07-18-2011 5:11 AM
Dear all,
I'm trying to set up SMP and my version is SAP GRC AC 5.3 and Support Package: 16.
When I login with the user that I assigned to Firefighter ID, I try to run any trasaction and immediately appear an error: I don't have authorization for this transaction.
Thanks all for any suggestions!
Liliana!
07-18-2011 8:20 AM
Hi Liliana,
The Firefigher (who is executing the FF ID) should also have the common role assigned (which contains the common tcodes such as SU53, SU56). Ensure that the common role also contains authorization object S_USER_GRP with activity 05.
This should resolve the issue.
Regards,
Raghu
07-27-2011 2:48 PM
Hi Raghu,
Thanks for your suggestion!
Firefigher has assigned SAP_ALL and SAP_NEW. For this reason, Firefigher has all permission.
This is incorrect?
Please, any other suggestions?
Thanks,
Liliana!
07-27-2011 8:27 PM
Hi Liliana,
May I know the exact steps that you are following and the error message.
Firefigher has assigned SAP_ALL and SAP_NEW.
This is a wrong approach. You can't have SAP_ALL and SAP_NEW assigned to firefigthers. Giving this access may cause lot of issues and you might be unaware of the transactions that they are using until the log file is generated/sent.
Regards,
Raghu
07-28-2011 4:12 PM
Hi Liliana.
The Firefighter user is the normal userID that the user will log on to SAP via SAP GUI.. The authorizations assigned to this user are not the ones that are considered once you log on to the Firefighter/SPM.
You need to assign the actual FIREFIGHT ID the roles/authorizations required to do their FF activity/duties. These should be regular security roles and not SAP_ALL/SAP_NEW.
Hope that helps?
Ramelyn Paredes
SAP Active Global Support
08-01-2011 9:10 AM
The dialouge user which will use firefighter user should be given access to run firefighter dashboard (txn - /n/virsa/vfat). SAP_ALL to firefighter user? This is a real system?
Regards,
Arpan Paik
08-01-2011 5:04 PM
Hi,
Thanks for your suggestion!
I have assigned the FirefigherID to UserID through CUP. So, I start transaction u201C/VIRSA/VFATu201D to check this userID and the assignation is correct.
Then, I login with UserID, I click a u201CLog onu201D button and I enter the Reason code and action. But, when I click u201COKu201D button, it appear the window to enter again the USER and PASSWORD.
I know this window shouldnu2019t appear, but I donu2019t know what it happens.
Please, any other suggestions?
Thanks,
Liliana!
08-01-2011 6:33 PM
Hi Liliana,
When you go to /n/virsa/vfat, do you see all the tabs (buttons) Owner,Firefighter,Controllers,Security,Reason Code,Configuration,Critical Tcodes.
Make sure that you have configured all of these. Click the Configuration tab and ensure that all the below parameters are set:
Retrieve Change Log YES
Critical Transaction Table from Compliance Calibrator(VRAT) NO
Firefighter Owner Additional Authorization YES
Configuration Change Comment Mandatory YES
Firefighter Controller Additional Authorization YES
Send Log Report with Critical Transactions Only YES
Send Log Report Execution Notification Immediately YES
Send Log Report Execution Notification YES
Send Firefighter Login Notification Immediately YES
Assign FF Roles Instead of FF IDs NO
Send FirefightId Login Notification YES
Remote Function Call - The ABAP type RFC connection that was created.
Also, make sure that the FF ID that you have created is a service type user and not dialog user.
Hope this solves the issue.
Regards,
Raghu
08-16-2011 6:49 PM
Hi,
I am getting the same error as described above. After the Firefighter attempts to check out the ID and fills out the reason code details, a new session opens requiring the user to reauthenticate (username/password). After the 2nd authentication the SAP Easy Access button is displayed but the Firefighter ID session never opens. I check the firefighter dashboard and the ID still has a green status.
I have provided the correct S_USER_GRP 02, 05 Auths to roles assigned to the users and have provided the necessary Configuration settings in the Config table.
Does anyone have any idea why this would be happening?
Also I am getting the logon summary reports notifying me that an ID has been checked out even though it has not.
Edited by: suggsda on Aug 16, 2011 1:50 PM
08-16-2011 7:20 PM
Hi,
You may re-check if the Firefighter user exit is configured correctly. SAP Note 992200 - Firefighter User Exit provides you more information on the same.
Also, refer the below SAP note:
Note 1056560 - Firefighter Logon problem- New session not created
This should resolve the issue.
Regards,
Raghu
08-16-2011 7:49 PM
I have checked and implemented the SAP Note: 1056560 - "Firefighter Logon problem- New session not created" but issue is still there. I am going to try to get one of our ABAP developers to implement the User Exit soon, but I did not think that the user exit would prevent the session from opening properly.
I will wait for the exit to be implemented and let you know.
08-16-2011 9:02 PM
We have implemented user exit and still no fix. Will open a message with SAP.
08-17-2011 10:39 AM
Hi,
Yes. I don't see any other issues/recollect any other SAP Notes to resolve the issue. Don't forget to post the solution, once it is fixed
Best Regards,
Raghu
08-17-2011 8:36 PM
Thanks for the feedback Arjuna, these were all helpful but unfortunately none of these has addressed the issue that we were facing. I did however find another fix that worked via SAP Note 1528178
Liliana this may fix your issue as well if you are still encountering the reauthentication issue when checking out a firefighter ID.
Because we are using CUA, you must ensure that the GRC RTA - VIRSANH is installed on the CUA master as well as on the Child systems. We are in the process of installing the RTA now, but the other temporary fix is to update the password setting in SCUM (tcode) from 'Global' to 'Everywhere'. When set to Everywhere the CUA does not have to regenerate the password and the SAP Easy Access button will allow the new Firefighter session to be opened.
I hope this helps,
suggsda
08-18-2011 6:13 AM
08-17-2011 2:11 PM
Hi,
Please check the below points
1. Dailog id should have authorization-/n/virsa/vfat and s_user_group with * values .
2. Fire Fighter id should be "Service type "and generate the FFID "password "while creating the Fire fighter id and mapeed the Fire Fighter id with Controller and Owner.
3. Assign the Fire fighter Roles to Fire Fighter id.
4. Appply s-note 992200 for Firefighter Exit through SAPGUI.
Regards,
Arjuna.