GRC SPM 5.3: Auth. object GRCFF_0001 in the role /VIRSA/Z_VFAT_FIREFIGHTER

Former Member

Hi experts,

According to the latest version of the "SAP GRC Access Control 5.3 Security Guide" available on the SAP Service Marketplace:

https://websmp105.sap-ag.de/~sapdownload/011000358700000406492008E/AC53_Sec_Guide_en.pdf

I should assign the default role "/VIRSA/Z_VFAT_FIREFIGHTER" to FF users (see page 18):

Base user authorizations required to logon as a firefighter. The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC5.3 SP07.

The authorization object GRCFF_0001 field ACTVT is * by default, as the Sec. Guide says on page 22.

What is this authorization for?

The documentation of this field (PFCG -> press <F1> on the object) states the following:

"Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"

I've removed this authorization completely from the role "/VIRSA/Z_VFAT_FIREFIGHTER" and users can still use their FF without problems.

The problem is in the case of a user having the following auth:

GRCFF_0001 ACTV *

S_TABU_DIS ACTV 02 Table group: Z****

This combination allows FF users to change all the configuration tables in tx. /n/virsa/vfat.

What do you think? Is the security guide correct? Why should we give FF users this authorization? As I said, I've removed this auth from the role and everything works fine anyway.

Regards

Diego.
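The risky combination described in the question (GRCFF_0001 covering change activity together with S_TABU_DIS ACTVT 02 on a Z* table authorization group) can be checked for across a user base rather than user by user. The script below is an added example, not code from this thread or from SAP: it assumes a simplified, constructed export of (user, object, field, low, high) rows such as one could derive from SUIM, applies SAP-style value matching (* and + patterns, LOW..HIGH ranges) and lists the users who hold both halves of the combination.

```python
"""Flag users whose combined authorizations allow editing the Firefighter
configuration tables: GRCFF_0001 ACTVT covering 02 together with
S_TABU_DIS ACTVT 02 on a Z* table authorization group."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample rows, loosely modelled on a simplified SUIM-style export:
# (user, authorization object, field, value LOW, value HIGH). Not real data.
SAMPLE_ROWS = [
    ("FF_USER1", "GRCFF_0001", "ACTVT", "*", ""),
    ("FF_USER1", "S_TABU_DIS", "ACTVT", "02", ""),
    ("FF_USER1", "S_TABU_DIS", "DICBERCLS", "Z*", ""),
    ("FF_USER2", "GRCFF_0001", "ACTVT", "03", ""),          # display only
    ("FF_USER2", "S_TABU_DIS", "ACTVT", "02", ""),
    ("FF_USER2", "S_TABU_DIS", "DICBERCLS", "Z*", ""),
    ("FF_USER3", "GRCFF_0001", "ACTVT", "01", "03"),        # range includes 02
    ("FF_USER3", "S_TABU_DIS", "ACTVT", "03", ""),          # cannot change tables
    ("FF_USER3", "S_TABU_DIS", "DICBERCLS", "*", ""),
]

# Hypothetical Z* table authorization group name used as the probe value.
Z_TABLE_GROUP = "ZGRC"

def value_matches(low, high, wanted):
    """SAP-style field check: LOW..HIGH range, or '*' / '+' pattern in LOW."""
    if high:
        return low <= wanted <= high
    # SAP uses '+' for a single character; fnmatch uses '?' for the same thing.
    return fnmatchcase(wanted, low.replace("+", "?"))

def index_rows(rows):
    """Group authorization values by user and (object, field)."""
    auths = defaultdict(lambda: defaultdict(list))
    for user, obj, field, low, high in rows:
        auths[user][(obj, field)].append((low, high))
    return auths

def user_has(auths, user, obj, field, wanted):
    return any(value_matches(lo, hi, wanted) for lo, hi in auths[user][(obj, field)])

def find_risky_users(rows):
    """Return users who can both change GRCFF_0001-protected data and edit Z* tables."""
    auths = index_rows(rows)
    risky = []
    for user in list(auths):
        can_change_ff = user_has(auths, user, "GRCFF_0001", "ACTVT", "02")
        can_edit_ztab = (user_has(auths, user, "S_TABU_DIS", "ACTVT", "02")
                         and user_has(auths, user, "S_TABU_DIS", "DICBERCLS", Z_TABLE_GROUP))
        if can_change_ff and can_edit_ztab:
            risky.append(user)
    return sorted(risky)
```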


sunny_pahuja2
Active Contributor

Hi,

As per SAP Note 1319031, you have to assign the objects below to users who want to use FF:

Authorization Object: S_USER_GRP, ACTVT: 02 (Change), CLASS (User Group): <FFID's User Group>

Authorization Object: S_USER_GRP, ACTVT: 03 (Display), CLASS (User Group): <FFID's User Group>

Authorization Object: S_USER_GRP, ACTVT: 05 (Lock), CLASS (User Group): <FFID's User Group>

If you have a user group defined for FF, then in CLASS you can add that group; otherwise you can give * here.

Thanks

Sunny


Hi Sunny,

Thanks for your reply. The authorizations you mentioned are additional for SP7 and above. But FF users also require other authorizations. Have a look at pages 22 and 23 of the security guide.

Sunny said: "If you have user group defined for FF then in CLASS you can add that group else you can give * here"

I know that this is what the SAP note states, but I think this is not correct. If the FF users are not assigned to a group, you MUST use ' ' instead of *.

Regards,

Diego.

Edited by: Diego I. Yaryura on Nov 25, 2011 10:56 PM


Hi Diego,

I checked the security guide and there are 2 additional authorizations that you need to add:

1) RFC authorization to use FF IDs:

S_RFC: ACTVT 16, RFC_NAME SYST, RFC_TYPE FUGR

S_TCODE: TCD /VIRSA/VFAT

GRCFF_0001: ACTVT *

2) S_USER_GRP.

You can assign these authorizations to a user and see if you get the desired result.

Thanks

Sunny


Sunny,

Thanks again for your reply. I've read the guide and the corresponding note carefully, but my question was...

What do you think? Is the security guide correct? Why should we give FF users this authorization? As I said, I've removed this auth from the role and everything works fine anyway.

Cheers,

Diego.


Hi,

Yes, the security guide is correct.

It might be the case that you removed this authorization from the user's profile, but he might have it assigned from some other roles that users are using for their daily routine activity. The best way to check this is to create one test user in your development system that has only this authorization.

Thanks

Sunny


Hi Sunny,

I've removed the authorization from the users. That means no user has this authorization. I've checked it using SUIM. I've done a lot of tests already.

If you have a look at the sec. guide, you'll understand what I'm saying. Note for example the role /VIRSA/Z_VFAT_ID_OWNER and compare it with /VIRSA/Z_VFAT_FIREFIGHTER.

As per the security guide an owner should have ONLY ACTV 02 and 03, while I should give FF users *. This makes no sense at all. ACTV * should be granted only to admins.

Again, note what this authorization is for:

"Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"

Do you think it is correct to give FF users ACTV *, taking into account this definition from PFCG???

Cheers,

Diego.


Hi,

I got your point. It does not make sense to give * in activity.

Thanks

Sunny


Hello,

A new version of the Security Guide is available. Auth. object GRCFF_0001 is not required in role /VIRSA/Z_VFAT_FIREFIGHTER.

Regards,

Diego.