cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC 10 Fire Fighter ID type as Dialog user

Former Member

on ‎09-01-2014 10:05 AM

0 Kudos

Hi, We have issue in EAM when users are using Firefighter ID with some of the Z Tcodes. After they jump in to FF ID from their regular ID,if they execute some of  Z Tcodes, it is opening authentication page and asking for  ID and password for that Z Tcode execution. If we change FF ID user type from service to dialog, it is not asking for any authentication (its only for few Z Tcodes). We are in SP11.Please check and suggest if we can change all our FF IDs from service user type to dialog. If we change to Dialog, do we need to add any additional authorizations to users and advice if it is correct process to follow or not. Thanks & Regards, Koteswara Rao.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎09-01-2014 12:21 PM
0 Kudos

Hi Koti ,

Could you please check the rfc connection type Its trusted rfc or not , I am not sure but some times its might be the issue , Please check it once.

Show replies
Show replies
Former Member
‎09-01-2014 12:02 PM
0 Kudos

Hi ,

check the RFC connection once .

Show replies
Show replies
Former Member
‎09-01-2014 12:11 PM
0 Kudos

It is not a RFC connection issue. Connection is good and it is working fine. Issue is with different user types and looking suggestions on Firefighter ID user type can be changed to Dialog or not? Thanks & Regards, Koteswara Rao.

alessandr0
Active Contributor
‎09-01-2014 12:19 PM
0 Kudos

Hi Rao,

in AC 10.X the functionality is given to use with dialog users. Each time you log-in the system changes the password so that the end-user doesn't know the password.

From security point of view dialog users shouldn't be an issue.


Regards,

Alessandro

Former Member
‎09-01-2014 12:27 PM
0 Kudos

Hi Alessandro, If we use user type as dialog,do we need to add any extra authorizations in FF ID(Plug-in system)? Thanks & Regards, Koteswara Rao.

Former Member
‎09-01-2014 12:32 PM
0 Kudos

Hi Koti ,

If your are using Decnetralised ffid : http://scn.sap.com/community/grc/blog/2014/01/16/de-centralized-eam-grc-100 , go throught he link once .

alessandr0
Active Contributor
‎09-01-2014 12:35 PM
0 Kudos

nope - as mentioned each time the system logs in with the FF ID the password is going to be changed automatically. So from that point of view the password is always renewed.

You have only to make sure that the RFC user has the authorization to change the user password.

Regards,

Alessandro

Former Member
‎09-01-2014 2:36 PM
0 Kudos

Hi Alessandro, Thanks for your information. May I know why the service type FF user is prompting for ID and password to login after executing custom Tcode but it is not prompting for ID and password if FF User ID is dialog user. We are able to login to FF ID without any authentication error with service user and dialog user but after executing custom Tcode,it is prompting for ID and password to login(this is only for service type FF user). Due to that we are looking to change FF User type to Dialog. Please check and advice in this. Thanks & Regards, Koteswara Rao.

alessandr0
Active Contributor
‎09-01-2014 2:40 PM
0 Kudos

Rao,

let's call a security expert who might be able to help you. do you have an idea why it's prompting for user/password with service ids.

Thanks and regards,

Alessandro

Former Member
‎09-01-2014 3:16 PM
0 Kudos

Hi Koteswara,

Could you please confirm if the customized tode has any special characters in it..? Usually this combination takes place for audits to exclude some of such transaction codes.

With service user type, this is the limitation, but with Dialog or communication it can be executed.

Regards,

Ameet

leos
Active Participant
‎09-01-2014 3:36 PM
0 Kudos

G'Day Alessandro,

This is in response to your following comment:

in AC 10.X the functionality is given to use with dialog users. Each time you log-in the system changes the password so that the end-user doesn't know the password.

If that's the case what is the significance of enabling user exits? I mean there is no way the end user can login directly without knowing the password right?(come to think of it he/she will never know unless you give it to them). I would also appreciate if you can kindly explain how user exit works from firefighting point of view. I know it is to prevent users from logging in directly using SAP GUI. However for this to happen they need to know the password of the FFID right?

Regards,

Leo..

Colleen
Advisor
Advisor
‎09-02-2014 1:01 AM
0 Kudos

Hi Ale and Koteswara

Ameet mentioned below but my money is on the transaction definition for the Z code. I wonder if it is calling webdynpro or some system call requesting password prompt. It does not sound like this is specific to GRC FF as you would have successfully logged in to FF and launched the SAP Easy Access Menu. Once you are in the FF Id you are using it like a normal account

What is the screen shot/password prompt? If it's HTTPS switch or some other SSO it may be more RZ10 paramter settings that Basis need to do to allow launching of this content without prompt for password.

Because this is a Z transaction code it will really depend on the back-end program - if it's a Z program as well none of us can speculate without seeing the code. You never know, it might be hard-coded to check user type.

Regards

Colleen

Ask a Question