06-10-2007 11:53 PM
The FF users are created as a SERVICE user. This means that these users cannot log onto the SAP system. Now my question is:
1. How does the FF get on to the SAP system ?Does he piggy back ??
Thanks!
06-11-2007 8:13 AM
Hi Pratap,
I dont remember the exact tcode, but there is aTcode that the Fire fighter would key in and hey would be directed to a new screen which has a Login screen. SO once he clicks login-- enters into the system with the authorizations as a firefighter and with FF ID. He no longer is using his own ID.
Will check out and let you know exactly how a FF liogs in the system...
Br
Sri
Award points for helpful answers
06-11-2007 7:06 AM
Hello Pratap,
Service users can logon on the system. Only system and communication users cannot login.
Check this out:
http://help.sap.com/saphelp_nw04/helpdata/en/52/67119e439b11d1896f0000e8322d00/content.htm
Regards.
Ruchit
06-11-2007 7:37 AM
Ruchit,
Thanks for your following up this query.
The link you have pasted in response I did visit. I have pasted below the relevent part :
System (B)
User type for background processing and communication within a system (internal RFC calls).
○ A dialog logon is not possible.
○ The password change requirement does not apply to the passwords, that is, they cannot be initial or expired. Only a user administrator can change the password
○ Multiple logons are permissible.
When you logon ie if the SAP system accepts your user id & Password you are in all probablity a dialogue user.
The Service user is not peremitted to logon to the system. best way to check this is to create your own user (Su01). in the process there is a section where you can select the type of user , try using the service user.
Regards
06-11-2007 1:24 PM
Hello Pratap,
You have posted the details for system user not service user.
You can login into othe system using service user. The main difference between dialog user and service user is that for service user password never expires.
Service users are permitted to logon. Create one in Su01 and then try out yourself.
Regards.
Ruchit.
06-11-2007 8:13 AM
Hi Pratap,
I dont remember the exact tcode, but there is aTcode that the Fire fighter would key in and hey would be directed to a new screen which has a Login screen. SO once he clicks login-- enters into the system with the authorizations as a firefighter and with FF ID. He no longer is using his own ID.
Will check out and let you know exactly how a FF liogs in the system...
Br
Sri
Award points for helpful answers
06-11-2007 1:05 PM
You create the FF users as service users. At this point the user can logon via a dialog logon. ONCE you add the user to the FF users toolbox/table a user exit prevents this FF user from logging on via dialog
06-11-2007 3:21 PM
Thanks David, This is exactly my question one FF has been configured? How does he get on to the system as he is prevented by the user exit.
06-11-2007 5:40 PM
I am not familiar with this product, but technically they might have the user exit resetting the password or locking the user again if a dialog logon is made => So he is prevented from logging on again; but is already logged on.
Just an idea.
06-11-2007 7:47 PM
FFID - the service account with SAP_ALL
FF User - The user that uses the FFID when they need SAP_ALL access
FF Adminstrator - The ADMIN of the FF application
-
you create a FFID as a service account. You then logon as a FF administrator and add that FFID to the FF toolbox, and assign a dialog user as a user of the FFID you just created(FF User)
Then the FF user logs on as themselves (using the limited access account) and they run the FF transaction /N/VIRSA/VFAT. They will then see the FFID they are assigned to and will be able to click on that account the logon. Once they click on this account the FF tool logs them onto SAP.
06-11-2007 7:49 PM
I forgot to add
FF Owner - The owner of the FFID account
FF Controller - The person responsible for reviewing the logs that are created by FFID
06-11-2007 8:12 PM
David ---> Thanks a ton am just beginging to work out your suggestions.
All the same, are n't we Supposed to exclude SAP_ALL from our profiles?
06-11-2007 8:16 PM
Yes, I'd exclude SAP_ALL when possible. I only mentioned that profile so you'd understand that I was talking about an account with elevated access
06-11-2007 8:33 PM
great !! thanks ! I have awarded the points too !!!
David i am learnig this part of SAP --FF/Enforcrer/CC --ie virsa by myself so be ready to get more & More &More PO(ints!) STS on this -
Do you have any docs on this apart from those on SDN ?
thanks
06-11-2007 8:46 PM
I used the Firefighter 3.0 user guide and I thought that was pretty helpful. I also had to find many answers on the forums as well as from SAP directly
06-11-2007 10:00 PM
David,
Please mail me the doc to me <b><removed by moderator></b>
If you have ANY more on VIRSA please do mail it to me so that I can study that too
Regards,
06-14-2007 1:35 PM
Again, posting your email address here in the forums may result in more email than you'd like to get
I'd suggest visiting the Service Marketplace, which has all of those documents (and more):
Kind reagrds,
Frank.
06-14-2007 5:27 PM
And, hardcoding plaintext passwords for unnamed accounts may result in a wider user community than you'd like to get...
Cheers,
Julius
Okay, I see the encryption footnote now... (sorry)... but if the destination information is unmaitained, then how does it get the password into the RFC logon screen; or (temporarily) into the destination? It would need to be decryptable within the system?
Message was edited by:
Julius Bussche
06-14-2007 5:34 PM
There is an USER EXIT that prevents the Logon. This is from the various references that I made over the days !!
06-14-2007 5:42 PM
Hi Pratap,
I dont know this product, so perhaps I should rather shut up...
But if I do bump into one sometime, then I will remember to take a look at this.
Cheers,
Julius
06-14-2007 6:00 PM
Julius,
When We create this particular user, its created as a service user that means we donot give a Password.
In the RFC you referred to, The RFC when Created SHOULDNOT have any Users attached to it.
( i too thought that we need to give one as in SM59, but on studying the topic, We must not , i have not tried this aspect though..shall let you know !)