
FF transactions log report

Former Member
0 Kudos

If the SAP user has direct authorization to execute any transaction, but the user logs into the FF ID to run the transaction (with only role Z:US_BC_FF_FIREFIGHTER), will the log be created for the Firefighter ID or not?

By this I mean to ask: is it necessary to assign roles to the FF ID rather than directly to the SAP ID? Because in both cases the user will be able to execute his transaction.

Thanks,

Sanjay

Accepted Solutions (1)


Former Member
0 Kudos

Obviously starting the transaction is not the risk. It is the authority to use the transaction for something risky which the FF ID is needed for.

If the transaction is used by the normal SAP ID, then it cannot change something, for example. But the FF ID can.

The log does not tell you what the user actually did in the transaction. For this there are other logs and traces which you can dig further into if needed to provide more information.

If the SAP user and FF ID have the same access to use the transaction, then one might question the necessity of the FF ID to perform this "routine" task, or perhaps not.

Or your user role concept has a flaw in it, but you implemented FF anyway for whatever reasons. Could also be...

Cheers,

Julius

Former Member
0 Kudos

Hi Sanjay,

Julius is correct in his view of the authorisations.

The Firefighter ID can be provisioned whatever access you require them to have simply via SU01. There is nothing to stop you assigning the access directly to a standard user.

What SPM allows you to do though is to remove the access and hopefully therefore the risk from the standard user and move it into a more secure and controlled scenario - SPM.

Once you login with a Firefighter ID via the SPM Dashboard, the activities performed with that ID are all logged. If you specify the configuration parameter Retrieve Change Log as "yes", controllers will also receive the details of the changes made (as long as they are held in CDHDR / CDPOS).

In short, if you assign access to the standard user, you will need to manually trace the access via standard logging methods or traces; however, with a Firefighter ID, logging is automatically triggered, hence providing a detective control.

Cheers,

Simon
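
Added example, not part of the original thread and not SAP or SPM code: a controller-side review that joins exported CDHDR change headers to their CDPOS items for one Firefighter ID, then lists the logged transactions that left no change document and so need other logs or traces. The rows, the user names and the shape of the firefighter log (a plain list of transaction codes) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows; column names are those of the CDHDR / CDPOS tables.
CDHDR = [
    {"OBJECTCLAS": "KRED", "OBJECTID": "0000100042", "CHANGENR": "0000481516",
     "USERNAME": "FF_ID_01", "UDATE": "20240311", "UTIME": "101502", "TCODE": "XK02"},
    {"OBJECTCLAS": "MATERIAL", "OBJECTID": "MAT-7781", "CHANGENR": "0000481520",
     "USERNAME": "JDOE", "UDATE": "20240311", "UTIME": "102211", "TCODE": "MM02"},
]
CDPOS = [
    {"OBJECTCLAS": "KRED", "OBJECTID": "0000100042", "CHANGENR": "0000481516",
     "TABNAME": "LFBK", "FNAME": "BANKN", "CHNGIND": "U",
     "VALUE_OLD": "11112222", "VALUE_NEW": "99998888"},
    {"OBJECTCLAS": "MATERIAL", "OBJECTID": "MAT-7781", "CHANGENR": "0000481520",
     "TABNAME": "MARA", "FNAME": "MATKL", "CHNGIND": "U",
     "VALUE_OLD": "001", "VALUE_NEW": "002"},
]
# Assumed shape of the firefighter log: just the transaction codes it recorded.
FF_LOG_TCODES = ["XK02", "SE16", "XK03"]


def changes_for_user(cdhdr, cdpos, username):
    """Join one user's change headers to their field-level change items."""
    items = defaultdict(list)
    for pos in cdpos:
        items[(pos["OBJECTCLAS"], pos["OBJECTID"], pos["CHANGENR"])].append(pos)
    report = []
    mine = [h for h in cdhdr if h["USERNAME"] == username]
    for hdr in sorted(mine, key=lambda h: (h["UDATE"], h["UTIME"])):
        key = (hdr["OBJECTCLAS"], hdr["OBJECTID"], hdr["CHANGENR"])
        report.append({
            "when": hdr["UDATE"] + " " + hdr["UTIME"],
            "tcode": hdr["TCODE"],
            "object": hdr["OBJECTCLAS"] + "/" + hdr["OBJECTID"],
            "fields": [(p["TABNAME"], p["FNAME"], p["CHNGIND"],
                        p["VALUE_OLD"], p["VALUE_NEW"]) for p in items[key]],
        })
    return report


def tcodes_without_change_docs(logged_tcodes, report):
    """Logged transactions with no change document: the log alone cannot say
    what was done there, so these need other logs or traces."""
    changed = {r["tcode"] for r in report}
    return [t for t in logged_tcodes if t not in changed]


if __name__ == "__main__":
    rep = changes_for_user(CDHDR, CDPOS, "FF_ID_01")
    for row in rep:
        print(row)
    print("follow up:", tcodes_without_change_docs(FF_LOG_TCODES, rep))
```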

Answers (0)