GRC SPM 5.3: Auth. object GRCFF_0001 in the role /VIRSA/Z_VFAT_FIREFIGHTER

Hi experts,
According to latest version of "SAP GRC Access Control 5.3 Security Guide" available on SAP service marketplace:
https://websmp105.sap-ag.de/~sapdownload/011000358700000406492008E/AC53_Sec_Guide_en.pdf
I should assign the default role "/VIRSA/Z_VFAT_FIREFIGHTER" to FF users. (see page 18):
Base user authorizations required to logon as a firefighter. The firefighter role provides authorization for users who have a firefighter ID to run a firefighter transaction. Read SAP Note 1319031 for additional authorizations required after installation of AC5.3 SP07.
The authorization object GRCFF_0001 field ACTVT is * as per default, and as the Sec. Guide says, see page 22.
What is this authorization for?
The documentation of this field (PFCG-> press <F1> on object) states following:
"Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
Iu2019ve removed completely this authorization for the role "/VIRSA/Z_VFAT_FIREFIGHTERu201D and users still can use their FF without problems.
The problem is in the case of a user having the following auth:
GRCFF_0001 ACTV *
S_TABU_DIS  ACTV 02  Table group: Z****
This combination allows FF users to change all the configuration tables in tx. /n/virsa/vfat.
What do you think? Is the security guide correct? Why we should give FF users this authorization?. As I said Iu2019ve removed this auth from the role and all works fine anyway.
Regards
Diego.

Hi sunny,
I've removed the authorization from the users. It means, no user has this authorization. I've checked it using SUIM. I've done a lot of test already.
If you've a look at the sec. guide, you'll understand what I'm saying. Note for example the role /VIRSA/Z_VFAT_ID_OWNER and compare it with /VIRSA/Z_VFAT_FIREFIGHTER.
As per the security guide a owner should have ONLY ACTV 02 and 03, while I should give FF users *. This makes no sense at all. ACTV * should be granted only to admins.
Agian, note what is this authorization for:
"Authorization Object is used to restrict maintaining and uploading data various tables such as Configuration,Reason Codes, Controllers, Owners and Firefighters"
Do u think is correct to give FF users ACTV *  taking into account this definition from PFCG???
Cheers,
Diego.

Similar Messages

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    yes, any auth objects will come across to derived roles when you click 'generate derived roles'  from your parent role. basically its copying your parent role authorizations to derived roles  except org. level data( if you had maintained them thru 'org. maintainence' button and not adding in individual objects).
    yes. manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles'  from your parent role.
    if you just derived the role menu and din't copy the authorizations(generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • Help need in creation of auth object

    Hi all,
    can anyone assist me in creating an auth object to restrict users based on plant.
    I would appreciate i anyone of you could send me screen shots of the procedure.
    My email id is
    <b><removed by moderator></b>
    Thanks
    Venki

    Hi,
    Basically you can use derived role and restric users based on plant...
    Other than standard objects do you want to create auth objects.
    For more information on you can follow link. info on objects
    http://help.sap.com/saphelp_47x200/helpdata/en/ea/e9b0054c7211d189520000e829fbbd/frameset.htm
    Cheers
    Soma

  • BW Authorizations/Report. Auth Object/KF's vs. Calc. KF's

    We implemented a custom/reporting auth. object to protect key figures (1KYFNM) and it works well. The issue is that our user community never ceases to come up with new and even more creative requirements.
    Let me illustrate the latest requirement:
    I have locked-down access to certain key figures (let's call them 'KF A' and 'KF B') and therefore subsequently secure all combinations involving either one of the two meaning calc. KF D (KF A plus KF C) is locked down as well. I also need to mention that users are supposed to be able to create their own ad-hoc queries, which eliminates the option of limiting them to a query or set of queries that accomplish the following requirement.
    There are certain totals, which are calc. KF's that the users are allowed/required to see even though they are not supposed to see what makes up these numbers (they should see calc. KF K which is made up of KF A, KF B, and KF H, etc. but not KF A and KF B).
    Without the option of providing the users with rather static queries, I see another option as calculating 'KF K' (from the previous example) at the time of the load and just making it another key figure in the cube which then can be excluded from the auth. check previously mentioned based on the naming convention. The problem with that is that this will make reporting rather inflexible, increase load times as this calculation is rather complicated, and it will also create redundant information in an environment that is already experiencing substantial growth and volume.
    Does anyone see any other solution?
    Thanks,
    Joerg

    Jeorg,
    I'm afraid that there's no special authorization handling for calculated key figures. To my best knowledge, the approach to create another key figure at data load time via transfer rules or update rules would be the only one can work. While this approach may not be flexible, but the load time should not increase significantly if you just add two key figure values into a new one.
    If you find this is approach is unacceptable or it is a common requirement among BW community, you might consider submit such requirement through ASUG BI Group or via OSS development request.
    Thank you for your question and patience.
    Regards,
    Amelia Lo
    SAP NetWeaver RIG, US
    SAP Labs, LLC

  • How can I limit/control the addition of auth. objects to security roles?

    Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
    Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
    I hope this helps you
    Regards
    Eduardo

  • Can we control Work center group links using auth object UIU_COMP

    Hello All,
    We are running into an issue while doing our PFCG role configuration.
    I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
    We can control Workcenter's but not 'Work Center Group Links'.
    Here is what we did:
    - We have a business role Z_RA_DEFAULT.
    - The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
    - I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
    - Even though the values Work center group links are in menu and visible,
    I want to remove these Work center group links from the screen using the auth object.
    - If we remove the check from in menu and visible in the business role the Work center group links disapper from the screen.
    Right now this is only way we are able to controle Work center group links.
    Question:
    - Can I use UIU_COMP to restrict Work center group links?
    - any another auth object that controle Work center group links?
    - any document/ website / info  available which tells us what can we restrict with auth object UIU_COMP?
    - or any other way of doing this... like code change, user exit, ....?
    Really appreciate your help.
    Thanks,
    Nasir

    I am not sure if I have understood the issue correctly, but still what stops you from actually creating a clone business role to your existing business role and deactivating the in menu visible work center group links. Use this new business role for users who need to be prevented from viewing the work center groups links in question.
    If you are going to use authorization objects to control the visibility wont it impact all users (still defeating your original purpose?)
    Again apologies in case I have got the question wrong.

  • Custom Auth. Object with Profile and role assignment not working

    Hi,
    I have created custom Authorization Object with field ACTVT with allowed values - 01,02, 03. Now test it with custom program using AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ' it is working fine and returning sy-subrc 12. At this point i have not created any role using this Auth Object.
    Now I have created custom role ZPM_**** and assigned above Auth object to it with value ACTVT 03. Assigned this role to user.
    When I try to test the above custom program with any ACTVT value it is giving sy-subrc as 0. Used below custom code in program.
    AUTHORITY-CHECK OBJECT 'Z_AUTHORIZ'
                ID 'ACTVT'  FIELD '01'.
    Am I missing anything? The profiles are generated correctly. 
    Best Regards,
    Nilesh

    Below are the screen shots for PFCG:

  • Is there a listing of all Auth.Objects for SAP and the discription for them

    I would like to know if there is a listing of all the Auth.Objects  for SAP out there somewhere??
    Thank you,
    Robert

    > Auth.Objects  for SAP out there somewhere??
    You want all the customer objects as well in all SAP systems?
    (Or just those in your TOBJ?)
    PS: Please try the F1 key on fields to find their tables (or structures) and give the search a try as well...
    Cheers,
    Julius

  • S_PROJECTS auth object

    I am trying to create a role for IMG display access only
    I made ACTVT in all the Auth objects "03" or "display"
    but in S_PROJECTS auth object, in "activity" there is no "display" , how do I make ACTVT in S_PROJECTS object "display"
    Thanks
    Message was edited by:
            Jackofalltrades

    Hi,
    First of all all activities dont apply to all auth objects.(for example generate activity might not be applicable for all auth objects)
    So SAP proposed what activities might be relevant to a particular Auth Object.
    This information is in TACTZ Tables.
    So perhaps u can verfiy the table and u would find that the entries displayed in ur Activity for S_PROJECTS would be the same values as are in S_PROJECTS values in TACTZ table.
    HoweverYou can maintain 03 for this object too.
    Select the pencil button for the activity field.
    It will take u to a dialog box which contains activity fields.
    Now if u dont find the 03 field there. Then right click on the screen and select more values option.
    It would display all the activities.
    However if the 03 field is not mentioned as a proposed activity for that Object by SAP (u can see this info in TACTZ) then make sure that u actually need this object for doing any display activites.
    Hope this helps
    Manohar

  • Auth Objects in ABAP Programs

    Dear All,
    how could I find the auth object being validated in programs?
    Using SU24 I am able to find transactions checking auth object...but I am not quit sure sure if there are some other programs using/checking those auth objects.
    In general I want to check one specific auth object where is used/checked.
    I will appreciate your help.
    Regards
    FedeX

    Please use the standard report RSABAPSC to check the authority check statements used in the program for any TCode. Also you can look into ABAP codes in more details by using the program RSANAL00.
    Regards,
    Dipanjan

  • APO roles and auth objects

    Hello all,
    Can someone tell me the most common used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security
    thanks

    I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
    http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
    There is a list of useful APO transactions here
    http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
    I can't help with the standard roles as I build my own.

  • CC5.2: Auth objects database table for legacy systems

    Hi,
    Where are the auth objects for legacy systems stored?
    I mean, for SAP systems the auth objects ar stored in the tables SAPOBJ and SYSSAPOBJ.
    Can anybody help me?
    Thanks in advance

