Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
cancel
Showing results for 
Search instead for 
Did you mean: 
Mate
Product and Topic Expert
Product and Topic Expert
7,066

With the release of Service Pack 21, the Firefighter Logon Pad (transaction GRAC_EAM or /GRCPI/GRIA_EAM) slightly changed. Not just visually, but functionally as well. Among some restructuring, a new button is introduced labeled as Logoff. This button do what the label suggest; logoff and ends the Firefighter Session. But how it provide the possibility to use a Firefighter differently than we used to it and why a new button required if the logoff functionality was existed before?

To further examine this question first lets check how the logoff was actually determined earlier. Before SP 21, the Firefighter Session and the Firefighter ID User Session was more or less similar in timespan. When we clicked on the Logon button in the Firefighter Logon Pad, we initiated a Firefighter Session and also initiated a User Session in the backend; GUI session opened where the user was the Firefighter ID (this is the Firefighter ID User Session). After we finished what we would like to do we just simply logged out from the system or closed all the GUI windows. This process ended the Firefighter ID User Session and by refreshing the Firefighter Logon Pad or running the Firefighter Log Synch job then it also closed the Firefighter Session as well.

 

Firefighter Session vs. Firefighter ID User Session until SP 21


The main problem with this process that the Firefighter User has no control over the Firefighter Session. It ends when particular processes detects that there is no Firefighter ID User Session, and it is also ends when the User Session prematurely finish (like the idle session is force logged out due to the timeout). The determination of the actual logoff timestamp is also unreliable. If you ever checked GRACFFLOG table and wonder why is the logoff time of a Firefighter Session shows even a different day then the actual end of the (User) session happened, then you get your answer above.

The major change what SP 21 introduce is the separation of the Firefighter Session from the Firefighter ID User Session. This also led to the introduction of the Logoff functionality. The Logon and the Logoff button now controls the Firefighter Session itself. The Firefighter ID User Sessions are controlled by the same process as before. We can use the Logon button to initiate it and logout from the backend system or close the GUI windows. If there is an open Firefighter Session then we would be able to initiate as many Firefighter ID User Session as we want. All will belong to the same Firefighter Session until using the Logoff button we not ends the session. This change also allow some  extended security enhancements. From SP 21 the Firefighter ID will be locked when it has no open Firefighter Session.

 

Firefighter Session vs. Firefighter ID User Session after SP 21


There are many benefit of this changes. We can now mix ABAP and Web Based Firefighter sessions. We can simply logon to an ABAP based session, do the actions we would like to do, then ends the User Session without Logging off in the Logon Pad. Then we can initiate a Web Based Session using SAPGUI from HTML in the same Firefighter Session and finally logging off from the Session will ensure that these action will be in the same Firefighter Log Report Review. If we forget to do some actions which we already documented and we are still not logged off from the Firefighter Session we can easily logs in again to the backend system and just do what we forget earlier. And these are just the tip of the iceberg which simplify our lives as a Firefighter User.

GRC administrators can now have a better control over the Firefighter Sessions as well. To control sessions a new schedulable report is introduced. If we would like to implement Firefighter Session time out functionality, we can schedule report GRAC_SPM_MAINTENANCE. There are no restriction or suggestion to the frequency of the job. It depends on what 'lag' can we accept. If we schedule it for every 5 minutes then the actual logoff time will have a maximum of +5 minutes difference comparing to what we like. If we schedule this for execute in every minute then it is just a +1 minute. We can add a specific connector to this report, we can also provide a timeout value (in seconds) and we can set whether the same report should be run in the backend system (if decentralized Firefighting is activated - SPRO parameter 4015 set to YES). All of the fields are optional. If we do not provide any connector, then all sessions in all SUPMG connectors will be checked. If we do not provide any timeout parameter, then the report retrieves system parameter

rdisp/gui_auto_logout to determine the auto logout time. If nor configured value exists or the auto logout parameter can not be determined then 3600 seconds will be used as a default. The report will force log off all session which are idle longer than the timeout parameter. If we have enabled decentralized Firefighting, and selected the checkbox to run this report in the backend, then it will also do the same process in the backend system as well. If we would like to schedule the job separately for each and every backend system we should check and schedule report /GRCPI/GRIA_SPM_MAINTENANCE in the plugin system. Administrators also have the option to Force Logoff a session using GRAC_FFSESSION report. Using this report we can also restore more or less the same behavior as it was in prior to SP 21. If we set the timeout parameter to be a couple of seconds and schedule the maintenance report to run frequently then soon after the Firefighter ID User Session ends the Firefighter Session will be closed without the action of the Firefighter User.

To implement this feature SAP suggest to upgrade to at least SP 21 or later. If Decentralized Firefighting is used then GRCPINW is also need to be upgraded to SP 21 or later.

The correction released with Note 3318926 (GRCFND_A) and Note 3318927 (GRCPINW) for downport compatibility reasons. The functionality can also enabled with the implementation of these Notes.

