Login Firefighter ID

Dear all,
I'm trying to set up SMP and my version is SAP GRC AC 5.3 and Support Package: 16.
When I log in with the user that I assigned to the Firefighter ID and try to run any transaction, an error immediately appears: I don't have authorization for this transaction.
Thanks all for any suggestions!
Liliana!

Hi Liliana,
When you go to /n/virsa/vfat, do you see all the tabs (buttons): Owner, Firefighter, Controllers, Security, Reason Code, Configuration, Critical Tcodes?
Make sure that you have configured all of these. Click the Configuration tab and ensure that all the below parameters are set:
Retrieve Change Log     YES
Critical Transaction Table from Compliance Calibrator(VRAT)     NO
Firefighter Owner Additional Authorization     YES
Configuration Change Comment Mandatory     YES
Firefighter Controller Additional Authorization     YES
Send Log Report with Critical Transactions Only     YES
Send Log Report Execution Notification Immediately     YES
Send Log Report Execution Notification     YES
Send Firefighter Login Notification Immediately     YES
Assign FF Roles Instead of FF IDs     NO
Send FirefightId Login Notification     YES
Remote Function Call     - The ABAP type RFC connection that was created.
Also, make sure that the FF ID that you have created is a service type user and not a dialog user.
Hope this solves the issue.
Regards,
Raghu

Similar Messages

  • GRC EAM - Single Firefighter Multiple User Login

    Hi Folks,
    Good Day...Please need your valuable suggestion on the below issue...
    We have configured GRC EAM 10.0 with a mapping of Single User ID to Single Firefighter, but now we have a scenario where multiple users require a single Firefighter ID.
    The mapping is done for multiple users with a single Firefighter ID. We logged in with the first user and it works successfully, but when the other user logs in at the same time, it does not allow entry into the same Firefighter (a message pops up saying User1 is already using Firefighter).
    Please provide me if any solution...

    Hi Hima
    Good to hear (sorry for your first question and this one led me down that path)
    I assume the program to login to SAP (can't remember name off the top of my head) performs a check to see if FF is configured and the User is a FF Id. This program is locked down so you cannot view the code (if it's not the program then the kernel is performing a check but pretty sure it's the program).
    So in short, as soon as you configure the user to become a FF Id then it cannot be logged into via logon pad.
    As an additional security measure you should be able to deactivate the FF Id password as it is not required by GRC. This will add additional certainty that no user can access it (you will have change documents to show this should the account ever be removed as a FF Id).
    Regards
    Colleen

  • Blocking Firefighter IDs login

    Hi Gurus,
    The Firefighter IDs are user type Service. Is there any way we can limit the direct login under these IDs other than withholding passwords?
    Thanks

    Please consult SAP Note 992200 - it describes a user exit that does exactly what you want.
    That should also be mentioned in the installation guide, if I'm not mistaken.
    Frank.

  • Not able to login with Firefighter ID

    Hi,
    I configured the SPM and was able to test the firefighter login in our sandbox. Recently we upgraded from SP5 to SP8, and since then I am not able to log in with the firefighter ID. When I try to access the "Security" tab in /n/VIRSA/VFAT I get the error message "These settings are NOT required anymore." with Message no. /VIRSA/VFAT710.
    Any idea what might have changed and where should I look to fix this. Appreciate all your help.
    Thanks,
    Raj

    Hi,
    There was a security leak in the previous design of Firefighter, in which we used to maintain the password in the security table.
    To overcome this issue, there is no longer any need to maintain the password in the security table, as the logic by which the FFID logs in has been changed.
    So from SP07 onwards there is no need for the security table.
    Regards,
    Shweta

  • GRC 10 EAM authentication error while login to firefighter

    Hi, a user raised an EAM access request and it was approved in all the stages. When he tries to log in to use EAM, it gives the logon option and asks for the reason code, and when he continues after giving the reason code, it shows the authentication page to enter ID and password. But it does not jump into the respective ECC system. We have also reset the password of the FF ID and it is still not working. It worked fine until yesterday and we have this issue now. Please check and suggest. Thanks & Regards, Koteswara Rao.

    Hi Koteswara,
    Along with the authorization checks that are mentioned by Alessandro, can you also check that the RFC connections are trusted? We had this issue earlier and found it was due to the fact that the RFC connection was not trusted.
    Thanks
    Sammukh

  • Customized Email Content for Firefighter login and Log report

    Hi Experts,
    Is it possible to customize the email content (subject as well as body) for Firefighter login and log report notifications? This is required on GRC AC 5.3 SP10.
    Thanks
    Davinder

    No, D P. You can not customize FF emails. They are hard coded in the ABAP programs.
    Alpesh

  • Will FireFighter send a report to the Controller if no activity was done?

    We have our FF system set up to send out a log report each night to the Controllers.  If someone logs into their FFID and then immediately exits back out without doing anything, will the nightly email job (pgm /virsa/zvfat_log_report) report this FF session?
    We are on GRC 5.3 SP13.
    Thanks.

    Hi Bob,
    Firefighter will have 3 types of logs:
    1. Session
    2. Transaction
    3. Change data.
    The answer for your question is a big Yes.
    The FF session (Login/Logout) report will still be sent even though the user hasn't performed anything. However, if the user executes any transactions, they will be captured by the transaction log.
    Change data is when any changes made to the configuration.
    Hope this clarifies.
    Regards,
    Raghu

  • Role based Firefighter approach in AC 10

    I am in the process of implementing "role based" FF (ID based approach not implemented as users are not comfortable to login to GRC system to execute the tcodes).  I have a query about it.
    If we maintain the role based FF logins and run the risk report, all the conflicts are still found associated with those FF IDs, as they have the conflicting role assigned to them in SU01. So is it OK to live with these conflicts found for the FF IDs? What will be the case during an audit: will they accept that these risks occurring for the FF IDs can be ignored?

    Hello,
    I think the best approach is to mitigate the risk as Alexander describes here:
    Why Role based Firefighter
    Cheers,
    Diego.

  • Firefighter doesnt start

    Hi guys,
    I need your help regarding firefighter aka SPM 5.3.
    I have just finished configuring the firefighter but the firefighter user doesn't pop up. When I try to log into the firefighter user with my assigned firefighter ID, enter a reason code and possible activities, and press "choose", nothing happens.
    The role that is assigned to my user is /VIRSA/Z_VFAT_FIREFIGHTER and I removed the RFC destination according to note 1143955.
    The configuration of SPM 5.3 looks like this:
    Send Firefighter Login Notification Immediately     YES
    Assign FF Roles Instead of FF IDs                     NO
    Remote Function Call                                                     M03
    Any help for solving this issue is greatly appreciated.
    Thanx,
    Max

    I solved this problem by myself ... the firefighter user was defined as a system user and I changed it to Dialogue user!
    CU
    Max

  • GRC Launch Pad gives "UME User Login Error! "

    All the links for RAR/RE/AE/Firefighter works, but when I go to launchpad, it gives me error " UME User Login Error! ". below the screen.  Does anybody know how to resolve this?

    That same error will also hit you in RAR if you don't have the users language maintained.
    Web Dynpro apps like LaunchPad and RAR or SPM rely on the UME information to determine the application language (this also affects which language risk descriptions etc. are shown in / can be maintained in).
    Frank.

  • Issue with FireFighter Id Notification

    Dears,
    We are using GRC AC 5.3 connected with ECC6 as backend system.
    The issue is that when a user logs in with a Firefighter ID and then some other user logs in with the same Firefighter ID,
    a message should come:
    "User Is also interested in using this FirefigherId,Please notify when you are done."
    But it is not appearing. Please suggest the steps to do it.
    Shivam

    Hi guys,
    I have the same problem, implementing SPM 5.3 SP4 FF-ID based.
    When the user who'd like to use the FF ID used by another firefighter, sends a message to him, by clicking on the 'Message' button, the message appears, however the user who is using the FF ID at that time does not get any system message that another user would like to use the same FFID.
    Any ideas what went wrong?
    Thanks for your help,
    Mira

  • FF Login Issue

    Hi Gurus,
    Need Help....
    I have created a service FF ID and assigned it to a dialog ID in VFAT, and I have assigned an FF role to the dialog ID.
    Now I have logged in using the dialog ID, and in VFAT when I try to log in I get the message
    Invalid Password maintained for Firefight ID
    Please help me...
    and also please explain how the mails will be generated to Controllers and ID Owners...
    Thanks in advance

    Hello,
    The FF ID created as a service ID has an assigned password defined for it in SAP; you will need to define the same password in the FF Dashboard Security Tab in order for the ID to function.
    The Configuration tab has settings that indicate when emails will be sent identifying "login" (e.g Send Firefighter Login Notification; Send Firefighter Login Notification Immediately); you can also define the settings for the Log Reports here
    The Controller tab Usage Flag should be set to email - this will send email notifications to the email assigned to the defined Controller
    Hope this helps
    Jerry Synoga
    Ryerson, Inc.
    630-758-2021

  • Accessing Portal Using Firefighter ID

    Hi Guys,
    I am working as a Security admin.
    I have mapped the CRM user to the firefighter ID. The firefighter ID has the portal roles. The CRM user doesn't have any portal roles.
    Fire Fighter version is 5.2
    My question:
    Can the CRM user enter into the portal using the fire fighter ID and use all the roles fire fighter id has?
    If he can enter can he use the FIre fighter ID and Password as the login id and password?

    Hi Frank,
    Thanks for the response
    We will set an initial password for the firefighter ID. Can't we use that for logging into the portal?
    "The only way to do that would be to spawn a web UI from an ABAP session with SSO somehow..."
    You mean that when we log into the portal from ABAP then we can use the firefighter ID, right? That's possible in XI.
    Is that the same in the CRM portal? Can we log into the CRM portal using an ABAP transaction?
    Please answer

  • Firefighter unable to log in

    Hi Guys,
    We are on GRC 5.3 SP 6.
    When I try to execute the FF transaction I get a message saying "Destination TMSSUP VA8.DOMAIN_GRC is not defined as trusted RFC". After creating a trusted RFC with the above name I was able to execute
    the Firefighter transaction, but I was still unable to log into the system using the FF ID.
    Anybody has any guess
    Parveen

    Hi Parveen,
    Please let me know when you execute /n/virsa/vfat tcode what do you see?
    Are you able to see the below buttons?
    Owner,Firefighter,Controllers,Security,Reason Code,Configuration,Critical Tcodes
    If you can see the above buttons then configure those with appropriate data.
    First of all fill up the Configuration tab like this-
    Retrieve Change Log     YES
    Critical Transaction Table from Compliance Calibrator(VRAT)     NO
    Firefighter Owner Additional Authorization     YES
    Configuration Change Comment Mandatory     YES
    Firefighter Controller Additional Authorization     YES
    Send Log Report with Critical Transactions Only     YES
    Send Log Report Execution Notification Immediately     YES
    Send Log Report Execution Notification     YES
    Send Firefighter Login Notification Immediately     YES
    Assign FF Roles Instead of FF IDs     NO
    Send FirefightId Login Notification     YES
    Remote Function Call     FF_RFC (This is the RFC name which is created for it's own system)
    Connector Id for Risk Analysis     SID of the system
    Then you can configure the other buttons by referring to the SAP documentation.
    Else let me know for any help.
    Thanks,
    Sudip.

  • 5.3 Firefighter Security Table "New" Comments Field

    Since upgrading from 5.2 to 5.3, I noticed that there are new "comments" and sometimes "description" fields throughout the different FF tables. I decided to test entering data in these fields. After doing so in the "comments" area of the "Security" section of Firefighter, I noticed that the encrypted FF password changed to something else (which was also encrypted). I tried to invoke the ID where the password had changed and sure enough I received an error that the password was incorrect. I changed the password back to what it was supposed to be and it appeared to look just like the other encrypted fields (back to normal). However, now when I use the ID, a message stating that the ID does not exist appears.
    Why did entering data in the "comments" field change the password?  Why do I now get a message that the ID doesn't exist after setting the correct password back up? Has anyone else seen this and is there a fix?
    Greg
    After entering this message, IE gave an error message "Mismatched address - The security certificate presented to you by this website was issued for a different websites address. This problem may indicate an attempt to fool you or intercept any data that you send to the server".  That's why there are three messages for the same posting.
    Edited by: Gregory Cook on Oct 8, 2009 2:58 PM

    There is a problem with the site at the moment, the other 2 copies are deleted. The system automatically sends a nasty mail, don't take it personally
    Back to the real question...
    The reason for this is that the approach to managing the password has changed, but it appears that some misleading error messages are still in the coding.
    The password is no longer set once and decrypted to modify the RFC connection on the fly, but rather at each successful request a new password is generated (albeit using a wrong legacy function module) and used "on the fly" via BAPI_USER_CHANGE and the RFC connection as well.
    This makes it look as if the "Comments" field which is immediately before this generation is changing the password hash... but it's not.
    This prevents the problem of the admin knowing the password - as you have also stated - and the algorithm being reversed (which is generally possible when using two way encryption / decryption functions, as opposed to one-way-hashes on the server side which are more secure).
    The catch is that you now need to set the user's password at each request after successfully generating the password. This procedure in BAPI_USER_CHANGE checks activity '05' of object S_USER_GRP for the FF user's group assignment. If you do not have this authorization yourself, the "on the fly" logon presents a new password to the RFC login screen (the check is remotely disabled so nothing can go wrong...) but the SU01 password has not changed.
    The "fix" is to assign this S_USER_GRP authority very carefully and ensure that the requesting user preferably does not have direct access to SU01, SU01_NAV and BAPI_USER_CHANGE themselves. Also make sure that they do not have authority for the debugger (object S_DEVELOP, even in display mode).
    Cheers,
    Julius
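
An added example, not part of the original thread and not SAP or GRC code: one way to audit the assignment described in the reply above, by listing every user who holds S_USER_GRP activity 05 for the Firefighter user group and flagging those who also hold SU01, SU01_NAV or any S_DEVELOP authorization. The row layout, user names, authorization names and the group name FFGROUP are constructed assumptions; only `*` wildcards are evaluated (no value ranges), and reachability of BAPI_USER_CHANGE is not modelled.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample rows: (user, object, authorization, field, granted value).
# User names, authorization names and the FF user group "FFGROUP" are made up.
SAMPLE_ROWS = [
    ("REQ_ALICE", "S_USER_GRP", "A1", "ACTVT", "05"),
    ("REQ_ALICE", "S_USER_GRP", "A1", "CLASS", "FFGROUP"),
    ("REQ_BOB", "S_USER_GRP", "B1", "ACTVT", "*"),
    ("REQ_BOB", "S_USER_GRP", "B1", "CLASS", "FF*"),
    ("REQ_BOB", "S_TCODE", "B2", "TCD", "SU01"),
    ("REQ_CAROL", "S_USER_GRP", "C1", "ACTVT", "05"),
    ("REQ_CAROL", "S_USER_GRP", "C1", "CLASS", "FFGROUP"),
    ("REQ_CAROL", "S_DEVELOP", "C2", "ACTVT", "03"),
    # Dave has 05 and FFGROUP, but in different authorizations: no match.
    ("REQ_DAVE", "S_USER_GRP", "D1", "ACTVT", "03"),
    ("REQ_DAVE", "S_USER_GRP", "D1", "CLASS", "FFGROUP"),
    ("REQ_DAVE", "S_USER_GRP", "D2", "ACTVT", "05"),
    ("REQ_DAVE", "S_USER_GRP", "D2", "CLASS", "OTHER"),
    ("REQ_DAVE", "S_TCODE", "D3", "TCD", "SU*"),
]


def audit_ff_password_setters(rows, ff_group):
    """Map each user who may change FF passwords to the extra access they hold."""
    # auths[user][(object, authorization)][field] -> set of granted values
    auths = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for user, obj, auth, field, value in rows:
        auths[user][(obj, auth)][field].add(value)

    def has(user, obj, **needed):
        # All needed fields must be satisfied inside ONE authorization.
        for (o, _), fields in auths[user].items():
            if o == obj and all(
                any(fnmatchcase(want, granted) for granted in fields.get(f, ()))
                for f, want in needed.items()
            ):
                return True
        return False

    report = {}
    for user in sorted(auths):
        if not has(user, "S_USER_GRP", ACTVT="05", CLASS=ff_group):
            continue  # cannot set the FF ID's password at all
        extras = [t for t in ("SU01", "SU01_NAV") if has(user, "S_TCODE", TCD=t)]
        if has(user, "S_DEVELOP"):  # any activity counts, display included
            extras.append("S_DEVELOP")
        report[user] = extras
    return report


if __name__ == "__main__":
    for user, extras in audit_ff_password_setters(SAMPLE_ROWS, "FFGROUP").items():
        print(user, "OK" if not extras else "REVIEW: " + ", ".join(extras))
```

Users mapped to an empty list hold only the password-change authority; any other entry names the additional access that the reply advises against combining with it.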
