Able to admin FF ID not owned

Former Member
0 Kudos

Hi Experts,

I'm working on a GRC implementation and came across this issue.

I have set the configuration parameter related to additional authorization for owners.

I have also set in FF IDs table and Owners table with the corresponding users.

I have also read two notes related to this issue and tried the things they said, but still can't solve it.

My GRC Version is 5.3

I have VIRFF SP8 installed.

The user I am trying with has the following roles assigned: Role: VFAT_FIREFIGHTER, Role: VFAT_ID_OWNER

If Authorization object GRCFF_0001 is set with ACTVT = 36 (Extended Maintenance) only, I can only view the FFs table, but can't assign.

If Authorization object GRCFF_0001 is set with ACTVT = 36 (Extended Maintenance) and 02, I am able to assign my FF IDs, but can also assign FF IDs I don't own.

Thanks very much for any help or suggestion you may make.

Enzo Delorso.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

Have you checked the settings to good old S_TABU_DIS?

You may find that the table access is checked first and then the additional authorisations in the GRCFF_0001 object.

To be able to assign anything, you will need 02 in both the objects above.

The Parameter should then block unless you are the designated owner of the IDs which are being assigned.

It sounds like a technical issue to me if the authorisations are correct?

9 REPLIES 9

Former Member
0 Kudos

Hi Simon,

First I want to say thanks for your assistance and concern.

Returning to my issue; I have checked object S_TABU_DIS values and, if I set ACTVT field with 02, the Owner will be able to assign his FF IDs but also other FF IDs not owned.

Object GRCFF_0001 has both 02 and 36 values.

And finally, Configuration Parameter "Firefighter Owner Additional Authorization" is set to YES.

I hope this helps you in the road to help me!!!

0 Kudos

> Object GRCFF_0001 has both 02 and 36 values.

"Extended maintenance" implies some other maintenance comes first...

Try with giving them only '02' -> "normal maintenance".

Cheers,

Julius

0 Kudos

Hi,

"Object GRCFF_0001 has both 02 and 36 values."

Please remove 36 value in OWNER's role. We have kept 02, 03 and 81 values and it works fine. Nothing to do with S_TABU_DIS, 02 & 03 values are fine.

Regards,

Sabita

0 Kudos

Hi Sabita,

I tried setting the auth object with the values you suggested but it still does not work as it should.

Really don't know what else to try....

0 Kudos

Hi,

Please check SAP note - 1143955, it may be of help.

Regards,

Sabita

0 Kudos

Hi Sabita,

I checked every authorization suggested in note number 1143955 and all my default roles have their corresponding authorization...

0 Kudos

Enzo,

If the settings are as you have said, this may well be a technical bug. I would raise a customer message to SAP to get them to investigate it.

Regards, Simon

0 Kudos

Everybody,

Thank you very much for your assistance, we will be raising the issue in order to have it investigated by SAP experts.