Solved from another forum thread (see above).

Solved from another SDN forum thread:

Re: Testing SP07 with SPM

Posted: May 18, 2009 8:10 PM in response to: David Damaskinos Reply

Actually SP7fix1 fixed a security gap in FF. It would have been better if SAP did not require this auth check. In the redesigned process when FF session is started the FF ID is unlocked and password is reset. Now no one needs to maintain the FF passwords anymore (even though this was not the security gap), as the security button in FF overview screen is not in use anymore.

Gary Morris

Posts: 31

Registered: 5/9/07

Forum Points: 0

Re: Testing SP07 with SPM

Posted: May 19, 2009 3:01 AM in response to: S. Pados Reply

New process? Where did you get documentation on the new process for SP7, fix 1?

Frank Koehntopp

Posts: 255

Registered: 1/4/05

Forum Points: 402

Re: Testing SP07 with SPM

Posted: May 20, 2009 11:46 AM in response to: Gary Morris Reply

Actually this fixed a few security issues - I agree it should be documented better.

You now no longer need to know the password of the FF ID User, so noone can misuse it.

Also, you're no longer limited to service users and can use dialog users for FF IDs. This has been a requirement by some customers, as the "Services for Object" Menu Item will only be possible for Dialog users.

You should assign all FF IDs to a Firefighter user group and limit S_USER_GRP to that user group in the SPM roles.

Frank.

More information on this issue: if you use the menu path you get the same result.

Code at message:

589 ***********Start of Changes implemented in SP7 ****#5********

590 * Due to a redesign of the logon mechanism, this option is no

591 * longer required.

592 * iview = '/VIRSA/ZVIRFFPWD'. "Commented SP7

593 * perform authorization_check. "Commented SP7

594 * commit work. "Commented SP7

595 message i710. "Added SP7

596 ***********End of Changes implemented in SP7 ****#5********