Sshd authorization critical

Hi Everyone,
We're having a problem with ssh on a Solaris 9 SFv240 machine. We cannot establish a connection from a remote Windows station.
The logs from /var/adm/messages are below.
Logs are truncated for security reasons.
/var/adm/messages
Apr 23 12:25:06 hostname sshd[442]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.49.135.82
Apr 23 13:51:25 hostname sshd[462]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 14:10:28 hostname sshd[465]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 14:27:14 hostname sshd[471]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.48.61.32
Apr 23 17:12:32 hostname sshd[485]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 22:13:28 hostname sshd[542]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 22:13:50 hostname sshd[545]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:14:11 hostname sshd[548]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:14:32 hostname sshd[551]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:14:53 hostname sshd[554]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:15:32 hostname sshd[557]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:15:54 hostname sshd[560]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Here are some troubleshooting (first aid) steps we performed.
1. We're trying to access the machine in a remote station using SSH Tectia. The ping is successful but the ssh cannot establish a connection.
3. The process of ssh is there using ps command.
4. We tried to stop and start the ssh process but still it is not working.
5. We tried to connect in its console using "ssh -vv user@localhost", and it behaves normally. It can establish a connection. However, when we connect to remote station it cannot, and displays the error above "auth.crit" Write failed: Broken pipe and Read from socket failed.
6. We also rebooted the machine, hoping ssh would work.
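
An added example, not part of the original post: a small Python triage script that groups the sshd auth.crit fatal lines quoted above by failure type and flags tight runs of the same failure. The category names, the 60-second gap, the minimum run length and the placeholder year are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# The twelve lines quoted in the post (hostname already redacted by the poster).
SAMPLE_LOG = """\
Apr 23 12:25:06 hostname sshd[442]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.49.135.82
Apr 23 13:51:25 hostname sshd[462]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 14:10:28 hostname sshd[465]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 14:27:14 hostname sshd[471]: [ID 800047 auth.crit] fatal: Timeout before authentication for 10.48.61.32
Apr 23 17:12:32 hostname sshd[485]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 22:13:28 hostname sshd[542]: [ID 800047 auth.crit] fatal: Write failed: Broken pipe
Apr 23 22:13:50 hostname sshd[545]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:14:11 hostname sshd[548]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:14:32 hostname sshd[551]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:14:53 hostname sshd[554]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:15:32 hostname sshd[557]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
Apr 23 22:15:54 hostname sshd[560]: [ID 800047 auth.crit] fatal: Read from socket failed: Connection reset by peer
"""

ASSUMED_YEAR = 2000  # syslog timestamps carry no year; placeholder used for parsing only

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"\[ID \d+ auth\.crit\] fatal: (?P<msg>.+)$"
)

# Category labels are this example's own names, not sshd terminology.
# Only the timeout message names the peer; the other two must be correlated
# with network-side data (firewall or client logs) to find the source.
CATEGORIES = (
    ("pre_auth_timeout", re.compile(r"Timeout before authentication for (?P<peer>\S+)")),
    ("write_broken_pipe", re.compile(r"Write failed: Broken pipe")),
    ("read_reset_by_peer", re.compile(r"Read from socket failed: Connection reset by peer")),
)


def parse_events(text):
    """Turn sshd auth.crit fatal lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        category, peer = "other", None
        for name, pattern in CATEGORIES:
            hit = pattern.fullmatch(m["msg"])
            if hit:
                category, peer = name, hit.groupdict().get("peer")
                break
        events.append({"time": when, "pid": int(m["pid"]),
                       "category": category, "peer": peer})
    return events


def count_by_category(events):
    """Number of fatal events per failure type."""
    return Counter(e["category"] for e in events)


def peers_named(events):
    """Client addresses that sshd itself recorded (pre-auth timeouts only)."""
    return sorted({e["peer"] for e in events if e["peer"]})


def find_bursts(events, category, max_gap=timedelta(seconds=60), min_count=3):
    """Return (start, end, count) for runs of one category with gaps <= max_gap."""
    times = sorted(e["time"] for e in events if e["category"] == category)
    bursts, run = [], []
    for t in times:
        if run and t - run[-1] > max_gap:
            if len(run) >= min_count:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= min_count:
        bursts.append((run[0], run[-1], len(run)))
    return bursts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for cat, n in count_by_category(evts).most_common():
        print(f"{cat:20s} {n}")
    print("peers recorded by sshd:", ", ".join(peers_named(evts)))
    for start, end, n in find_bursts(evts, "read_reset_by_peer"):
        print(f"burst of {n} resets from {start:%H:%M:%S} to {end:%H:%M:%S}")
```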

Kiruba,
The below link from SAP Help should get you more insights into the report outputs and the advantages/uses of this feature.
http://help.sap.com/saphelp_nw04/helpdata/en/f9/558f40f3b19920e10000000a1550b0/content.htm
FYI - The difference between RSUSR008, RSUSR009 and RSUSR008_009_NEW is also explained which is informative.
Rgds,
Sri

Similar Messages

  • ISE Fail OPEN configuration/testing

    Greetings,
    We will be performing a live test of ISE Fail Open on our production system tomorrow night. When the policy nodes are all unavailable we want the switches to allow open access to all devices on all interfaces.
    I have done some testing of this on an individual test switch by routing packets to the ISE policy nodes to null 0 to emulate a failure. It appears to be working well, but was hoping for more input from the community before my Live test tomorrow night.
    First, I believe these to be the only commands needed to make this work correctly. Does anyone have any comment on this configuration? Am I missing anything? Do these timers seem OK? I'm wondering if the deadtime should be greater in case the nodes or the network connection are flapping?
    Global Config:
    radius-server dead-criteria time 5 tries 3
    radius-server deadtime 5
    dot1x critical eapol
    Interface Config:
    authentication event server dead action reinitialize vlan <normal data vlan>
    authentication event server dead action authorize voice
    authentication event server alive action reinitialize
    Next, this is the behavior I am seeing after the policy nodes go down. Is this as it should be?
    1. Absolutely nothing happens until an interface undergoes (re)authentication. All ports remain in current authentication/authorization state.
    2. If an interface undergoes (re)authentication, the switch tries to reach one of the configured policy nodes. After 5 seconds there is a message the first node is dead. In another 5 seconds there is a message that the second node is dead.
    3. After another ~20 seconds, the interface that was attempting (re)authentication goes into Critical Authorization:
    TEST#sh auth sess int f1
                Interface:  FastEthernet1
              MAC Address:  1234.5678.90ab
               IP Address:  Unknown
                User-Name:  UserName
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  in
            Authorized By:  Critical Auth
              Vlan Policy:  2
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A010B0000013D093F17CC
          Acct Session ID:  0x0000072B
                   Handle:  0x5A00013E
    Runnable methods list:
           Method   State
           dot1x    Authc Failed
           mab      Not run
    Critical Authorization is in effect for domain(s) DATA
    TEST#
    All other interfaces remain in current mode, nothing on them changes so long as they don't attempt to (re)authenticate.
    4. If another interface attempts to (re)authenticate, it goes into critical state immediately w/o trying to contact the dead policy nodes.
    5. The switch will try every so often (every 5 minutes?) to reach the policy nodes. If one of them is up, all interfaces that were in critical state immediately transition to normal authc/authz modes. Normal timers apply, dot1x endpoints come up almost immediately, mab clients lose connectivity until dot1x times out.
    To emulate a global fail for the organization, I plan to stop the ISE services on both of my policy nodes.
    Thanks for any comments/insights/input.

    We appreciate the detailed scenario description, the question itself was very informative.
    I used
    authentication event server dead action authorize
                                           critical VLAN=accessVLAN
    instead of
    authentication event server dead action reinitialize vlan

  • NAS/NAM fail open/fail close modes

    I need a quick small help, it's not documented any place so I need a clarification.
    I need this in terms of authentication through AD
    1. If my NAS goes down/unreachable what will happen? But NAM is up?
    2. If my NAM goes down/unreachable and NAS is up what will happen?
    3. If both NAS and NAM are both down?
    If you can help me out on this point. I can't find any configuration guide stating fail open or fail closed modes of NAM and NAS

  • Import rules from an excel-file to RSUSR008_009_NEW-tabels

    Hi
    I have created a ruleset based on the structure of RSUSR008_009_NEW in Excel:
    Variants for Critical Authorizations, Critical Authorization, Authorization Data, Authorization ID, color, .., Group, Object, Fieldname, ...
    Is there any way to import my ruleset into the tables of this application or do I have to type all?
    I appreciate any idea.
    thank you
    Pourang

    The following file interface might be enough:
    Critical Authorization
    -AUTH_ID     
    -XUTEXT     
    -AUTH_COLOR     
    Authorization Data
    -CR_AUTH     
    -XUOBJECT     
    -XUFIELD     
    -XUVAL     
    -XUVAL     
    -XANDOR     
    -XUTEXT
    Putting the Critical Authorizations into Variants might be done manually.

  • Check Critical Authorization

    Hi folks
    anyone who can let me know if there is any way to check which users have critical authorizations. SAP Security Audit will be conducted in our organization in a few days and I'm stuck badly
    thanks in advance

    you have the option to use standard variant for critical authorization and you can also maintain combinations to get the list with complex criteria

  • Is S_RFCACL a critical Authorization Object ?

    Hi All,
    As we know that S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)) is required for having access to the trusted systems.
    In most of our roles for this authorization Object we have maintained the * value for the following fields:-
    RFC_SYSID
    RFC_TCODE
    This has been made as an observation by the auditors as having this critical access with the users.
    But my question is how can it be the critical access when the user should have id's in both the systems(trusted and trusting) to login to the called system.
    Also even if the user logs into the called system he will only be able to execute the list activities/t-codes that he is authorized to in that system, it will override the * value maintained in RFC_TCODE.
    What possibly could be the risk from this authorization object ?
    Regards,
    Parichay

    Parichay Jain wrote:
    In most of our roles for this authorization Object we have maintained the * value for the following fields:-
    RFC_SYSID
    RFC_TCODE
    This has been made as an observation by the auditors as having this critical access with the users.
    The object itself is certainly critical, but as you stated the trust itself has to have been setup at the system level for the authorization to be going anywhere.
    These two fields are in all honesty only irritating and you can successfully defend putting a * into them.
    RFC_SYSID values for a role means you unit test a role in DEV, integration test it in QAS and then use it live in PROD. Additionally the field RFC_INFO is actually the installation number and you can be fairly sure that will be the same in the landscape. So only adding the pairs of production system IDs means you cannot test the same roles, which is a bit silly.
    RFC_TCODE is even sillier. The generic RFCs for starting transactions (eg. ABAP4_CALL_TRANSACTION) check the transaction code themselves again and that is then user specific roles relating to their job functions. Restricting S_RFCACL additionally in a system role (eg. common role for all users) means that you must double-discriminate against all possible transactions which can be called via RFC and list them all there and maintain the list. But the check happens later again and the application authorizations in the transaction are generally checked as well. Waste of time.
    @ Alex: The RFC_EQUSER = Y field only means that if the calling and called user ID names are the same, then the field RFC_USER is not checked and therefore does not have to be maintained. But it is often misunderstood and the field RFC_USER gets a * value as well (which is where the real music is..) and the EQUSER setting has no further effect. Technically, it actually weakens the authority-check on the user field - which is correct because otherwise you have to maintain it and end up with personalized roles, which is most silly of all.
    So you can quite safely tell your auditor that Julius agrees with you and they are barking up the wrong tree..  :-)
    Cheers,
    Julius

  • Authorization to maintain critical combinations / authorizations

    It seems like there should be an easy answer to this, so pardon me if I've missed the obvious.
    I've been looking into transaction RSUSR008_009_NEW (List of users with critical combinations), but when I click either the "Critical Combinations" or "Critical Authorizations" buttons at the top, I get a "No Authorization" error.  What authorization do I need to maintain the critical combinations?
    Thanks in advance,
    Dan

    Thanks.. that was the first thing I did when I got the error, but the result was meaningless.  Having just tried it again though, the results were more useful.  Can't imagine what I did wrong last time.
    Anyway, the SU53 indicates I need t-code VCUSRVARCOM_DISP.. but I imagine there's more to it than that.  I found a few possibilities:
    SU_VCUSRVARCOM_CHAN - Maintain View Cluster VCUSRVARCOM
    SU_VCUSRVARCOM_DISP - Display View Cluster VCUSRVARCOM
    SU_VCUSRVAR_CHANGE - Maintain View Cluster VCUSRVAR
    SU_VCUSRVAR_DISP - Display View Cluster VCUSRVAR
    Bonus points to anyone who can produce a URL to some official information about this. 
    -Dan

  • Critical Problem with "Data Ownership Authorization"

    Dear Gurus,
    I am facing a problem with applying Data Ownership Authorizations and badly need your help.
    The scenario is as follows.
    For example "A" is a Product Manager sitting in Mumbai (Main Branch) and person "B" is a Sales Manager sitting in Bangalore (Sub Branch).
    In Mumbai there are say 5 product managers, now I am able to make DOA such that a particular product manager will be able to view only his sales opportunities and can edit, delete it. I have made it on the owner of the document basis by forming a team called "A" and made A a member of the team.
    Now person B sitting in Bangalore should be able to view sales opportunities with branch as Bangalore and not any other branch, but these opportunities can have any product manager (from Mumbai) as owner.
    Please tell me how I can do this in B1.
    Thanks in advance
    Regards,
    Ashish Tambe
    Edited by: Rui Pereira on Nov 7, 2008 1:49 PM
    Edited by: Rui Pereira on Dec 9, 2008 5:07 PM

    Hi,
    It is given on the link that for using DOA on Branch basis, the user and owner must be from the same branch, but this is not the case here.
    Owner is from HO and user is from branch office.
    Problem still persists sir.
    Edited by: Rui Pereira on Apr 28, 2009 12:17 PM

  • A critical error has occured. Processing of the service had to be terminate

    When manager wants to approve the employee leave request its giving following error.
    Critical Error
    A critical error has occured. Processing of the service had to be terminated. Unsaved data has been lost.
    Please contact your system administrator.
      Access via NULL object reference not possible., error key: RFC_ERROR_SYSTEM_FAILURE   
      Access via NULL object reference not possible., error key: RFC_ERROR_SYSTEM_FAILURE:com.sap.tc.webdynpro.modelimpl.dynamicrfc.WDDynamicRFCExecuteException: Access via NULL object reference not possible., error key: RFC_ERROR_SYSTEM_FAILURE
         at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:101)
         at com.sap.xss.hr.lea.form.FcForm.getCustomizing(FcForm.java:1020)
         at com.sap.xss.hr.lea.form.FcForm.onInit(FcForm.java:417)
         at com.sap.xss.hr.lea.form.wdp.InternalFcForm.onInit(InternalFcForm.java:2053)
         at com.sap.xss.hr.lea.form.FcFormInterface.onInit(FcFormInterface.java:184)
         at com.sap.xss.hr.lea.form.wdp.InternalFcFormInterface.onInit(InternalFcFormInterface.java:1911)
         at com.sap.xss.hr.lea.form.wdp.InternalFcFormInterface$External.onInit(InternalFcFormInterface.java:2007)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:922)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPM.attachComponentToUsage(FPMComponent.java:891)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent$FPMProxy.attachComponentToUsage(FPMComponent.java:1084)
         at com.sap.xss.hr.lea.worklist.VcWorkList.onInit(VcWorkList.java:267)
         at com.sap.xss.hr.lea.worklist.wdp.InternalVcWorkList.onInit(InternalVcWorkList.java:363)
         at com.sap.xss.hr.lea.worklist.VcWorkListInterface.onInit(VcWorkListInterface.java:164)
         at com.sap.xss.hr.lea.worklist.wdp.InternalVcWorkListInterface.onInit(InternalVcWorkListInterface.java:144)
         at com.sap.xss.hr.lea.worklist.wdp.InternalVcWorkListInterface$External.onInit(InternalVcWorkListInterface.java:220)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent.doProcessEvent(FPMComponent.java:564)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent.doEventLoop(FPMComponent.java:438)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent.wdDoInit(FPMComponent.java:196)
         at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdDoInit(InternalFPMComponent.java:110)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
         at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
         at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
         at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:756)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:291)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.sap.aii.proxy.framework.core.BaseProxyException: Access via 'NULL' object reference not possible., error key: RFC_ERROR_SYSTEM_FAILURE
         at com.sap.aii.proxy.framework.core.AbstractProxy.send$(AbstractProxy.java:150)
         at com.sap.xss.hr.lea.model.LeaveRequestAdaptiveModel.pt_Arq_Customizing_Get(LeaveRequestAdaptiveModel.java:392)
         at com.sap.xss.hr.lea.model.Pt_Arq_Customizing_Get_Input.doExecute(Pt_Arq_Customizing_Get_Input.java:137)
         at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCModelClassExecutable.execute(DynamicRFCModelClassExecutable.java:92)
         ... 47 more
       kindly help ASAP,

    Hi,
    Did you give enough authorizations to the user at the back end?
    Just Try giving SAP_ALL authorizations and check.
    Regards,
    Santhosh

  • Secured WebDAV Mounted Volume Authorization Issues

    I use a secure WebDAV mounted volume from myDisk.se and up until the latest Security Update have had zero issues being able to manipulate files and folders as I would on a normal volume. However, since the installation of the Security Update (2009-004 (PowerPC) 1.0) I find weird things happening with this mounted volume:
    1) I am able to mount the secured WebDAV share using my security credentials.
    2) I can create a default "untitled" folder but when I try to change its name, the WebDAV authorization dialog pops up and despite entering the same credentials (why, I am not sure as the volume has already been properly credentialed in order to be mounted), access is denied.
    3) Trying to create a file within a folder on the mounted WebDAV volume I previously created pre-update causes the same authorization issue.
    I have no other WebDAV shares I can try to mount from any other companies so I am not sure if this is a myDisk issue or one borne from the Security Update. I am not a .Mac/MobileMe user and that info is not filled out in System Preferences. The internal hard drive has been meticulously maintained with Disk and Permissions repair being run both before and after each and every software update installed. Likewise, the volume's structure is also checked both before and after and shows no need for repairs.
    Any ideas? Perhaps there is a corrupted file somewhere that's affecting the authorizations needed by this third-party WebDAV volume?
    The machine that has this problem is the last model iBook G4/1.33GHz 12" display, 1.5GB RAM, and a 100GB 5400rpm HD which replaced the stock OEM 40GB 4200rpm drive about one year ago.
    I'm not willing to do an Archive and Install at this point as the loss of the WebDAV access to my online volume is not critical. Inconvenient as heck but not to the point where I'm willing (or able) stop my normal work to spend the hours it will take to get WebDAV access back.
    Thanks in advance for any insights.

    same problem here with webdav, I can't mount my idisk from university network on Mac Pro 10.5.3 (although it mounts fine from home network on both ibook and PMG5 10.5.3). Everything was fine with 10.5.2 and I already re-installed 10.5.3 combo. Other bugs as well with .Mac prefs (keeps crashing, sometimes it shows the available space on idisk but still no mounting, with error -35 or -8086), but .Mac sync is OK
    Jun 11 12:34:21 webdavfs_agent[579]: mounting as authenticated user
    Jun 11 12:34:22 kernel[0]: webdav server: http://idisk.mac.com/[username]/: connection is dead
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 received VQ_DEAD event (32)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 type 'webdav', mounted on '/Volumes/[username]', from 'http://idisk.mac.com/[username]/', dead
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 found 1 filesystem(s) with problem(s)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:52: --- last message repeated 1 time ---

  • BI authorization objects not appearing in RAR, error while generating role

    Hi
    I am facing certain problems relating to integration of BI module version 7 with GRC Access Controls version 5.3 and support package 06. I am describing the problems in details below:
    (a)  In Risk Analysis and Remediation (RAR) component, I am creating Functions and
          Risks for Business Intelligence (BI) module. For that I have downloaded the
          descriptive text and authorization object data from BI development system and
          uploaded the same in RAR. Then I have created 2 Function Ids DBI1 (having action
          RSA1) and DBI2 (having actions RSA11, RSA12, RSA13, RSA14, RSA15) and 1
          Risk Id for BI (having Function Ids DBI1 and DBI2) in RAR. But when I checked
          the permission tabs of the Function Ids DBI1 and DBI2, I could not find any
          authorization objects for the actions in them.
    (b)  In Enterprise Role Management (ERM), when I am trying to create a Role TEST-BI
           in DBI 100 and I put the  BI transaction codes in authorization data , I get the
           authorization objects . Risk analysis is also being done successfully. But at the time
           of Role generation in background mode , it is giving an error message :
           Error generating role TEST-BI for system DBI 100: Unable to interpret * as a number.
           I am thus unable to generate any role in DBI 100.
    (c)  In Compliance User Provisioning (CUP), I have imported a standard role from DBI
          100. Then I have added Functional Area, Business Process, Subprocess  and
          Criticality Level to this role in CUP. But when I try to assign this Role to an user, it
           gives an error Error creating request. But requests are getting created and roles are
           being assigned to users in ECC development  systems using the same Initiator, CAD, stage
           and path.
    Can anyone please help me ?

  • Authorization Error while extracting data after applying SAP upgrade patch

    Hello All,
    Recently we have updated the SAP BW patch to 24 and ECC patch to 22. I have the access to perform extraction in RSA3 tcode in ECC.
    However, While performing the data load in BW, the process is failing at the Infopackage step with the following error:
    "You do not have authorization to extract from Datasource XXXX, Component FI-IO. Message no. R8073"
    My basis guy has given the necessary access.. but still the issue persists..
    Please provide solutions ASAP... its very critical issue...
    Regards
    Sneha

    Hi,
         Are you loading the data with your username? it may cause problem sometimes because you may not have the authorization object S_RO_OSOA assigned in your roles.
    Try scheduling the loading job with the background user with which normally the process chains are run.
    i guess this should solve your problem, if not try adding this authorization object to the corresponding role and you can run with your user name itself.
    I am not sure about the auth objt , try and see.
    regards,
    karthik.

  • How to restrict the authorization to change background configuration

    Hello, I copied some users from my admin user, which contains the sap_all profile, so these users can change the background configuration. Now I want to restrict the authorization so that they can only view the background configuration but cannot change it. How can I set this authorization? Can I change the sap_all profile? How do I set it?
    thanks.

    Hi,
    You can copy the SAP_ALL profile to a new name say Z_SAP_ALL and provide display access to all the authorization object and make sure you remove all the critical tcodes in the Z_SAP_ALL profile.
    Once you are done with testing the role assign it to the user.
    Also search the threads in the forum...
    Rakesh

  • ESS Leave request screen giving a critical Error in production server

    Friends,
    We are in a critical phase of ESS implementation.
    We are doing an ESS MSS implementation for country grouping 99.
    When we moved our changes to production server after successful testing in quality, we got the following Critical error for Leave Request Screen.
    java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
         at java.util.ArrayList.RangeCheck(ArrayList.java:512)
         at java.util.ArrayList.get(ArrayList.java:329)
         at com.sap.aii.proxy.framework.core.JcoBaseList.get(JcoBaseList.java:272)
         at com.sap.aii.proxy.framework.core.AbstractList.get(AbstractList.java:230)
         at com.sap.tc.webdynpro.modelimpl.dynamicrfc.DynamicRFCList.get(DynamicRFCList.java:281)
         at com.sap.tc.webdynpro.progmodel.context.Node$ModelElementList.getElement(Node.java:2543)
         at com.sap.tc.webdynpro.progmodel.context.Node.getElementAtInternal(Node.java:621)
    Other areas like personal Info & who is who are working fine.
    Leave request was working fine in Development and Quality servers and it never worked in Production server.
    It worked fine with same config, with same master data and same employee & org structure in quality server.
    We tried the following things:
    1. Checked and confirmed the sequence of transports for configs and Developments to Quality and Production.
    Even compared the table level entries and ABAP codings B/n dev and Production. All are same.
    2. Moved the workflow changes to production and activated the same. No change found after that.
    3. Gave SAP all authorization in R/3 and full authorization from portal side as well.
    4. Assigned the userid to different employees and checked the masterdata of employees.
    5. Checked the note 1388426. Everything mentioned in the note is there in the system.
    6. Verified Rule groups and WEBMO feature are correct and same as in quality.
    As our go live date is very near, request your help. Thanks in advance for your help.
    Regards,

    Customisation of Leave request is missing in your system, please check the rule group using PTARQ.

  • How to provide access to Critical Transactions in GRC AC 10.0

    Hello Gurus,
    We are in phase of implementing GRC AC 10.0 , and have a requirement where there are "Critical Transactions" identified by the Business and if there is any end user who wants to access any specific "Critical Transaction" e.g. PA30 etc then it must automatically go to a specific Owner of that transaction.
    As far as i know , we can have a workflow for getting a role assigned, but not sure if it is possible to have a workflow where every "critical transaction" will have an owner and then on selection of the transaction it will trigger a workflow.
    I would also like to know what is a standard or rather best practice in SAP GRC , regarding providing access to "CRITICAL Transactions" ??
    We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.
    Looking forward to know about the suggestion/solution for this issue.
    Thanks in advance.
    Regards,
    Victor

    Hello,
    Victor Ger wrote:
    > We thought of creating a role containing multiple "Critical transactions" and then assigning to the firefighter ID , for which we have an approval workflow !! But that does not help , as assigning the role will give user access to some other "critical transactions" as well which we would like to control.
    > Victor
    I think that only one firefighter with all the critical transactions is not a good idea. I guess it's better to have different firefighter IDs assigned to different users. The point here is to decide if you really want to have a trace for all critical transactions executions.
    An example:
    Tx. SM37 is considered a critical transaction if the user also has the auth. object S_BTCH_ADM set to "yes".  This allows deleting or copying other users' jobs. This is an authorization that a Basis person must have. Do you really want to trace this?
    I think that forcing a Basis person to use a firefighter for this is nonsense, because this tx. is part of his/her job. Then, you should accept this sort of risk, otherwise you'll get to the point where you replace the normal users with FF users. This is not the idea of FF.
    Of course, this is just a thought and all depends on your business requirements.
    Cheers,
    Diego.
