Blocking Firefighter IDs login

Hi Gurus,
The Firefighter IDs are user type Service. Is there any way we can limit the direct login under these IDs other than withholding passwords?
Thanks

Please consult SAP Note 992200 - it describes a user exit that does exactly what you want.
That should also be mentioned in the installation guide, if I'm not mistaken.
Frank.

Similar Messages

  • Firefighter IDs Not Populating in GRC 10

    We're having an issue getting the firefighter IDs to populate in GRC 10.
    We have:
    1) Configured the integration scenario 'SUPMG' in GRC system (SPRO - Governance, Risk and Compliance - Common Component Settings - Integration Framework - Maintain Connection Settings)
    2) Added 'SAP' connection type, 'CL_GRAC_AD_SUPER_USER_RFC' class/interface under 'Scenario-Connection Type Link' for integration scenario 'SUPMG'
    2) Configured the 'Target Connectors' under the 'SUPMG' scenario
    3) Verified that the superuser firefighter role 'SAP_GRAC_SPM_FFID' is configured under parameter 4010 (SPRO - Governance, Risk and Compliance - Access Control - Maintain Configuration Settings)
    4) Verified that the superuser firefighter role exists in the target system and that full authorizations have been added and generated for 'S_RFC' authorization object
    5) Created a firefighter ID in the target system, setting the user type = 'Service' and assigning the superuser firefighter role to the user ID
    6) Executed the 'GRAC_AUTH_SYNC', 'GRAC_REP_OBJ_SYNC', 'GRAC_ROLEREP_USER_SYNC' and 'GRAC_ROLEREP_ROLE_SYNC' for target system
    I've read that the 'SAP_GRAC_SPM_FFID' (or custom variation) role needs to exist in both the GRC and target system.  It currently exists in the target system but not in the GRC system.  Is this step necessary?
    Other than that, we can't figure out why the firefighter IDs would not be populating in GRC?!?
    Any insight would be appreciated.  Thanks!

    Hi Parag,
    Please check this blog post which gives you clear idea about all the details required for your EAM configuration.
    http://scn.sap.com/community/grc/blog/2014/01/16/de-centralized-eam-grc-100
    Regards,
    Madhu.

  • Block email ids for outbound mails

    Hi
    We need to block a certain set of email IDs to whom our outbound mails should not go. Our agents would be sending mails from IC-Web.
    I was looking around in SCOT but couldn't locate any configuration setting for that.
    Any idea how we can achieve it?
    Thanks for your time in advance.
    Regards
    Vishal Mani

    Hi,
    Another approach may be useful.
    In CRM, Business Partner Master - address data - communication --> email
    --> maintain internet mail addresses, there is a tick mark for "do not use communication" against every email address.
    If you tick it, email will NOT be sent to that email ID for this BP.
    Hope it helps,
    thanks & regards,
    PD

  • Blocking of Direct Login to Satellite System

    Dear All,
    A person who has login authorisation in Solman also has login authorisation in satellite systems. So a person can log in directly to the satellite system, bypassing Solman. Is there any possibility to block the person from logging in directly to the satellite system?
    Thanks and Regards
    Saravanan

    Hi,
    When we create RFC destinations for a remote system we have to either provide the user credentials and save them, or make it a trusted RFC connection without providing any login credentials.
    Depending upon the RFC you create you get all the access in the satellite systems.
    Also go through this tutor
    https://websmp204.sap-ag.de/~sapidb/011000358700002912202006E.sim
    This shows how to create the RFC and whether you want trusted or with user logon screen. With user logon it always asks for the credentials, whereas in the other case they get filled in automatically.
    Please reward points if it helps.
    Message was edited by:
            Prakhar Saxena

  • Is there a way to mass update or replace the SPM Firefighter IDs table?

    We are upgrading from GRC 5.2 to 5.3.  In 5.3 FF/SPM has added an Owners field to the FF ID table (/virsa/zffusers), which is apparently a required field because I keep getting a "Invalid Firefighter ID Owner" error when I try to look at the table.
    Is there a way to mass update, or perhaps import/replace, this table?  I am having problems trying to update this table thru the FF table screen.  When I go to save my changes, it will return the above error because not all of the FFID records have an assignment in this new Owners field.  We have over 160 FFIDs, so I can't change all of the records at the same time.  I can only get about 20 per screen and it will return that error again when I try to page forward.
    Thanks.

    Hi Bob,
    that is perfectly possible - did it a few times already.
    Export the table from within Firefighter, download the owners table (sorry, need to look up the name tomorrow - but you can't miss it), then add the owners through an Excel vlookup. Then re-import the table in Firefighter, and you're set.
    I'm at home right now - if you have difficulties getting this done shoot me a message tomorrow and I'll send you more details.
    Frank.

  • Multiple Approvers for Firefighter Ids

    Hi All,
    We have a scenario at one of our clients that for Firefighter there should be multiple Firefighters.
    ex : FFID1
    Approvers = A and B
    Approver A is the Team Lead.
    Approver B is the Track Lead/ Manager.
    So when requester requests the FFID1 it should first go to the Approver A(Team Lead) and once he approves then it should go to the Approver B(Manager).
    How can we configure this in GRC 10. Please explain in detail and provide config steps if possible.
    Thanks in advance.
    Ansari.M

    Hi Kaushal,
    Thanks for the info.
    Well can you please let me know the step by step configuration for this scenario.
    Like once the Team Lead approve then the request should go to the second level of approval to the Manager.
    As you explained it was clear that it can be done, I am working on your steps. But can you also refer to any document or forward me the steps.
    Thanks
    Ansari.M

  • Block Office 365 Login

    Does anyone know of a way (if possible) to block the Office 365 sign-in or account creation abilities from within the new Microsoft Office apps?

    Seeing as how that is a Microsoft product, you might have better luck getting an answer on the Microsoft forum instead of here on the Apple forums.
    Allan

  • Why the ACS block my Console Login?

    I have AAA on my SWs and routers, but when my server goes down I can't get access on the console port.
    My config is attached and the debug aaa authorization.
    These are the debugs for each access: Telnet with the TACACS user, console with the TACACS user, and the attempt with the local user.
    telnet access
    Oct 15 01:03:09: AAA: parse name=tty2 idb type=-1 tty=-1
    Oct 15 01:03:09: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:03:10: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/37 (102), with tst1-s2 GigabitEthernet0/1 (1).
    Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user='ACS-USER' ruser='NULL' port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=ENABLE priv=15
    Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user='ACS-USER' ruser='NULL' port='tty2' rem_addr='10.10.10.23' authen_type=ASCII service=LOGIN priv=1
    Console access (working with the ACS user)
    Oct 15 01:08:57: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:08:57: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
    Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) user='ACS-USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
    Console access (not working with the local user)
    Oct 15 01:05:24: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:05:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) user='LOCAL_USER' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
    Oct 15 01:05:36: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:05:36: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=1 service=1 priv=1
    Oct 15 01:06:09: AAA: parse name=tty0 idb type=-1 tty=-1
    Oct 15 01:06:09: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Oct 15 01:06:09: AAA/MEMORY: create_user (0x2773004) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Oct 15 01:06:41: AAA/MEMORY: free_user (0x2773004) user='NULL' ruser='NULL' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
    Thanks for your help.

    Change your commands from,
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+
    To,
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    Regards,
    Prem
    Please if it helps!
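
Added example (not part of the original thread or the posters' own code): a small Python audit of `aaa authentication` method lists that flags the lockout pattern discussed above. The sample configs are constructed from the two command pairs in the answer, and the function names are illustrative.

```python
import re

# Constructed sample configs built from the two command pairs quoted in the
# answer above; they are not the poster's attached configuration.
BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+
"""
AFTER = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""

AAA_LINE = re.compile(r"^\s*aaa authentication (login|enable) (\S+) (.+?)\s*$")
LOCAL_METHODS = {"local", "local-case"}


def parse_method_lists(config):
    """Map (service, list name) -> ordered methods; 'group X' is one method."""
    lists = {}
    for line in config.splitlines():
        match = AAA_LINE.match(line)
        if not match:
            continue
        service, name, rest = match.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(service, name)] = methods
    return lists


def audit(config):
    """Return findings about what each list does after its server groups."""
    findings = []
    for (service, name), methods in sorted(parse_method_lists(config).items()):
        fallbacks = [m for m in methods if not m.startswith("group ")]
        label = f"{service}/{name}"
        if not fallbacks:
            findings.append(f"{label}: only server groups, no fallback method")
        elif service == "login" and not LOCAL_METHODS & set(fallbacks):
            findings.append(f"{label}: falls back to {fallbacks[0]!r}, "
                            "local usernames are never consulted")
        if "none" in fallbacks:
            findings.append(f"{label}: 'none' lets the request through "
                            "without authentication once it is reached")
    return findings


if __name__ == "__main__":
    for title, cfg in (("before", BEFORE), ("after", AFTER)):
        print(title, audit(cfg) or "no findings")
```

Run against a saved running-config, the same `audit` call lists every named method list, not only `default`, so line-specific lists applied to the console or VTYs are checked too.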

  • Blocked I-cloud login

    Cannot login to my i cloud account.
    cannot reset the password.
    cannot verify id
    does not recognise my DOB

    Did you try the troubleshooting mentioned here?
    Apple ID - Apple Support

  • Block Sql Plus Login

    Hi,
    I have database 8.05. For client server application on the client side we mention
    D:\ORACLE\BIN\F50RUN32.EXE c:\test\test.fmx test/test@test
    Now anyone can log on to SQL*Plus if he knows SQL*Plus, as the username and password are there. I don't want to remove SQL*Plus from each machine, and at the same time I don't want the user to log on to the SQL prompt.
    Operating system is Windows NT.
    Rgds

    What you need to do is give only CONNECT permissions to user TEST. So even if the user logs in to SQL*Plus, he won't be able to access any objects.
    Also, you need to create another Oracle user, which will have all the necessary permissions.
    In your client application (Forms), you need to connect using this new user after you have initially logged in using the TEST user.
    Hope this helps
    Ashwin N.

  • Firefox V.39 Security vulnerability blocking access to login FYI

    Just an FYI and a page redirection. I have not logged in to the forum in a while. I am using the most current version of Firefox (V.39). The error basically states to let the web admin know that the vulnerability exists on the web site. The fix was to go to about:config and toggle these two settings from True to False:
    1 - security.ssl3.dhe_rsa_aes_256_sha;false
    2 - security.ssl3.dhe_rsa_aes_128_sha;false
    Which I did and it worked for me. I will most likely toggle the two back to true as it was a default setting.

    Here is the official explanation relating to the issue. The POODLE Attack and the End of SSL 3.0 - Published October 14, 2014

    Summary
    SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS).

    Issue
    In late September, a team at Google discovered a serious vulnerability in SSL 3.0 that can be exploited to steal certain confidential information, such as cookies. This vulnerability, known as “POODLE”, is similar to the BEAST attack. By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website. Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail. Today, Firefox uses SSLv3 for only about 0.3% of HTTPS connections. That’s a small percentage, but due to the size of the Web, it still amounts to millions of transactions per day.

    Impact
    The POODLE attack can be used against any browser or website that supports SSLv3. This affects all current browsers and most websites. As noted above, only 0.3% of transactions actually use SSLv3. Though almost all websites allow connections with SSLv3 to support old browsers, it is rarely used, since there are very few browsers that don’t support newer versions of TLS. Sites that require SSLv3 will remain vulnerable until they upgrade to a more recent version of TLS. According to measurements conducted by Mozilla and the University of Michigan, approximately 0.42% of the Alexa top million domains have some reliance on SSLv3 (usually due to a subdomain requiring SSLv3).

    Status
    SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25. The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3. As an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV. If this is supported by the server, it prevents attacks that rely on insecure fallback.

    Additional Precautions
    For Firefox users, the simplest way to stay safe is to ensure that Firefox is configured to automatically update. Look under Preferences / Advanced / Update and make sure that “Automatically install updates” is checked. For users who don’t want to wait till November 25th (when SSLv3 is disabled by default in Firefox 34), we have created the SSL Version Control Firefox extension to disable SSLv3 immediately. Website operators should evaluate their traffic now and disable SSLv3 as soon as compatibility with legacy clients is no longer required. (The only remaining browser that does not support TLSv1.0 is Internet Explorer 6). We recommend following the intermediate configuration level from Mozilla’s Server Site TLS guidelines. We realize that many sites still receive traffic from IE6 and cannot disable SSLv3 entirely. Those sites may have to maintain SSLv3 compatibility, and should actively encourage their users to migrate to a more secure browser as soon as possible.

  • Not able to search for FF IDs on clicking Super user access tab in request

    Hi experts
    In GRC AC 5.3 CUP, I'm trying to create a new request with the Superuser Access request type. On selecting the request type, I get the superuser access tab enabled in the request. Now when I click on that, I am not able to search for any Firefighter IDs which are present in the backend SAP system.
    However, when I try the same in another CUP box in the landscape, it worked. I could see all the FF IDs in that system.
    What configuration am I missing in the first box which is not allowing me to view the IDs on search?
    Thanks

    Yes, I had chosen a wrong connector. You are right.
    If the connector is working fine, all the Firefighter IDs are fetched properly.
    Thanks

  • Role Based FireFighter with GRC 10.0 (CEA)

    Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
    The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

    Good question, and the answer is not pretty.
    In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
    Reporting turns on when the user runs a transaction in the firefighter role.
    If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
    The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
    If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

  • Role Based FireFighter

    Greetings All,
    We are doing an SAP GRC Access Control implementation in our company. We have module-wise Master Roles working as firefighter Roles. In an emergency we assign one to a user for 24 hours. Now that we are implementing FireFighter we want to keep the existing Role Model but use the functionality of FF. Has anyone gone through this scenario? Do let me know the steps we need to configure the existing model with the new FF Model and AE.
    Thanks in advance,
    Regards,
    Sabita Das

    Try Firefighter roles instead of Firefighter users.
    FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.
    FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time a request for the FF role through AE (the request could go through a separate workflow path) and the request will be approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc... An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24/7 master data set-up in the original Firefighter process.
    When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.
    The Firefighter does not need to "check-out" a Firefighter ID; the access is on their normal user ID.
    The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.

  • In FireFighter ID after loged in, can Reason and OR Activity screen be mand

    Hello All,
    for Tcode = /VIRSA/VFAT - Firefighter
    Please help, someone with SAP FireFighter IDs experience.
    Once a user has logged in as a FireFighter in the Compliance Calibrator, a screen pops up asking to enter the Reason and Activity to be performed before the user can take any action or go any further.
    My question is: is there any way under FireFighter configuration or so that the Reason / Activity field can be made mandatory?
    Because in our environment most of the users are not entering the Reason or the Activity they are performing.
    Please, if you know the answer, let me know ASAP.
    Thanks in advance!!!
    Syd.

    Hi Syd,
    I've verified further and find that you can implement text field restrictions in /VIRSA/ZVFAT ABAP program. Check for the below lines:
    data : desc(128), desc1(128), comment(255).
    **Reason And Activity
    data : it_reason like /virsa/reason occurs 0 with header line,
           it_activity like /virsa/activity occurs 0 with header line,
           it_thead like thead,
           it_thead1 like thead,
           it_line like tline occurs 0 with header line,
           it_line1 like tline occurs 0 with header line.
    data : rcode like /virsa/zffrcd-rcode.
    data: t_path1 type string.
    Your ABAPer is the best person to implement this restriction
    Regards,
    Raghu
