
EAM Issue

former_member187795
Participant
0 Kudos

Hi All,

I am configuring EAM for SAP ECC and SAP TM (Transportation Management) systems.

We are using an ID-based decentralized configuration. We are on SP13.

For ECC everything is working fine.

For TM everything is set up. The user is logged into the Firefighter ID. SAP TM users access the system by executing Tcode NWBC and then access links in the NWBC UI.

Here I am facing an issue.

When I execute Tcode NWBC from my UserID, it directly opens the NWBC screen and shows the role menu available for my UserID.

When I execute Tcode NWBC from the FFID, it opens the login screen for authentication. Since we are using the ID-based approach, all our FF IDs are service UserIDs and also FFID user exit has been maintained for those. Actually speaking, when I run NWBC from the FFID, it should take me directly to the NWBC screen instead of the login screen.

Please help with your expertise in understanding the cause for this issue.

If you need additional details, also let me know.

Thanks in advance.

Regards,

Sai.

Accepted Solutions (1)


Colleen
Advisor
0 Kudos

Hi Sai

What do you mean by "also FFID user exit has been maintained for those."?

I have noticed some notes regarding FF Ids with NWBC:

1796682 - 'User Type must be Dialog User' Dump comes when FFID tries to login to NWBC

1905295 - Launching firefighter application from NWBC not working

Perhaps you could look at marketplace to see if any of that covers your issue?

Regards

Colleen

former_member187795
Participant
0 Kudos

Hi Colleen,

Thanks a lot for directing me to the correct notes for my issue.

My Firefighter IDs are service users.

We have Firefighter User exit implemented to avoid direct logon with firefighter IDs.

When I log on with the FF ID and execute the NWBC tcode, I am getting the login screen for NWBC to enter login credentials.

Ideally it should not happen and should log in using SSO. But SAP confirmed that with an FF ID, NWBC doesn't work if the FF ID is of service type.

1588075 - SSO fails for service type users in FF session


Now I changed my FF IDs to Dialog type and tried to log in with the FF IDs.


When I click on the logon button, enter the reason code and other details and try to log in with the FF ID, I am again getting the login screen to log in to the system.


Is this normal behavior, where the FF ID, if it is dialog type, prompts to re-login again?


We are confused on how to use Firefighter approach for our scenario.


1. FF ID service type doesn't work for NWBC


2. FF ID dialog type prompts for re-login to the system with FF UserID and Password.


SAP already confirmed that issue (1) is standard and FF IDs need to be changed to either dialog or communication types to work for NWBC.


For issue (2), can you suggest if there is any workaround?


Regards,

Sai.

dyaryura
Active Participant
0 Kudos

Hi Sai,

You'll probably have to reset the FF Id password or something like that. I've added some tips and link to notes in the document Configure Emergency Access (EAM) in GRC 10 | SCN

Review section "Common Issue: Logon screen appears when starting FF session"

Hope it helps.

Diego

former_member187795
Participant
0 Kudos

Hi Diego,

Thanks a lot for taking your time in guiding us with your expertise.

I have gone through the document shared by you. I can see that in the blog it was mentioned that the Firefighter ID should be Service user type. It was mentioned there that if it is a dialog user, this login prompt will come.

1. I cannot make my FF ID a service user, as NWBC doesn't work with the FF ID if it is service user type, and this was confirmed by SAP as per the note below

1588075 - SSO fails for service type users in FF session


Only workaround available - To change FF ID to dialog user type


2. My Firefighter ID has been changed to dialog user type because of the above issue. But now the FF ID prompts to log in whenever I try to log in as firefighter. I have gone through the 2 SAP notes provided by you in your blog. We are on SP13, are they applicable for us? Are those notes applicable if the FF ID is of dialog user type?


Kindly suggest if there is any workaround for my case.


Thanks in advance.


Regards,

Sai.

dyaryura
Active Participant
0 Kudos

Hi Sai,

We've faced this problem after switching the users from Service to Dialog. I think our issue was that, due to password policy, the passwords of some of the dialog users hadn't been changed for a long time and they weren't valid (as per parameter login/password_max_idle_initial, for example). So after changing the password it worked again. This is very usual.

