Firefighter login issue - not authorized to change password

Former Member
0 Kudos

Hi Experts,

We were facing an issue logging in through Firefighter - the error message was "You are not authorized to change passwords in user group XXXX" - solved this by following SAP note 1319031. The same SAP note says that "It is also recommended that any users with this access should NOT have access to transaction SU01."

We have modified the firefighter role and added the authorisation object "S_USER_GRP" - and this firefighter role is assigned to all firefighters, including Basis firefighters who have access to SU01.

So is there any reason that this modified role should not be given to people who have access to SU01, and will there be any problem?

Thanks

Davinder

5 REPLIES

Former Member
0 Kudos

If you have decentralized user administration based on User Groups, you wouldn't want anyone other than UAs to change the user records. Hence the suggestion from SAP. Giving it to Basis shouldn't be a problem, and of course you will have logs from Firefighter to see if they have changed any user master record details.

Regards,

Ajesh Raju.

0 Kudos

Hello Ajesh,

Do you mean giving access to this modified role to users who already have access to SU01 is not a problem?

Thanks

Davinder

Former Member
0 Kudos

Thanks to all for your kind help

koehntopp
Product and Topic Expert
0 Kudos

Davinder,

In earlier versions of Firefighter you had to maintain passwords for your FF IDs manually. The latest versions do that automatically, therefore the FF user needs authorization to change the password through S_USER_GRP.

If he also had access to SU01, he could change anyone's password.

The way to prevent that is

a) limit access to SU01 and similar (a good idea anyway)

b) assign all FF IDs to a special user group, and limit the FF users' S_USER_GRP authorization to that user group.

Frank.
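
An audit sketch for the two controls in the reply above, added here as an example and not part of the original post or any SAP tool: it combines each user's roles and flags S_USER_GRP access (activities 02/05) that reaches beyond the dedicated FF ID user group, with or without SU01. The role names, user names, the group name `FF_IDS` and the row layout (loosely modelled on a role authorization export such as table AGR_1251) are assumptions; ranges and patterns are treated conservatively as "wider than the FF group".

```python
from collections import defaultdict

FF_GROUP = "FF_IDS"            # assumed name of the dedicated FF ID user group
PW_ACTIVITIES = {"02", "05"}   # Change and Lock/Unlock, as named in the thread

# Constructed sample rows: (role, object, authorization, field, value)
ROLE_AUTHS = [
    ("Z_FF_SCOPED",   "S_USER_GRP", "A1", "CLASS", "FF_IDS"),
    ("Z_FF_SCOPED",   "S_USER_GRP", "A1", "ACTVT", "05"),
    ("Z_FF_WIDE",     "S_USER_GRP", "A1", "CLASS", "*"),
    ("Z_FF_WIDE",     "S_USER_GRP", "A1", "ACTVT", "02"),
    ("Z_FF_WIDE",     "S_USER_GRP", "A1", "ACTVT", "05"),
    ("Z_BASIS_ADMIN", "S_TCODE",    "T1", "TCD",   "SU01"),
]
# Constructed user-to-role assignments
USER_ROLES = {
    "FF_OWNER_1": ["Z_FF_SCOPED"],
    "BASIS_1":    ["Z_FF_WIDE", "Z_BASIS_ADMIN"],
    "BASIS_2":    ["Z_FF_SCOPED", "Z_BASIS_ADMIN"],
}

def role_profile(rows):
    """Per role: does it grant SU01, and which user groups can it change?"""
    inst = defaultdict(lambda: defaultdict(set))
    for role, obj, auth, field, value in rows:
        inst[(role, obj, auth)][field].add(value)
    prof = defaultdict(lambda: {"su01": False, "groups": set()})
    for (role, obj, _), fields in inst.items():
        if obj == "S_TCODE" and fields["TCD"] & {"SU01", "*"}:
            prof[role]["su01"] = True
        # Fields of one authorization instance are evaluated together.
        if obj == "S_USER_GRP" and fields["ACTVT"] & (PW_ACTIVITIES | {"*"}):
            prof[role]["groups"] |= fields["CLASS"]
    return prof

def audit(rows, user_roles):
    """Return {user: (finding, groups reachable beyond FF_GROUP)}."""
    prof = role_profile(rows)
    findings = {}
    for user, roles in user_roles.items():
        su01 = any(prof[r]["su01"] for r in roles)
        groups = set().union(*(prof[r]["groups"] for r in roles))
        wide = sorted(groups - {FF_GROUP})  # anything not exactly the FF group
        if wide and su01:
            findings[user] = ("SU01 + unscoped S_USER_GRP", wide)
        elif wide:
            findings[user] = ("unscoped S_USER_GRP", wide)
    return findings

print(audit(ROLE_AUTHS, USER_ROLES))
```

With the sample data only `BASIS_1` is reported, because SU01 and the wide S_USER_GRP authorization arrive through two different roles and only combine at the user level.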

Former Member
0 Kudos

After encountering this issue, our preliminary testing indicates that only activity "05 - Lock/Unlock" is required. My suspicion is that newly created FF users will require an initial password reset which is why the note calls for "02 - Change" access as well. If we manually reset the password for newly created users I'm hoping we can get away with just assigning "05" and avoiding "02."

Has anyone else gone this route? Any other reason for "02" to be assigned here?

Thanks