With the release of Service Pack 21, the Firefighter Logon Pad (transaction GRAC_EAM or /GRCPI/GRIA_EAM) slightly changed. Not just visually, but functionally as well. Among some restructuring, a new button is introduced labeled as Logoff. This button do what the label suggest; logoff and ends the Firefighter Session. But how it provide the possibility to use a Firefighter differently than we used to it and why a new button required if the logoff functionality was existed before?

To further examine this question first lets check how the logoff was actually determined earlier. Before SP 21, the Firefighter Session and the Firefighter ID User Session was more or less similar in timespan. When we clicked on the Logon button in the Firefighter Logon Pad, we initiated a Firefighter Session and also initiated a User Session in the backend; GUI session opened where the user was the Firefighter ID (this is the Firefighter ID User Session). After we finished what we would like to do we just simply logged out from the system or closed all the GUI windows. This process ended the Firefighter ID User Session and by refreshing the Firefighter Logon Pad or running the Firefighter Log Synch job then it also closed the Firefighter Session as well.

Firefighter Session vs. Firefighter ID User Session until SP 21

The main problem with this process that the Firefighter User has no control over the Firefighter Session. It ends when particular processes detects that there is no Firefighter ID User Session, and it is also ends when the User Session prematurely finish (like the idle session is force logged out due to the timeout). The determination of the actual logoff timestamp is also unreliable. If you ever checked GRACFFLOG table and wonder why is the logoff time of a Firefighter Session shows even a different day then the actual end of the (User) session happened, then you get your answer above.

The major change what SP 21 introduce is the separation of the Firefighter Session from the Firefighter ID User Session. This also led to the introduction of the Logoff functionality. The Logon and the Logoff button now controls the Firefighter Session itself. The Firefighter ID User Sessions are controlled by the same process as before. We can use the Logon button to initiate it and logout from the backend system or close the GUI windows. If there is an open Firefighter Session then we would be able to initiate as many Firefighter ID User Session as we want. All will belong to the same Firefighter Session until using the Logoff button we not ends the session. This change also allow some  extended security enhancements. From SP 21 the Firefighter ID will be locked when it has no open Firefighter Session.

Firefighter Session vs. Firefighter ID User Session after SP 21

There are many benefit of this changes. We can now mix ABAP and Web Based Firefighter sessions. We can simply logon to an ABAP based session, do the actions we would like to do, then ends the User Session without Logging off in the Logon Pad. Then we can initiate a Web Based Session using SAPGUI from HTML in the same Firefighter Session and finally logging off from the Session will ensure that these action will be in the same Firefighter Log Report Review. If we forget to do some actions which we already documented and we are still not logged off from the Firefighter Session we can easily logs in again to the backend system and just do what we forget earlier. And these are just the tip of the iceberg which simplify our lives as a Firefighter User.

GRC administrators can now have a better control over the Firefighter Sessions as well. To control sessions a new schedulable report is introduced. If we would like to implement Firefighter Session time out functionality, we can schedule report GRAC_SPM_MAINTENANCE. There are no restriction or suggestion to the frequency of the job. It depends on what 'lag' can we accept. If we schedule it for every 5 minutes then the actual logoff time will have a maximum of +5 minutes difference comparing to what we like. If we schedule this for execute in every minute then it is just a +1 minute. We can add a specific connector to this report, we can also provide a timeout value (in seconds) and we can set whether the same report should be run in the backend system (if decentralized Firefighting is activated - SPRO parameter 4015 set to YES). All of the fields are optional. If we do not provide any connector, then all sessions in all SUPMG connectors will be checked. If we do not provide any timeout parameter, then the report retrieves system parameter

rdisp/gui_auto_logout to determine the auto logout time. If nor configured value exists or the auto logout parameter can not be determined then 3600 seconds will be used as a default. The report will force log off all session which are idle longer than the timeout parameter. If we have enabled decentralized Firefighting, and selected the checkbox to run this report in the backend, then it will also do the same process in the backend system as well. If we would like to schedule the job separately for each and every backend system we should check and schedule report /GRCPI/GRIA_SPM_MAINTENANCE in the plugin system. Administrators also have the option to Force Logoff a session using GRAC_FFSESSION report. Using this report we can also restore more or less the same behavior as it was in prior to SP 21. If we set the timeout parameter to be a couple of seconds and schedule the maintenance report to run frequently then soon after the Firefighter ID User Session ends the Firefighter Session will be closed without the action of the Firefighter User.

To implement this feature SAP suggest to upgrade to at least SP 21 or later. If Decentralized Firefighting is used then GRCPINW is also need to be upgraded to SP 21 or later.

The correction released with Note 3318926 (GRCFND_A) and Note 3318927 (GRCPINW) for downport compatibility reasons. The functionality can also enabled with the implementation of these Notes.

SAP suggest to implement the following Notes if this functionality is already enabled:

For the main GRC system (GRFCND_A): 3325810, 3326827, 3327244, 3331180, 3345080, 3373799, 3390330, 3392984, 3399276, 3399562, 3403928, 3408121, 3423833.

For the plugin systems (GRCPINW):
V1200_750: 3329793, 3345080, 3358540, 3364469, 3364505, 3371499, 3373799, 3374840, 3390330, 3394118, 3397452, 3399562, 3405656, 3408121
V1100_731: 3329793, 3345080, 3358540, 3364469, 3364505, 3371499, 3372518, 3373538, 3373799, 3374840, 3375439, 3390330, 3394118, 3397452, 3399562, 3405656, 3408121.

(Note list last updated: 7th March 2024)