Regarding the notes, some of them are just informative and they don't depend on the SP level. Regarding the others, you can check the section "correction delivered in SP" in order to know if they apply.

Cheers,

Diego.

Colleen
Advisor
0 Kudos

Hi Diego

In that situation, have you considered using SECPOL? ERP6 EHP6 will allow you to create a security policy. You could investigate creating one for the FF Ids and assigning it to them to extend password expiration out.

Regards

Colleen

dyaryura
Active Participant
0 Kudos

Nice option, Colleen!

I have not considered it because it usually happens after creation and just one time. But good to know that!

Cheers,

Diego.

former_member187795
Participant
0 Kudos

Hi Diego,

We have implemented the SAP notes which are applicable for us and I am still getting the login screen.

From your reply, you confirmed that though you have changed the FF ID to dialog user type, everything is working in the normal way without any issues.

In my scenario, my FF ID has been defined as a dialog user with an initial password. When I log in as Firefighter, it logs in without any login screens, and when I run NWBC it asks to change the password as a first-time login to NWBC, and here I am getting the password change screen.

When I change the password from initial to some other value and then access the FF ID, I am getting the login prompt right at the start.

I am not able to find any workarounds for this.

Can you suggest if I am missing anything?

Regards,

Sai.

dyaryura
Active Participant
0 Kudos

Hello Sai,

Yes, it should work with Dialog Users. Actually, when we decided to switch from Service to Dialog, we asked SAP if it was supported and we got the response:

"Yes you can use FFID as Dialog in GRC10.
Also please review the SAP Note 1586989 for more information.
This Note also applied to GRC10."


We configured on SP10 using Dialog users and the only problem we faced was with password policies, but this can be solved as described by Colleen.


Cheers,

Diego.

former_member187795
Participant
0 Kudos

Hi Diego,

Thanks for the details. I am still facing the same issue where the login screen prompts whenever I log in with the dialog firefighter ID. We don't have any password policies in sandbox systems either.

I will write to SAP on this and will update you with their response.

I have one more query Diego.

1. FF User logs into FF session using a Firefighter ID.

2. From the firefighter session, the user executes the NWBC Tcode and it opens up a webdynpro screen with different links for him.

3. Now the user logs off from the FF session, but the NWBC session will still be active.

4. Assume that another user has now logged into the same firefighter, executed NWBC and performs some activities; then both sessions are active and the logs get mixed up.

For Webdynpro, I have checked the logs, and the logs show only technical names, the webdynpro name and nothing else. So the logs would be difficult for a controller to understand.

Have you come across such a scenario? How to capture logs for NWBC in a better way? Is there anything available or do we need to contact SAP for this?

Regards,

Sai.

dyaryura
Active Participant
0 Kudos

Hello Sai,

Are you sure that EAM is supported for TM or a system using NWBC? Have you asked SAP?

Mainly firefighter is supported for ABAP based transactions. So, I don't know if it makes sense to collect such webdynpros.

Also check

1736116 - Password change window pops up after Firefighter ID launches NWBC

Cheers

Diego.

former_member187795
Participant
0 Kudos

Hi Diego,

We raised an OSS message to SAP to confirm this. We came across a lot of issues for EAM to the TM system.

1. Login Issue

2. Logs capturing (Webdynpro logs are not capturing any changes)

3. BRF+ logs. In our project, users log in with the FF ID and make changes to decision table entries in BRF+ applications, and none of those are being captured in FF logs or even in trace.

We mentioned all these in our OSS message. Will update you with their reply. But it looks like TM is not supported in many aspects of GRC.

Regards,

Sai.

Former Member
0 Kudos

Hi,


We have a similar issue with Java systems, like CRM, SRM, etc.

We raised an idea.

Regards,

EAM - Firefighter not works for portal system such SRM - CRM , etc : View Idea

madhusap
Active Contributor
0 Kudos

Hi Sai,

We have a similar issue where we converted our Service Firefighter IDs to Dialog firefighter IDs and they are working fine.

As mentioned by Former Member, you need to remove the password aging policies. If, even after that, your FF ID is asking to change the password when running NWBC, please change the parameter to 0 in RZ11 as mentioned in the SAP note below. This worked for us.

1736116 - Password change window pops up after Firefighter ID launches NWBC

Cheers,

Madhu.

Answers (0)