SAP Access Control 12.0 SP21 changed how a Firefighter session is managed. Instead of session state being inferred loosely, the platform now controls the Firefighter session itself (its logon, its lock, its logoff and its logging) through a defined lifecycle. Two notes carry that change: 3318926 on the central GRCFND_A system, and 3318927 on the GRCPINW plugin.
If you run decentralized Firefighting (/GRCPI/GRIA_EAM) on a GRCPINW V1100 plugin against a central GRC system, this change is not a one-note affair. Note 3318927 lists its prerequisites, but depending on the exact plugin, kernel and Support Package state of each system, a series of follow-on issues still appear: IDs that stay locked, a logon button that does nothing, sessions that will not close, missing entries in the logs, and short dumps. This article maps each symptom to the note that fixes it, based on our field experience rolling out the SP21 session lifecycle on V1100 landscapes.
What the SP21 session change actually does
Before SP21, the Firefighter logon pad managed sessions in a way that did not cleanly own the full lifecycle. SP21 reworks this so the session itself is the controlled object: it is created on logon, tracked while active, released on logoff, and its activity is captured for the log and review.
Both notes are required whether you run Firefighting centrally or decentrally: 3318926 on the central GRCFND_A component and 3318927 on the GRCPINW plugin, which sits on every managed system in either mode. The two sides must agree: if the plugin is on the SP21 lifecycle but the central system is not, or the reverse, session state drifts and the symptoms below start to appear.
What actually changes between the two modes is one authority check. The SP21 session logic runs an S_USER_GRP check on the identity behind the session: in decentralized Firefighting it is checked against the Firefighter user ID (the user logs on directly with the FFID on the plugin system), and in centralized Firefighting it is checked against the RFC system user the central GRC system uses to reach the plugin. Whichever identity applies has to be authorized for that user group, or the session check fails.
Common precondition. The corrections in this article are only effective on Access Control 12.0 SP21 or higher, or where Notes 3318926 and 3318927 are intentionally implemented. On a lower Support Package with neither note in place, these corrections must not be applied. In both operating modes, apply the relevant notes to both the central GRC system and every plugin system so session state stays consistent across them.
Why V1100 is different from V1200
This is the part that catches teams out.
- On GRCPINW V1200, the SP21 session-management functionality is delivered as part of the support package. You get it by being on the corresponding SP level, there is little discrete note work.
- On GRCPINW V1100 (for example
V1100_700orV1100_731), the same functional change arrives as a discrete correction, Note 3318927, that you implement as part of the SP upgrade. Each correction then has to line up with the exact plugin, kernel and SP state of that system.
The practical consequence: V1100 landscapes carry more manual note work and are more exposed to the follow-on issues below. Note 3318927 documents prerequisites, but "prerequisites satisfied" does not mean "problem-free." The list of corrections that follows is what we typically end up implementing to bring a V1100 decentralized Firefighter setup back to a clean state after SP21.
Get the precondition right first
Two checks save the most time:
- Confirm Note 3318927 is fully implemented on the plugin. A partial or incompletely activated 3318927 is itself a cause of the "logon button does nothing" symptom below. Verify it before chasing anything else.
- Confirm both sides are aligned: 3318926 on central
GRCFND_A, 3318927 on everyGRCPINWplugin. Firefighting only behaves when the two systems share the same session lifecycle, in centralized and decentralized mode alike.
Once those are confirmed, work through the symptom groups below.
The follow-on issues, and the note that fixes each
RFC connector not resolved on decentralized logon, 3394118, 3397452
Symptom. The decentralized logon pad takes the RFC connector from the Firefighter object instead of the SM59 connection named in SPRO parameter 1000. When the two names differ, the session cannot be initialized and does not open; the pad may also throw an exception during logon because the Firefighter-object connector is used to request client and trusted-connection information instead of parameter 1000.
Fix.
- Note 3394118: makes SPRO parameter 1000 determine the RFC connector on the decentralized logon pad.
- Note 3397452 (prerequisite: 3394118), stops the exception when the Firefighter ID uses a connector name different from parameter 1000.
Implement both, or the equivalent Support Package.
Firefighter ID locked (red) although nobody is using it, 3408121
Symptom. Firefighter IDs appear locked (red) even when unused, typically after changing FFID assignments through the NWBC administrative pages. The SP21 lock relied on the Last Logon Timestamp field, which the assignment change also updates, leaving the lock in an inconsistent state.
Fix. Note 3408121, applied on the central GRC system and all plugin systems. The correction stops using the timestamp for locking, adds a dedicated lock table, and lets you see which user actually holds an FFID whether the session was started on the central or the decentralized pad.
Logon button does not switch to the Firefighter session window
Symptom. After the logon form is submitted, no Firefighter ID session window opens and the FFID may turn red.
