2 users on the FF ID; one should come off and be replaced with a new one. But when attempting to save the change, GRC would not save because of the 2nd user (which was already there for years) and GRC gave an unhelpful, non-descriptive error message, "User cannot be assigned as firefighter." This was not the same message as when trying to assign a Controller of an FF ID as a User of that same FF ID. So, I was forced to take the other existing user off to make the change and troubleshoot from there.

The user with the error had the same role in the back-end system as the new one I just added, and as others I could still add.

The user was a Controller for some other FF IDs but definitely not for this FF ID.

Ultimately, here's the reason:

In a decentralized environment, Controllers still need an ID in the central system in order to login and approve/reject the workflow after the fact. In the central system, this user had a role to be an EAM Controller but not a role for EAM User; this had previously worked, but no longer. Other Controllers I had no problem with also already had EAM User access centrally. Users without any ID in the central system only needed, and still only need, an EAM User role on the back-end.

What apparently changed was, if a user involved in a Save exists in the central system, that is being checked first now and can fail without checking the back-end/target system for permission. This is not necessarily "wrong," but it is a change to what it was and now it requires us to check the central system roles for EAM Users if they have an ID there.

NOTE: This problem was especially difficult to search and obtain info on because it is so specific and lesser used: decentralized GRC, after a certain recent(?) Support Pack, only affects Controllers/central users without explicit EAM User access on their GRC central ID.

I don't know if that is the same scenario for Narsimha or anyone else here, but this worked for us and our user is happy again.

Show replies
Show replies

Answers (2)

Answers (2)

Former Member
‎05-15-2017 9:30 PM

Hi Narsimha,

The User(firefighter) needs to exists in GRC and with the following basic roles

1. SAP_GRC_FN_BUSINESS_USER

2. SAP_GRC_FN_BASE.

3. SAP_GRAC_SUPER_USER_MGMT_USER

Run the Auth Sync,SPM Sync and Repository sync for the plugin system,I think you might have already maintained the 4015 to YES

Thanks

Ramesh

Show replies
Show replies
former_member279014
Explorer
‎06-15-2017 12:44 AM

Key words, "EAM setup is decentralized." No, the User(firefighter) DOES NOT need to exists in GRC. I have plenty that don't.

I'm only here because I have one stubborn user that used to work and doesn't now. No answers for me here yet.

sreekanth_sunkara
Active Participant
‎03-27-2017 9:43 PM
0 Kudos

Hi,

We are on GRC10.1 SP10 and i am able to assign FF ID's to FF Users manually without creating FF users in GRC system. Did you maintain parameter 4010 in SPRO in the plugin system. Please maintain parameter 4010 and let us know.

Thanks,

Sri

Show replies
Show replies
former_member316191
Explorer
‎03-29-2017 3:38 AM
0 Kudos

Hi Sri,

Yes, as mentioned above I have made sure all the default config is in place and have also verified all the solution specified in the discussion threads above.

But that hasn't resolved my error.

Thanks

Former Member
‎05-15-2017 1:49 PM
0 Kudos

hello, were you eventually able to fix your issue? I am encountering similar issue with 10.1 SP16.

thanks!

Sophie

Ask a Question