Hi,
As per SAP note 1319031, you have to assign below object to users who want to use FF:
Authorization Object : S_USER_GRP
Field value ACTVT : 02 (Change)
CLASS(User Group) : <FFID#s User Group>.
Authorization Object : S_USER_GRP
Field value ACTVT : 03 (Display)
CLASS(User Group) : <FFID#s User Group>.
Authorization Object : S_USER_GRP
Field value ACTVT : 05 (Lock)
CLASS(User Group) : <FFID#s User Group>.
If you have user group defined for FF then in CLASS you can add that group else you can give * here.
Thanks
Sunny
Hi Sunny,
Thanks for your reply.The autorizations you mentioned are additional for SP7 and above. But FF users also requiere other authorizarions. Have a look at the page 22 and 23 of the security guide.
Sunny said: "If you have user group defined for FF then in CLASS you can add that group else you can give * here"
I know that this is what the SAP note states, but I Think this is not correct. If the FF users are not assigned to a group you MUST use ' ' instead of *.
Regards,
Diego.
Edited by: Diego I. Yaryura on Nov 25, 2011 10:56 PM
Hi Diego,
I checked the security guide and there are 2 additional authorization that you need to add:
1) RFC authorization to use FF ID's.
S_FRC ACTVT
RFC_NAME
RFC_TYPE
16
SYST
FUGR
S_TCODE TCD /VIRSA/VFAT
GRCFF_0001 ACTVT *
2) S_USER_GRP.
You can assign these authorization to user and see if you get the desired result.
Thanks
Sunny
Sunny,
Thanks again for your reply. I´ve read carefully the guide and the corresponding note., but my question was...
What do you think? Is the security guide correct? Why we should give FF users this authorization?. As I said Iu2019ve removed this auth from the role and all works fine anyway.
Cheers,
Diego.
Hi,
Yes Security guide is correct.
It might be the case that you remove this authorization from the user's profile but he might have this assigned from some other Role's that users are using for their daily routine activity. Best way yo check this is create one test user in your development system that will have only this authorization.
Thanks
Sunny
Hi sunny,
I've removed the authorization from the users. It means, no user has this authorization. I've checked it using SUIM. I've done a lot of test already.
If you've a look at the sec. guide, you'll understand what I'm saying. Note for example the role /VIRSA/Z_VFAT_ID_OWNER and compare it with /VIRSA/Z_VFAT_FIREFIGHTER.
As per the security guide a owner should have ONLY ACTV 02 and 03, while I should give FF users *. This makes no sense at all. ACTV * should be granted only to admins.
Agian, note what is this authorization for:
"Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
Do u think is correct to give FF users ACTV * taking into account this definition from PFCG???
Cheers,
Diego.
Hi,
I got your point. It does not make sense to give * in activity.
Thanks
Sunny
Hello,
New version of Security Guide is available. Auth. object GRCFF_0001 is not required in role /VIRSA/Z_VFAT_FIREFIGHTER.
Regards,
Diego.
