- SAP Community
- Products and Technology
- Additional Q&A
- CUP Process - Superuser Access --> Assignment of F...
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
CUP Process - Superuser Access --> Assignment of Firefigter Role
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 09-17-2010 2:23 PM
Hi Everyone,
we configured the superuser access process in CUP and the assignment of the user to a firefighter ID works...
However, the person can not use the firefighter since the required role "/VIRSA/Z_VFAT_FIREFIGHTER" is not assigned.
Is there any way how to automatically assign that Firefighter Role to the user? Obviously the process is quite useless otherwise
Thanks
Edited by: Gert_2010 on Sep 17, 2010 3:24 PM
Edited by: Gert_2010 on Sep 17, 2010 5:08 PM
Accepted Solutions (1)
Accepted Solutions (1)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi,
This is exactly the same questions I asked SAP. Apparently, there is no straighforward autoamted way to do this. Hopefully, SAP can provide a configuration option where you can provide the FF role which needs to be added automatically to the FF request. You can add a default role to the FF request but to make it work you will have to add the Assign_Roles action to the FF request type.
Regards,
Alpesh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Thanks Alpesh for your answer.
"You can add a default role to the FF request but to make it work you will have to add the Assign_Roles action to the FF request type."
How would you do this. As far as I can see, I can add default roles and assign them to specific systems, but not to specific request types. If I add the FF role as a default role, it would be added to each and every request (create/change user).
Thanks so much!!!
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi there,
My approach is always to add the authorisations for Firefighter Users to be added to the generic end user role assigned to all users.
The controls over SPM useage mean that you can still control the assignment of privilege access via the approval from Owners rather than restricting the access to transaction /VIRSA/VFAT in the first place.
Simon
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Totally agree with Simon. That is what we ended up doing. Yes, you definitely can add a default role depending on the request type. Here are your options under default roles screen:
Consider Default Roles
Request Type
Default Role Level
User Attributes
Unless, you add the 'ASSIGN_ROLES' action to the Super User Access Request, you would not see the FF request type listed on the default roles screen.
Alpesh
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Thanks for your answer,
I understand that you can set for which request type you can set the default roles... but you can not do it on role level...
In our scenario:
Request Type: is set to All --> since we have a role ("General") that we want to assign to EACH user that is created in the system!
Therefore, I can not change the "Request Type" Setting to the Firefighter Process, since then the role "General" is not provisioned to all users anymore... If I just add the "Firefighter" Role, EVERYONE will get the Firefighter role as well...
(I am aware that this is not a big risk since the user ID must also be mapped to a Firefighter ID, however it is not really a nice solution)....
Regards
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi,
I think what you can do is you can define request type as your firefighter request type in Configuration-> Role-> default roles.
So all users who create a request of request type firefighter will get this role assigned.
Default Role level as request.
User attribute you can select as system and include all the systems with the default firefighter role.
Also include assign role action on the firefighter request.
Kind Regards,
Srinivasan
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi,
Thanks for your answer.
I still disagree.. You can set-up many default roles but you only have ONE setting for ALL your default roles...
It is the "Request Type" setting on the default role screen...
You can not have Role A assigned to Request Type "Create User" and Role B assigned to Request Type "Firefighter Access"...
Please correct me if I am wrong, but that's what the config looks like...
Thanks
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi
Assigning the /VIRSA/Z_VFAT_FIREFIGHTER role to a user only takes a few moments to action, less time than taken to decide which type of FF ID to link them to (FI/CO/MM/SD etc) following the required approvals.
Assuming every user in the business will, one day, need to use FF can be done (and avoids users emailing back after finding they can't actually use FF) by doing a mass update in SU10. It's a security policy decision at the end of the day...
Answers (0)
- New Installation of SAP S/4HANA 2023 FPS1 – Part 2 – Installation in Enterprise Resource Planning Blogs by SAP
- Decode UserName in B1Upf in Enterprise Resource Planning Q&A
- SAP BTP Security: How to handle Authorization and Attributes [2] with XSUAA and IAS in Technology Blogs by SAP
- Highlights for Governance, Risk and Compliance (GRC) with SAP S/4HANA 2021 in Enterprise Resource Planning Blogs by SAP
- GRC Tuesdays: Securing Operations During Increased Disruption in Financial Management Blogs by SAP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.