What to check, three things:
- The connector / SPRO parameter 1000 mismatch from the RFC section above (Notes 3394118 and 3397452).
- An incompletely implemented Note 3318927, which is the precondition for the whole SP21 session lifecycle.
- The
S_USER_GRPauthorization on the checked identity: the Firefighter ID in decentralized mode, the RFC system user in centralized mode. If its user group is not authorized, the SP21 session check refuses the session.
Confirm these before looking further. If transactions from consecutive sessions are also missing from the log, see 3282253 below, but note that 3282253 fixes the logging gap, it does not open a session window that fails to appear.
Logoff does not close the session; FFID stays locked, 3408121, 3461621, 3459906
Symptom. After Logoff the Firefighter session is not released and the FFID can remain locked (red).
Fix.
- Note 3408121: the SP21 locking inconsistency is why an ID is not released and stays locked after a session ends (same correction as the locking section above; apply on central and all plugins).
- Note 3461621: covers logon pad refresh behaviour and the Terms and Conditions button.
- Note 3459906: the correction specific to the Logoff, Additional Activity and Unlock buttons becoming unavailable after logon on the decentralized pad. (This is a separate note from 3461621; do not assume the refresh note covers it.)
Transactions from the 2nd or later session missing from logs and Review, 3282253
Symptom. With ABAP-based decentralized Firefighter, transactions run in the second and later sessions are missing from the Firefighter logs and the Review when the logon pad is kept open between sessions. After the kernel change in Note 2891577, the same transaction ID is reused for every transaction, so GRC's unique-ID filter discards them.
Fix.
- Note 3282253: for decentralized (plugin) Firefighting.
- Note 3009752: the centralized counterpart, if you are on centralized Firefighter.
This resolves the logging gap only; it does not fix a session window that fails to appear.
Reason Code not stored on the decentralized logon pad, 3373538
Symptom. You select a Reason Code, but after the Reason Code screen is closed the value is not stored, the session ends up without the Reason Code you entered. This occurs on the decentralized logon pad with the V1100_700 (and V1100_731) plugin on AC 12.0. The root cause is that the case-sensitive attribute is not set on the Reason Code field variable.
Fix. Note 3373538: implement the correction instruction or the equivalent Support Package. Applies to V1100_700 / V1100_731. Note that this is distinct from the CONVT_NO_NUMBER dump below: here the screen works but the value is silently dropped.
Short dumps in decentralized Firefighter, 3364505, 3375439
CONVT_NO_NUMBER on second logon (Reason Code screen): Note 3364505. On a Logoff-capable decentralized pad, logging on a second time and filling the Reason Code screen produces a CONVT_NO_NUMBER short dump: the Reason Code key field is used as an index, but on reload the index is replaced by the Reason Code text, so the lookup by index dumps. Implement Note 3364505. (With the SAP GUI option "Show keys within dropdown lists" enabled, the Reason Code dropdown then shows the text twice instead of index-plus-text, that is normal.)
TSV_TNEW_PAGE_ALLOC_FAILED on Additional Activity: Note 3375439. On a Logoff-capable decentralized pad running V1100_700 or V1100_731, clicking Additional Activity freezes the screen and eventually raises a TSV_TNEW_PAGE_ALLOC_FAILED short dump. Retrieving the stored Action and Reason Code description miscalculates the string offset, causing an infinite text-manipulation loop that ends only when memory is exhausted. Implement Note 3375439 (applies to V1100_700 and V1100_731 only).
Symptom-to-note cross reference
| What you see | SAP Note(s) |
|---|---|
| "RFC Destination not defined" on logon | 3394118, 3397452 |
| Logon button does not switch to the FF ID session window | Check RFC (3394118 / 3397452) and fully implemented 3318927 |
| Firefighter ID shows locked (red) although nobody is using it | 3408121 |
| Logoff does not close the session; FFID stays locked | 3408121, 3461621 |
| Logoff / Additional Activity / Unlock buttons unavailable after logon | 3459906 |
| Transactions from the 2nd or later session missing from logs and Review | 3282253 (central: 3009752) |
| Logon pad reloads on scroll; Reason Code loses entries on T&C; T&C link does not open | 3461621 |
| Reason Code selected but not stored after the Reason Code screen closes | 3373538 |
CONVT_NO_NUMBER short dump on second logon (Reason Code screen) | 3364505 |
TSV_TNEW_PAGE_ALLOC_FAILED short dump on Additional Activity | 3375439 |
Implementation lessons from the field
- Treat this as a note bundle, not a single note. On V1100, plan the SP21 Firefighter change as 3318927 plus the corrections above, sequenced with their prerequisites (for example 3394118 before 3397452).