    correct formatting...I wish you could edit your posts instead of reposting!
    Just a performance tip--> since it looks as though you are looping through and performing the same statement many times, you should consider using a prepared statement:
    PreparedStatement ps = con.prepareStatement("insert into Table1 (Col1,COl2,Col3) " +
    "values ( ? , ? , ? )");
    for (int k=0; j<array1.length; k++) {
    if (array1[k] !=null)
    tt = array1[k].getArray2();
    for (int j=0; j<50; j++) {
    if (array2[k] !=null)
    ps.setString(1, tt[j].getString1);
    ps.setString(2, tt[j].getString2);
    ps.setString(3, tt[j].getString3);
    ps.executeUpdate();You will notice a significant performance gain if you are looping many times.
    Advanced--> huge performance gain if you use batch statement in this loop!
    PreparedStatement ps = con.prepareStatement("insert into Table1 (Col1,COl2,Col3) " +
    "values ( ? , ? , ? )");
    for (int k=0; j<array1.length; k++) {
    if (array1[k] !=null)
    tt = array1[k].getArray2();
    for (int j=0; j<50; j++) {
    if (array2[k] !=null)
    ps.setString(1, tt[j].getString1);
    ps.setString(2, tt[j].getString2);
    ps.setString(3, tt[j].getString3);
    ps.addBatch();
    //when completed all looping
    int[] insertCount = ps.executeBatch();Jamie

  • Deletion of auth objects Corresponding to tcodes

    Q1.
    If a transaction is deleted from the menu wthr the Corresponding authorization objects are deleted.
    Q2.Eg
    What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
    Rakesh

    Q1.
    If a transaction is deleted from the menu wthr the Corresponding authorization objects are deleted.
    It depends..
    If the auth object's status is 'standard' and it is coming from only one t-code which is being removed, then it gets removed. If the status is 'changed', then it doesn't get removed.
    Q2.Eg
    What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
    No, the auth object won't get removed as that is coming from su24 from other t-codes also.
    If different t-codes are bringing different field combination values, then the instance which is coming from MM02(if it is being deleted) will get removed, again assuming that the instance is standard and not changed.

  • Error "Inconsistancy in the auth object P_ORGIN"

    Hello Gurus,
    I have to add a tcode which involves auth object P_ORGIN. When I add the tcode and go to authorization tab then it gives the error as "Inconsistancy in the auth object P_Orgin"
    Please let me know how should I add the tcode now. Thank you !
    Regards,
    MA

    PLease provide tcode
    The reason why the profile generator cannot correctly insert the
    default values of these transactions is due to a data inconsistency in
    table USOBT_C (default values for customers). The table does not
    contain an entry for field BTRTL of authorization object P_Orgin.
    You can immediately correct the incomplete data in your customer table
    USOBT_C using the following steps:
    Step 1 Execute transaction SU24
    Step 2 Enter the transaction affected by this error ie XXXX
    Step 3 "Change check indicator" (F6) in the application toolbar.
    Step 4 With "Display field values" (F7) you check the default values of
    P_Orgin. Please document the values.
    Step 5 Go back to the previous screen and set the check indicator from
    "Check/maintain" to "Check" for P_Orgin.
    Step 6 Set the indicator for P_Orgin back to "Check/maintain".
    Step 7 Choose the function "Change field values" (F6) and insert the
    formerly documented values for AUTHC in object P_Orgin.
    Now you see also the field BTRTL being presented.
    Save the changes.
    Repeat steps 3-7 for each of the transactions affected.
    Hope you are clear with the steps.
    Thanks,
    Prasant
    Edited by: Prasant K Paichha on Mar 3, 2010 3:01 PM

  • Auth objects required for creating super,power,end user roles

    Hi ,
    I need to create 3 roles according to the below requirement. can you tell me what auth objects req inorder to fulfill customer requirement.
    1.     Super User: 
         Have the access to Create/Modify/Delete own queries
         Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
    2.     Power User :
         Have the access to Create/Modify/Delete own queries
         Can create Structures, Formulas at the query level
    3.     End User
         Have the access to run and navigate reports at the local level
    Hope I will get reply soon
    Thanks

    Karunakar -
    Few things you have to keep in mind when you are giving access to the reports and queries.
    S_RS_COMP only will not do.
    have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers.
    and one more auth object S_RS_ICUBE for info cubes. you have to assign what ever the info cubes that you need to give access to the users.
    Then only user will get full access.
    precisely in order you can say,
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    and S_RS_MPRO.
    These are main auth objects which are related to info cube, info area access and BEx access.
    Hope this would give you clear pic.

Maybe you are looking for

  • One effect for several clips

    is there a way to throw a color filter for example onto a group of several clips at once ? I know the general procedure,like when the whole group of clips are highlighted and you drop one in ,the whole group of clips light up brown but only one clip

  • How do you add the contact who sent out a group text?

    How do you add the contact who sent out a group text? Also, how do you reply to the sender without having to reply to everyone in the group text? Thanks

  • In ME21N error-Purchase order item still contains faulty account assignment

    Hi While creating the PO in ME21N the following error occurs. "Purchase order item 00010 still contains faulty account assignments"

  • Administrator Account

    I recently got my daughter's PowerPC. When she first got it she set it up with her name as the administrator, her home folder is in her name, etc. I have not changed it for some time but I finally decided that I might like to do it. My question is ho

  • I can't update my Ipod Touch 2nd Generation to IOS 5, why?

    I would really like to get IOS 5. But when I plug my scond gen. Ipod Touch into Itunes, it says that 4.3.1 is the latest update. Please Help, thanks in advance. P.S: my pc is a Toshiba Satilite, running Windows Vista Home Premium, and I have Itunes 1