on 04-21-2009 8:59 AM
Hello GRC gurus,
Yesterday I was testing GRC 5.3 SP07 (current version 5.3_sp05), and with SPM (Firefighter) I had the following problem:
When a user logs in to the FF cockpit and chooses an FFID, after giving the reason and activity reasons, he gets the message "You are not authorized to change passwords in the user group FFUSER".
I did a trace on my user, because I could log in with my account, and it seems that an authorization check is being performed on the S_USER_GRP object. It needs the group FFUSER (custom user group for FFIDs) and ACTVT 05 (lock).
This check seems very irrelevant to me, and I hope it's not another bug in a new SP.
Greets ,
david
Read SAP Note 0001319031.
You need to add the object S_USER_GRP to the firefighter role with Activity 5 (Lock).
Hi Hosseinian,
Thanks very much. I also searched the OSS notes but didn't find anything relevant. Maybe I need to improve my searching skills there.
Although it's an unwanted solution for me (everyone has the FF role because it is integrated in the basic access role for all users), I have to implement it without giving everyone this authorization.
Best regards,
david
Actually SP7fix1 fixed a security gap in FF. It would have been better if SAP did not require this auth check. In the redesigned process, when an FF session is started, the FF ID is unlocked and the password is reset. Now no one needs to maintain the FF passwords anymore (even though this was not the security gap), as the security button in the FF overview screen is not in use anymore.
Actually this fixed a few security issues. I agree it should be documented better.
You now no longer need to know the password of the FF ID user, so no one can misuse it.
Also, you're no longer limited to service users and can use dialog users for FF IDs. This has been a requirement from some customers, as the "Services for Object" menu item is only possible for dialog users.
You should assign all FF IDs to a Firefighter user group and limit S_USER_GRP to that user group in the SPM roles.
Frank.
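The point of Frank's last sentence is least privilege: once S_USER_GRP with ACTVT 05 sits in a role that everyone holds, the CLASS field decides whether that grant reaches only the Firefighter IDs or every user group in the system. The following Python model is an added example, not code from the thread or from SAP; it imitates the rule an SAP AUTHORITY-CHECK applies (all fields of the check must be satisfied by one authorization instance, with '*' as the wildcard) and compares an over-broad grant with the restricted one. The object S_USER_GRP and its fields CLASS and ACTVT are real SAP names, the user group FFUSER comes from the thread, and the roles, user groups and tcodes used as sample data are constructed.

```python
"""Model of an SAP-style AUTHORITY-CHECK on S_USER_GRP (added example).

Assumption: an authorization is one instance of an object with a list of
allowed values per field; a user's authorizations are the union of all
instances from all roles. A check passes only if a single instance
satisfies every field of the check (values are never combined across
instances), and '*' matches any value.
"""
from fnmatch import fnmatchcase  # used only for the '*' wildcard


def _field_ok(allowed, requested):
    """A field passes if any allowed value matches the requested one."""
    return any(fnmatchcase(requested, pattern) for pattern in allowed)


def authority_check(user_auths, obj, **fields):
    """Return True if one authorization instance for obj covers all fields."""
    for auth in user_auths:
        if auth["object"] != obj:
            continue
        if all(_field_ok(auth["fields"].get(name, []), value)
               for name, value in fields.items()):
            return True
    return False


# Constructed grants. ACTVT 05 is the activity the thread says the
# Firefighter cockpit checks on S_USER_GRP.
OVERBROAD_FF_GRANT = {"object": "S_USER_GRP",
                      "fields": {"CLASS": ["*"], "ACTVT": ["05"]}}
RESTRICTED_FF_GRANT = {"object": "S_USER_GRP",
                       "fields": {"CLASS": ["FFUSER"], "ACTVT": ["05"]}}

# Constructed user groups that exist in the sample system.
USER_GROUPS = ["FFUSER", "SUPER", "ENDUSER"]


def effective_auths(ff_grant):
    """Everyone's basic access role (constructed) plus the FF grant."""
    basic_role = {"object": "S_TCODE",
                  "fields": {"TCD": ["/VIRSA/VFAT", "SU53"]}}
    return [basic_role, ff_grant]


def can_lock_group(ff_grant, group):
    """Can a holder of ff_grant lock/unlock users in this user group?"""
    return authority_check(effective_auths(ff_grant), "S_USER_GRP",
                           CLASS=group, ACTVT="05")


def reachable_groups(ff_grant, groups=USER_GROUPS):
    """Audit helper: which user groups the grant actually reaches."""
    return [g for g in groups if can_lock_group(ff_grant, g)]


# Two instances that each hold one of the needed values: because fields
# are not combined across instances, this does NOT satisfy the check.
SPLIT_AUTHS = [
    {"object": "S_USER_GRP", "fields": {"CLASS": ["FFUSER"], "ACTVT": ["03"]}},
    {"object": "S_USER_GRP", "fields": {"CLASS": ["SUPER"], "ACTVT": ["05"]}},
]


if __name__ == "__main__":
    print("over-broad grant reaches:", reachable_groups(OVERBROAD_FF_GRANT))
    print("restricted grant reaches:", reachable_groups(RESTRICTED_FF_GRANT))
    print("split instances pass FFUSER/05?",
          authority_check(SPLIT_AUTHS, "S_USER_GRP", CLASS="FFUSER", ACTVT="05"))
```

Running the module shows the over-broad grant reaching all three sample groups while the restricted grant reaches only FFUSER; the SPLIT_AUTHS case illustrates why, when you review a role in PFCG, you have to look at each authorization instance rather than at the union of field values.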
Hi All,
I think this security fix has been given to avoid the implementation of the User Exit for FF IDs, which we used to do in older versions. User Exits do not allow the FF IDs to log in from the logon pad even if you know the password for the FF IDs. In SP7, just to avoid the User Exit implementation, when you log in to any of the FF IDs it resets the password and then logs on into a new FF session. But this is also not foolproof: if you try to log in using any of the FF IDs from the logon pad, if you know the password, before somebody uses the same FF ID from SMP to log on into an FF session, then it will allow you to get inside. So this way this security check also fails, which shows that the User Exit is still very important if you want your FF IDs to be restricted from the logon pad.
The only thing good about this change is that you need to maintain the passwords for FF IDs in security tab in SPM.
Thanks,
Tavi
Hi Frank,
You probably don't remember this, it's an old post for sure.
Frank Koehntopp wrote:
... Also, you're no longer limited to service users and can use dialog users for FF IDs. This has been a requirement by some customers, as the "Services for Object" Menu Item will only be possible for Dialog users. ...
Does it also apply to GRC 10? I'm a little bit confused because the latest recommendation is to use service users: 1702439 - Firefighters are not able to login
Thanks!
Diego.
I believe the VIRSANH support pack update fixed the issue allowing dual superuser logins. Adding those auth objects allows a user to unlock the account needed and locks it while they are using it, preventing another user assigned to that superuser account from logging in.
David,
Please complete all the post installation steps for SPM as given in the Config guide. Also, make sure that you assign the default SPM role /VIRSA/Z_VFAT_FIREFIGHTER to the FFID and Firefighter.
See if this helps.
Harleen
SAP GRC RIG