on 03-18-2014 9:50 AM
I am investigating how to execute ABAP Web Dynpros using a FireFighter user-id (we are still on GRC-AC 5.3). I have seen this question asked by others on SCN, but there doesn't seem to be an answer provided.
Our scenaro is a follows:
1. USER_A logs onto ECC Production.
2. USER_A logs into FireFigter using transaction /VIRSA/VFAT. The FireFighter account is FF_USER_A
3. FF_USER_A now executes an ABAP Web Dynpro from a PFCG role menu.
So, how do I get the ABAP Web Dynpro to run as FF_USER_A.
It seems to me it is not possible to run Web Dynpros under a FireFighter user-id, but this seems like a big product gap to me.
What am I missing?
Richard.
You can configure firefighter to be role-based rather than user-based. Here, rather than getting a new userid when you use firefighter, the relevant roles are temporarily added to your own user. Then you should be able to run dynpros as your own user and have firefighter access when necessary.
You'll find info about this in the installation guide, and there are plenty of discussions here on SCN about it - just search for "role based firefighter". As far as I know, most people use a user-based, not role-based, firefighter configuration.
Steve.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks for the reply Steve.
I have only ever work with user-based FireFighter, but will now revisit role based FireFighter.
One aspect of User based FF which appeals to me is that SAP change logs are clearly marked with the FF userid (assuming a clear FF user-id naming convention is used).
A potential problem I may encounter with role based FF is that our ABAP systems are connected to SAP IdM. SAP IdM is the source of truth for role assignments. If something else is assigning roles to a user-id (i.e. FireFighter) then IdM may remove these changes. This may be unlikely, but archtecturally it doesn't seem ideal.
Thanks for the input.
I'd also be keen to hear the official SAP view if the GRC team is watching.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.