- Apply to every system in the decentralized chain. Locking and session notes (notably 3408121) must go on the central
GRCFND_Asystem and eachGRCPINWplugin. A note applied on one side only reproduces the very inconsistency you are trying to remove. - Validate the whole session lifecycle after each wave: logon opens a session window, Additional Activity works, Logoff releases the ID, and a two-session test shows all transactions in the log and Review.
- Watch the plugin version specifically. Some corrections (3375439) are scoped to
V1100_700/V1100_731; confirm your exactGRCPINWversion before deciding what applies. - Keep the FAQ note handy. Note 3495933 is SAP's FAQ for Emergency Access Management Service Pack 21 and above, a useful reference alongside the corrections here.
How MTC helps
We work with Swiss SAP organizations on the unglamorous but critical part of GRC: making Emergency Access Management actually work after a Support Package upgrade. That includes plugin note alignment on V1100 landscapes, decentralized Firefighter (/GRCPI/GRIA_EAM) troubleshooting, and validating the full session lifecycle so audit evidence (the Firefighter log and review) is complete and trustworthy. For large GRC programs we partner with leading global audit, risk and technology consulting firms while keeping a Swiss-based senior team accountable for the security outcome.
Related reading
- SAP Firefighter Role Design: Best Practices for Emergency Access
- SAP S/4HANA Migration in Switzerland
- SAP GRC vs MTC Skopos: Choosing the Right SoD Analysis Tool
References
- 3318926: Functional change for Firefighter Session Management (
GRCFND_A, central). - 3318927: Functional change for Firefighter Session Management (
GRCPINW, plugin). - 3394118: Decentralized logon pad does not use SPRO parameter 1000 to determine the RFC connector.
- 3397452: Decentralized Firefighter logon pad throws an exception if the connector is not maintained as an SM59 connection (prerequisite: 3394118).
- 3408121: Firefighter ID locking issue (dedicated lock table).
- 3282253: Recurring transactions missed in decentralized Firefighter (central counterpart: 3009752).
- 3009752: Session management related changes in Firefighter logon pad (centralized counterpart to 3282253).
- 3461621: Screen refresh related issues in centralized and decentralized Firefighter logon pad.
- 3459906: Logoff, Additional Activity and Unlock buttons unavailable after logon using the decentralized logon pad.
- 3364505:
CONVT_NO_NUMBERshort dump during decentralized Firefighter logon. - 3373538: Reason Code is not stored on the decentralized logon pad when the
V1100_700/V1100_731plugin is used (case-sensitive attribute not set on the Reason Code field variable). - 3375439: Additional Activity throws
TSV_TNEW_PAGE_ALLOC_FAILEDshort dump when theV1100_700/V1100_731plugin is used. - 2891577: Kernel change that reuses the transaction ID (root cause behind 3282253).
- 3495933: FAQ: Emergency Access Management Service Pack 21 and above.
Frequently Asked Questions
What does SAP Note 3318927 do?
SAP Note 3318927 delivers the functional change for Firefighter Session Management on the GRCPINW plugin, aligned with the Access Control 12.0 SP21 session lifecycle. Its central counterpart is Note 3318926 (GRCFND_A). Both notes are required for centralized and decentralized Firefighting, so the Firefighter session state (logon, locking, logoff and logging) stays consistent between the central GRC system and every plugin system. The two modes differ only in one authority check: S_USER_GRP is checked on the Firefighter user ID in decentralized mode, and on the RFC system user in centralized mode.
Do I need Note 3318927 on GRCPINW V1200?
On the GRCPINW V1200 plugin the SP21 session-management functionality is delivered as part of the support package itself, so you generally do not implement Note 3318927 manually. On V1100 plugins (for example V1100_700 or V1100_731) the same functional change arrives as a discrete correction that you implement as part of the SP upgrade, which is why V1100 landscapes tend to hit more of the follow-on issues described in this article.
Why is a Firefighter ID locked (red) after SP21?
After SP21 the Firefighter ID lock relied on the Last Logon Timestamp field. Changing FFID assignments through the NWBC administrative pages also updates that timestamp, which leaves the lock in an inconsistent state and shows the ID as locked (red) even when nobody is using it. SAP Note 3408121 replaces the timestamp-based lock with a dedicated lock table and must be applied on the central GRC system and all plugin systems.
Which SAP notes fix decentralized Firefighter logon pad issues?
The common decentralized logon pad corrections after SP21 are: 3394118 and 3397452 (RFC connector / SPRO parameter 1000), 3408121 (ID locking), 3461621 (screen refresh and Terms and Conditions), 3459906 (Logoff, Additional Activity and Unlock buttons unavailable after logon), 3364505 (CONVT_NO_NUMBER short dump), 3373538 (Reason Code not stored) and 3375439 (TSV_TNEW_PAGE_ALLOC_FAILED on Additional Activity). Note 3282253 fixes missing transactions in consecutive sessions.