
Testing SP07 with SPM

Former Member
0 Kudos

Hello GRC gurus,

Yesterday I was testing GRC 5.3 SP07 (current version 5.3_sp05), and with SPM (Firefighter) I had the following problem:

When a user logs in to the FF cockpit and chooses an FFID, after giving the reason and activity reasons, he gets the message "You are not authorized to change passwords in the user group FFUSER".

I did a trace on my user, because I could log in with my account, and it seems that an authorization check is being performed on the S_USER_GRP object. It needs the group FFUSER (custom user group for FFIDs) and ACTVT 05 (lock).

This check seems very irrelevant to me, and I hope it's not another bug in a new SP.

Greets,

david

Accepted Solutions (1)


former_member196034
Participant
0 Kudos

Read SAP Note: 0001319031

You need to add the object S_USER_GRP to the firefighter role with Activity 5 (Lock).

Former Member
0 Kudos

Hi Hosseinian,

Thanks very much. I also searched the OSS notes but didn't find anything relevant. Maybe I need to improve my searching skills there.

Although it's an unwanted solution for me (everyone has the FF role because it's integrated in the basic access role for all users), I have to implement it without giving everyone this authorization.

Best regards,

david

Former Member
0 Kudos

I don't understand the reasoning behind this. We have the same setup with everyone having access to the FF cockpit. Now we have to assign S_USER_GRP to them as well, making it a little harder to maintain overall security around users.

Does anyone know why this has been changed?

thanks

Henrik

Answers (3)


s_pados
Explorer
0 Kudos

Actually SP7fix1 fixed a security gap in FF. It would have been better if SAP did not require this auth check. In the redesigned process, when an FF session is started, the FF ID is unlocked and the password is reset. Now no one needs to maintain the FF passwords anymore (even though this was not the security gap), as the security button in the FF overview screen is not in use anymore.

Former Member
0 Kudos

New process? Where did you get documentation on the new process for SP7, fix 1?

koehntopp
Product and Topic Expert
0 Kudos

Actually this fixed a few security issues - I agree it should be documented better.

You now no longer need to know the password of the FF ID User, so no one can misuse it.

Also, you're no longer limited to service users and can use dialog users for FF IDs. This has been a requirement by some customers, as the "Services for Object" Menu Item will only be possible for Dialog users.

You should assign all FF IDs to a Firefighter user group and limit S_USER_GRP to that user group in the SPM roles.

Frank.
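
A check for the scoping recommended above, as an added example that is not part of the original thread or SAP's own tooling: it reads constructed rows shaped like an AGR_1251 role-authorization export and flags roles whose S_USER_GRP activity 05 is not limited to the FFUSER group. Role names and sample rows are made up, and value matching is simplified to single values, `*` patterns and ranges.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

FF_GROUP = "FFUSER"   # user group named in the thread
LOCK_ACTVT = "05"     # activity 05 (lock), as in the thread

# Constructed sample rows in the shape of an AGR_1251 export:
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH). Role names are hypothetical.
ROWS = [
    ("Z_FF_COCKPIT", "S_USER_GRP", "A1", "ACTVT", "05", ""),
    ("Z_FF_COCKPIT", "S_USER_GRP", "A1", "CLASS", "FFUSER", ""),
    ("Z_BASIC_ACCESS", "S_USER_GRP", "B1", "ACTVT", "03", "05"),
    ("Z_BASIC_ACCESS", "S_USER_GRP", "B1", "CLASS", "*", ""),
    ("Z_HELPDESK", "S_USER_GRP", "C1", "ACTVT", "05", ""),
    ("Z_HELPDESK", "S_USER_GRP", "C1", "CLASS", "FF*", ""),
    ("Z_DISPLAY", "S_USER_GRP", "D1", "ACTVT", "03", ""),
    ("Z_DISPLAY", "S_USER_GRP", "D1", "CLASS", "*", ""),
]

def covers(low, high, value):
    """True if a LOW/HIGH entry (single value, '*' pattern or range) includes value."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)

def audit(rows):
    """Map each role that grants S_USER_GRP lock to 'scoped' or 'too wide'."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        if obj == "S_USER_GRP":
            # Field values only combine within one authorization instance (AUTH).
            auths[(role, auth)][field].append((low, high))
    result = {}
    for (role, _), fields in auths.items():
        if not any(covers(l, h, LOCK_ACTVT) for l, h in fields["ACTVT"]):
            continue  # this authorization does not grant activity 05 at all
        # Anything other than the exact group name (pattern or range) is wider.
        if any(h or l != FF_GROUP for l, h in fields["CLASS"]):
            result[role] = "too wide"
        else:
            result.setdefault(role, "scoped")
    return result

if __name__ == "__main__":
    for role, verdict in sorted(audit(ROWS).items()):
        print(f"{role}: {verdict}")
```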

Former Member
0 Kudos

Hi All,

I think this security fix has been given to avoid the implementation of the User Exit for FF IDs, which we used to do in older versions. User Exits do not allow the FF IDs to log in from the logon pad even though you know the password for the FF IDs. In SP7, just to avoid the User Exit implementation, when you log in to any of the FF IDs it resets the password and then logs on to a new FF session. But this is also not foolproof: if you try to log in using any of the FF IDs from the logon pad, if you know the password, before somebody uses the same FF ID from SPM to log on to an FF session, then it will allow you to get inside. So, this way this security check also fails; this shows that the User Exit is still very important if you want your FF IDs to be restricted from the logon pad.

The only thing good about this change is that you need to maintain the passwords for FF IDs in security tab in SPM.

Thanks,

Tavi

Former Member
0 Kudos

Hi Frank,

You probably don't remember this, it's an old post for sure.

Frank Koehntopp wrote:

.......

Also, you're no longer limited to service users and can use dialog users for FF IDs. This has been a requirement by some customers, as the "Services for Object" Menu Item will only be possible for Dialog users.

......

Does it also apply to GRC 10? I'm a little bit confused because the latest recommendation is to use Service users: 1702439 - Firefighters are not able to login

Thanks!

Diego.

Former Member
0 Kudos

I believe the VIRSANH support pack update fixed the issue allowing dual superuser logins. Adding those auth objects allows a user to unlock the account needed and locks it while they are using, preventing another user assigned to that superuser account from logging in.

hkaur
Advisor
0 Kudos

David,

Please complete all the post installation steps for SPM as given in the Config guide. Also, make sure that you assign the default SPM role /VIRSA/Z_VFAT_FIREFIGHTER to the FFID and Firefighter.

See if this helps.

Harleen

SAP GRC RIG