
Executing ABAP Web Dynpros using a FireFighter User-id

Former Member
0 Kudos

I am investigating how to execute ABAP Web Dynpros using a FireFighter user-id (we are still on GRC-AC 5.3). I have seen this question asked by others on SCN, but there doesn't seem to be an answer provided.

Our scenario is as follows:

1. USER_A logs onto ECC Production.

  • We authenticate using X.509 and the ECC system also issues USER_A a SAP Logon ticket for ECC Production.

2. USER_A logs into FireFighter using transaction /VIRSA/VFAT. The FireFighter account is FF_USER_A.

3. FF_USER_A now executes an ABAP Web Dynpro from a PFCG role menu.

  • This launches a Web Browser window which starts the Web Dynpro.
  • However, there is already a SAPLogon ticket available for USER_A, so we are authenticated as USER_A, not FF_USER_A.
  • USER_A is not fully authorized to run the Web Dynpro. This is expected because we want the task to be performed as FF_USER_A.

So, how do I get the ABAP Web Dynpro to run as FF_USER_A?

It seems to me it is not possible to run Web Dynpros under a FireFighter user-id, but this seems like a big product gap to me.

What am I missing?

Richard.

Accepted Solutions (1)


Former Member
0 Kudos

You can configure firefighter to be role-based rather than user-based. Here, rather than getting a new userid when you use firefighter, the relevant roles are temporarily added to your own user. Then you should be able to run dynpros as your own user and have firefighter access when necessary.

You'll find info about this in the installation guide, and there are plenty of discussions here on SCN about it - just search for "role based firefighter". As far as I know, most people use a user-based, not role-based, firefighter configuration.

Steve.

Former Member
0 Kudos

Thanks for the reply Steve.

I have only ever worked with user-based FireFighter, but will now revisit role-based FireFighter.

One aspect of User based FF which appeals to me is that SAP change logs are clearly marked with the FF userid (assuming a clear FF user-id naming convention is used).

A potential problem I may encounter with role-based FF is that our ABAP systems are connected to SAP IdM. SAP IdM is the source of truth for role assignments. If something else is assigning roles to a user-id (i.e. FireFighter) then IdM may remove these changes. This may be unlikely, but architecturally it doesn't seem ideal.

Thanks for the input.

I'd also be keen to hear the official SAP view if the GRC team is watching.

Former Member
0 Kudos

I've never used a role-based setup either, but it does cause us similar issues with access routes that don't come through SAPgui. It isn't a huge deal for us, though, so we live with it. I too prefer the separation you get from user-based.

Steve.

Answers (0)