SAP suggest to implement the following Notes if this functionality is already enabled:

For the main GRC system (GRFCND_A): 3325810, 3326827, 3327244, 3331180, 3345080, 3373799, 3390330, 3392984, 3399276, 3399562, 3403928, 3408121, 3423833.

For the plugin systems (GRCPINW):
V1200_750: 3329793, 3345080, 3358540, 3364469, 3364505, 3371499, 3373799, 3374840, 3390330, 3394118, 3397452, 3399562, 3405656, 3408121
V1100_731: 3329793, 3345080, 3358540, 3364469, 3364505, 3371499, 3372518, 3373538, 3373799, 3374840, 3375439, 3390330, 3394118, 3397452, 3399562, 3405656, 3408121.

(Note list last updated: 7th March 2024)

7 Comments
rporanki
Explorer
0 Kudos

Unfortunately from what I am hearing from my SAP Security team, this new functionality is causing several side effects in our SAP solution landscape where IT teams use FF id to get privileged access to troubleshoot production issues

1) With SP21, FFids in the backend systems remained locked and only get unlocked when FF user initates a sesson using GRAC_EAM --> This impacts FF ids where it needs use to TRUSTED RFC connections to communicate with other backend systems as their FF is locked in that system. Example, FF user logons to CRM but can do certain functions that communicate with ECC as FF is locked in backend ECC.

2) Any queue entries (SMQ1/SMQ2) that were a result of FF id also get stuck as the FF ID gets locked and queue gets backend up.

So far no resolution from SAP Support on the issue.

 

 

Mate
Product and Topic Expert
Product and Topic Expert
0 Kudos

Dear Rporanki,

based on your comment, you are using the Firefighter for background activity, or other activity which is used for background/asynchron processing. This was never supported and should not be used with Firefighter ID. EAM functionality was never designed to be used for asynchron processing or any other action where can be produce logs outside of the actual Firefighter Session timespan.

Best regards,
Mate

rporanki
Explorer
0 Kudos

Sorry, I wouldn't consider that as a scenario that includes submitting background jobs using FF id. We are referring to TRUSTED RFC connections between SAP systems and also other scenarios where IT folks have to run business transaction to fix issues for business users using privileged accounts that generates queues for inbound/outbound communication with other SAP applications in the landscape and with FF id getting locked upon exit it impacts queues that are backed up or not current.

Mate
Product and Topic Expert
Product and Topic Expert
0 Kudos

Dear Rporanki,

background jobs are one background processing which is not supported, however I don't speak about jobs itself. Just purely using Trusted RFC has no such known side effects. Trusted RFC is allow you to logon to a backend system without a password. If you are using applications which initialize Background RFC (bgRFC) then you can face an issue what you describe, however bgRFC is background processing which is not supported with Firefighter. 

I suggest to check the newly released enhancement (Note 3435355/3435356) which allows you to disable the locking mechanism, however using background processing might produce logs outside of the Firefighter Session which can be a compliance issue. SAP can not take any responsibility for using the Firefighter functionality for this purpose.

Best regards, 
Mate

 

rporanki
Explorer
0 Kudos

Mate, Appreciate SAP releasing a new note to address the issues and bring back old functionality. On our Incident with SAP Support, we were recommended to apply 3392591.  Just want to clarify why it impacted Trusted RFC connections. With FFid keeping locked in the target system, It did impact trusted rfcs as the account is locked on the RFC target system, so one has to initiate EAM sessions to get FF unlocked before they can use a tcode (/SCWM/MON) for instance in EWM which gives ability to look at SLG1 logs in ECC using trusted rfc. This is all SAP standard functionality that gives ability to drill down to application logs.

Just not in EAM space, we had lot of issues with SP21 and SP22 that impacted UAR as well and SAP Dev support had to release several fixes in the last 2 weeks to correct those.

Appreciate you getting back to us. If there is a forum SAP GRC Product Team runs or facilitates a monthly call that would be beneficial for customers to join and talk through some of the issues/pain points.

 

 

 

jason_benghiat2
Explorer
0 Kudos

Mate, thanks for creating this blog. After upgrading to FNDA SP21 on the central GRC system we are seeing issues with FF session windows not opening on the satellite system when pressing the logon button in /grcpi/gria_eam in decentralized FF model and observed this behavior when attempting to launch the FF session. 

  1. FFxxxxx user was unlocked in the satellite system (decentralized)
  2. first attempt got "max user sessions" error in SAP GUI, FF session window not opened
  3. clicked logoff in /grcpi/gria_eam
  4. FFxxxxx user now locked
  5. second attempt no session window opened
  6. FFxxxxx remains locked

    SAP support has asked to check the RFC to ensure the system information and RFC destinations match and they do. Still problem is occurring. Has anyone else ran into something similar? 

Mate
Product and Topic Expert
Product and Topic Expert
0 Kudos

Dear Jason,

I suspect some missing authorization (in decentralized environment you need to check both the RFC and the Firefighter User as well, as some authorization need to be assigned directly to the Firefighter User). If you get Unknown Error during logon then after you have Note 3443975 in your system you can check SLG for the exact error message. Can you share the Case number?

Best Regards, Mate