
Firefighter Configuration - FF Owner should not change the configuration

Former Member

Hello Experts,

We have a requirement to restrict Firefighter configuration changes to Firefighter Administrators only.

1. Restricting Firefighters from making any changes in Firefighter Configuration -- SAP Note 1101665 Superuser Security Role Modifies Tables - Successfully Achieved.

2. Restricting Firefighter ID Owners (having /VIRSA/Z_VFAT_ID_OWNER) from making any changes in Firefighter Configuration --> Need your inputs on how to achieve this.

We want Firefighter ID Owners to be able only to assign the FFID to Firefighters and assign a new controller, but the following should not be allowed for Firefighter Owners -->

a. Creating a new owner for a FFID.

b. Changing Firefighter configuration.

c. Creating or changing Reason Codes.

And which role should be assigned to Firefighter ID Controller?

Looking forward to hearing about your experiences.

Thanks & Regards

Davinderpal Singh

Accepted Solutions (1)

Former Member

D P,

You cannot change any of the FF configuration if you are an FF Owner or FF Controller. The FF controller also gets assigned the FF owner role in FF.

Regards,

Alpesh

Former Member

Hi there,

I have maintained the authorisations for the different tables using restrictions on the S_TABU_DIS object. Each of the tables is assigned to an authorisation group starting with ZV*. If you amend the authorisations to restrict the users to the correct tables then you can provide them with only the required access.

It is important that they do not have other roles with powerful authorisations to S_TABU_DIS though as that may then override the settings that you make in your custom Firefighter roles.

Regarding the controllers in Firefighter, I have restricted them to display only for the tables and then granted access to run the logs and virsa toolbox transactions (except auto archive).

I hope this helps.

Simon

Former Member

Thanks Alpesh and Simon for your valuable inputs.

My observation is that if you assign the Firefighter Owner and Controller roles only, then the user is not able to make any configuration change, Reason Code change, etc. - behaviour is as expected.

And in our case, this problem is coming up because the FF owners/controllers have been assigned a few other roles/profiles which seem to override the authorisations of the FF owner role and allow changes in FF configuration.

Now searching through each of these roles/profiles for the extra set of authorisation objects is a huge security job.

And we don't have much experience in Security - so, in your experience, what would be the best way to restrict FF owners from making any change in FF configurations, without removing existing roles/profiles (as we don't know what all would be removed if we remove all of these roles)?

Is it possible to specify a condition/check so that if a user has been assigned the FF owner role, in spite of whatever extra permission he has, he should not be able to make configuration changes? Please bear with me if I am expecting too much over here.

Which authorisation objects control FF configuration changes?

Best Regards

Davinderpal Singh

Former Member

The authorisation required to access the configuration table is

S_TABU_DIS -

ACTVT 02

DICBERCLS - ZV&Z.

You can use SUIM to find out which roles contain that authorisation and try to restrict them either through authorisational restrictions (so that they do not have that auth group) or segregating them from being assigned alongside the Owners / Controllers role.

Since this uses standard SAP table access authorisations I don't think there is a standard solution to restrict access other than to ensure that the table's authorisation group is segregated.

You could go down the route of generating custom auth objects and amending the programs but that seems like over-engineering to me.

Simon
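The role search suggested in the last reply, sketched as an offline audit (an added example, not code from any poster in this thread or from SAP): it flags Firefighter ID Owners who also hold a role in which a single S_TABU_DIS authorization covers both ACTVT 02 and the configuration tables' authorization group. The CSV layouts and column names, the sample rows, and every role and authorization name other than /VIRSA/Z_VFAT_ID_OWNER are assumptions constructed for illustration, and value matching is simplified to exact values, a trailing `*`, and plain LOW-HIGH ranges.

```python
import csv, io
from collections import defaultdict

OWNER_ROLE = "/VIRSA/Z_VFAT_ID_OWNER"          # role name from the thread
TARGET = {"ACTVT": "02", "DICBERCLS": "ZV&Z"}  # values quoted in the thread
# Constructed sample exports; the column layout is an assumption.
ROLE_AUTHS = """role,object,auth,field,low,high
/VIRSA/Z_VFAT_ID_OWNER,S_TABU_DIS,T_OWN01,ACTVT,03,
/VIRSA/Z_VFAT_ID_OWNER,S_TABU_DIS,T_OWN01,DICBERCLS,ZV*,
Z_BASIS_SUPPORT,S_TABU_DIS,T_BAS01,ACTVT,01,03
Z_BASIS_SUPPORT,S_TABU_DIS,T_BAS01,DICBERCLS,*,
Z_FI_DISPLAY,S_TABU_DIS,T_FI01,ACTVT,03,
Z_FI_DISPLAY,S_TABU_DIS,T_FI01,DICBERCLS,*,
Z_FI_DISPLAY,S_TABU_DIS,T_FI02,ACTVT,02,
Z_FI_DISPLAY,S_TABU_DIS,T_FI02,DICBERCLS,FC01,FC99
"""
USER_ROLES = """user,role
OWNER1,/VIRSA/Z_VFAT_ID_OWNER
OWNER1,Z_BASIS_SUPPORT
OWNER2,/VIRSA/Z_VFAT_ID_OWNER
OWNER2,Z_FI_DISPLAY
"""

def covers(low, high, value):
    """True if one LOW/HIGH entry covers value (trailing-* pattern or range)."""
    if high:
        return low <= value <= high
    return value.startswith(low[:-1]) if low.endswith("*") else low == value

def roles_granting_change(role_csv):
    """Roles where a single S_TABU_DIS authorization covers every TARGET field."""
    hits = defaultdict(set)  # (role, auth) -> fields that cover the target value
    for r in csv.DictReader(io.StringIO(role_csv)):
        want = TARGET.get(r["field"])
        if r["object"] == "S_TABU_DIS" and want and covers(r["low"], r["high"], want):
            hits[(r["role"], r["auth"])].add(r["field"])
    return {role for (role, _), fields in hits.items() if fields == set(TARGET)}

def owners_with_change_access(role_csv, user_csv):
    """Map each holder of OWNER_ROLE to the roles that let them change the tables."""
    risky = roles_granting_change(role_csv)
    by_user = defaultdict(set)
    for r in csv.DictReader(io.StringIO(user_csv)):
        by_user[r["user"]].add(r["role"])
    return {u: sorted(rs & risky) for u, rs in by_user.items()
            if OWNER_ROLE in rs and rs & risky}

if __name__ == "__main__":
    print(owners_with_change_access(ROLE_AUTHS, USER_ROLES))
```

In the sample data Z_FI_DISPLAY is not flagged: its change activity and its wildcard authorization group sit in two different authorizations, so neither one on its own covers both fields.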
