
SPM integration with CUP 5.3

Former Member
0 Kudos

All the issues regarding SPM integration with CUP are resolved, with the exception of one, which is mentioned below:

Any user can go and raise a request for the FF ID from the CUP Super User Access workflow, and they are created in the backend, but they do not get access to the FF ID when trying to log in.

My query: is there any means to capture the user details much in advance, while the request is processed in the workflow, and reject the request before it can be created and stored in the backend?

Ideally, a user not having the minimum privilege of "/VIRSA/Z_VFAT_FIREFIGHTER" should not log in with the FF ID, which is met here, but this is checked only after the user gets access to the FF ID and tries to log in to the FF ID using his login details.

Please put some clarity on this.

Thanks,

Abhimanu Singh

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hi Abhimanu,

Ideally no user can get access to a firefighter ID without it being assigned in the firefighter table, and the assignment itself happens after getting approval through the workflow. So the configuration should be such that, after approval, the owner of the firefighter role/ID will assign it, and for a period of 24 hours only. Then firefighting actions are logged, and after 24 hours it automatically gets deactivated.

Let me know if it clarifies your query.

Regards,

Sabita Das

Former Member
0 Kudos

Hi Sabita,

Thanks for the reply, but this does not answer my question. Let me go into detail on this topic:

SAP Backend:

We have FF ID Owner, FF ID Controller, FF ID and Firefighters in the Backend.

FF ID Owner: the minimum role required for becoming the owner is /VIRSA/Z_VFAT_ID_OWNER.

FF ID Controller is created with the minimum role /VIRSA/Z_VFAT_ID_OWNER for the purpose of monitoring all the reports.

FF ID is defined with the defined task in the role being assigned to it.

Firefighter is created with the minimum role /VIRSA/Z_VFAT_FIREFIGHTER to get the access to FF ID for the limited period as defined by the FF ID Owner.

For example:

FF ID Owner: User ID is FFO

FF ID Controller: User ID is FFC

FF ID: User ID is FID

Firefighter: User ID is FFS

Now the Question is from

SAP Frontend Java stack

I can see that users (other than FFS) who are not defined as firefighters in the backend can still go and put in a request for FF ID access, and it gets provisioned.

When you go and check in the backend with the firefighter Owner ID/FF Administrator ID you can see the requested user listed there with the limited time period in the firefighter list.

Now comes the real picture: when this user (other than FFS) tries to log in using his user ID, he will not get the FF ID Login link on the page, which is ideally correct. This is because any user not defined as a firefighter in the backend with the minimum role /VIRSA/Z_VFAT_FIREFIGHTER should not get access to the FF ID.

My question comes here:

Is there any option in the frontend which could inform the user (other than FFS) much in advance and stop him from requesting the FF ID, which has no meaning since he is finally not going to get access to the FF ID in the backend?

Please get back to me if you require some more information.

Thanks,

Abhimanu Singh

Former Member
0 Kudos

Hi Abhimanu,

As per documentation, your scenario is correct. A FFID is created only to provide you FFID login screen and to capture logs. Any user can get FFID assigned and then can perform FireFighting according to his user authorization.

We are still in the process of testing this configuration, so I can't say authentically what went wrong, but the configuration seems fine.

The FireFighter role is only to provide you the login screen and to get access to the FireFighting tool tcode /VIRSA/VFAT and some authorizations in it. It will not give you any firefighting authorization, so a firefighter ID needs to get a Master or Super role apart from the VIRSA FF role.

We have gone through the VIRSA standard roles and they are not sufficient to perform the actions they claim they would do. So we have created Z roles for VIRSA also and have given authorization according to AC53_SecurityGuide.pdf.

I will update you when testing is performed here. Please post if you find any solution.

Thanks,

Sabita

Former Member
0 Kudos

Hi Sabita,

Thanks for your response, but my question is still not resolved.

To clarify my question more:

Is there any option in CUP to inform the user requesting the FF ID (a user without the role /VIRSA/Z_VFAT_FIREFIGHTER assigned to him in the backend, which is required to see the FF ID Login screen) much in advance that he is not authorized to put in a request for FF ID access? This is because, even if he gets the request approved and a date is defined for him to access after the approval, he will not be able to see the screen for FF ID Login, as he does not have the role /VIRSA/Z_VFAT_FIREFIGHTER assigned to him/her, which I think is required to see the FF ID Login page for a common user.

You have mentioned that:

Any user can get FFID assigned and then can perform FireFighting according to his user authorization.

My concern is why should any user get the FF ID assigned if he lacks the minimum authorization which is given through the role /VIRSA/Z_VFAT_FIREFIGHTER for using the FF ID Login page. I am sure this role is a prerequisite for any user to get the FF ID Login page, and without this role assigned to the user, the user should not be allowed to request the FF ID Login, and information should be passed to the user in the form of an exception handling message.

Thanks,

Abhimanu Singh

Former Member
0 Kudos

Dear Abhimanu,

We are still in the process of configuring CUP, so we ourselves have to check first whether it is working or not.

Regarding your second query -

"My concern is why should any user get the FF ID assigned if he lacks the minimum authorization which is given through the role /VIRSA/Z_VFAT_FIREFIGHTER for using the FF ID Login page. I am sure this role is a pre-requisite for any user to get the FF ID Login Page."

When someone gets an FFID, the user automatically gets the role /VIRSA/Z_VFAT_FIREFIGHTER. We don't have to assign it to any user other than the FFID.

But maybe I am wrong; only once our whole scenario is configured can I tell you for sure.

Please update me also if you get some solution.

Regards,

Sabita

Former Member
0 Kudos

Hi Sabita,

I have checked the functionality from CUP to SPM and as you have mentioned:

When someone gets FFID, the user automatically gets the Role /VIRSA/Z_VFAT_FIREFIGHTER. We don't have to assign it to any user other than FFID.

This is not working currently as per your statement and no role is added to the user automatically.

Thanks for considering me as a part of this move to identify and rectify the product. I will try updating you on any recent findings.

Thanks,

Abhimanu Singh