11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies

www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 1/7

3.9kLike

138 WriteNew User?

Home Tutorials Answers BooksInterview

Questions

Transaction

Codes

Courses &

InstitutesJobs Classifieds News Announcements

SAP BASIS

TutorialsBASIS

ForumsBASIS

BooksBASIS

Interview QuestionsBASIS

Transaction CodesBASIS

SAP BASIS TrainingInstitute

SAP BASIS Jobs

SAP R/3

ABAP

BASIS

FICO (FinancialAccounting & Controling)

Business One

EC (EnterpriseControlling)

TR (Treasury)

IM (InvestmentManagement)

HR (Human Resource)

SD (Sales andDistribution)

Logistics InformationSystem

MM (MaterialsManagement)

Minimum authorization profile for external RFC programs

By: rekha | Google | 12 Aug 2010 7:21 am | 4642 times viewed | 0 Comments

In the RFC communication between an external program and an SAP system,you want to use a user who only has authorizations in the SAP system that areabsolutely necessary. Depending on the technology that your program uses forcommunication, the release of the attached R/3 or SAP system and the type ofthe calls that you want to execute, the SAP user set in the external programrequires different authorizations.For the sake of clarity, these authorizations are summarized in this note.

Reason and Prerequisites

External programs can essentially use the following technologies for RFCcommunication:

1. RFC SDK (C/C++)

2. NW RFC SDK (C/C++)

3. Java Connector (Java)

4. .NET Connector (C#)

5. Business Connector (XML,HTTP,FTP or SMTP interface )

Most of these components provide a repository service, which dynamically reads the interface definition of a remote-enabled function module

List Your Institute & Course

0 Tweet 0

Post your Article

Home » Tutorials » BASIS

Search e.g. SAP ABAPAll

SAP Courses & Collegeswww.Shiksha.com/SAP-Courses

Find Top SAP Institutes in India. Get Info on Courses,Admision,Fees.

ShareLike 0483

Resigter Login

11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies

www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 2/7

PM (Plant Maintenance)

PP (Production Planning)

QM (Quality Management)

BW (BusinessWarehousing)

IS (Industry Solutions)

CS (Customer Service)

PS (Project Systems)

SEM (Strategic EnterpriseManagement Software)

CRM (CustomerRelationship Management)

SCM (SAP Supply ChainManagement)

Netweaver

SRM (SupplierRelationship Management)

About SAP

Exchange InfrastructureSAP XI

Advanced Planner andOptimizer (SAP APO)

Unix

Oracle

Oracle SQL

Third Party

Java

SAP GUI

HCM Human CapitalManagement

SAP Office

Mobile

HANA

MySAP

OrganisationalManagement

Integration Server

EHS Environment, Health,

(abbreviated as RFM) from the ABAP Data Dictionary. This service in turn calls several function modules in the ABAP application serverinternally. For this reason it requires specific authorizations in function groups.

Solution

Firstly some general comments:

* You can use the auth/rfc_authority_check=0 profile parameter to deactivate the authorization check in the RFC. This is set by default in allR/3 releases up to and including Release 3.1l. To protect the system against unauthorized RFC accesses, you should check that this

parameter is set to at least 1.

* In Releases 3.1I to 4.6D there were some bugs at the beginning in the RFC authorization check. Ensure that your R/3 kernel has at least

the patch level referred to in Note 93254.

* Some application function modules and BAPIs perform an internal check again for a "business" authorization object. In this case theuser, who wants to execute the RFC call, must also have authorization for this "application authorization object" as well as the "technical"

authorizations described in the following section.

* If the module that you called wants to execute a transaction code, the user also requires the S_TCODE authorization object (with therelevant transaction codes). If you start a report within the module, the user also requires the S_PROGRAM authorization object (with the

relevant program groups).

* In general it is sufficient if the user is of the "CPIC" type (R/3 Release 3.1I to 4.6B) or "communication" (as of R/3 Release 4.6C). The usermust only be of the "dialog" type if you want to debug function module calls from the external program in the ABAP debugger. For the

additional authorizations required to carry out the debugging, please see Notes 905364, 668256 and 668252.

Some standard scenarios are described in the following section. For the scenarios in which a dynamic repository is used, the assumption is

made that two different types of users are used: A dedicated user, who is responsible for repository accesses, and the application users,who execute the actual RFMs of the application. This is advisable for security reasons. If you only want to use one user in the external

program, simply assign the user the union of both authorizations.

The authorization profile of the user must contain the S_RFC authorization object, whereby the fields are filled as follows:ACTVT: 16

RFC_TYPE: FUGRRFC_NAME: The list of the function groups executed below.

In the following list X is the name of the function group for which you want to call function modules.

1. Call a function module directly

(For example, using the RFC library or JCo with static repository)

Application user:

R/3 release Function groups3.1I SYST, Xas of 4.0A SYST, SYSU, X

2. Call a function module directly using tRFC or qRFC

(For example, using the RFC library or NW RFC SDK/JCo with static repository)

11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies

www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 3/7

and Safety Management

Telecommunications

Financial Supply ChainManagement (FIN-FSCM)

Master Data Management

Business Intelligence BI

Business Planning andConsolidation BPC

Extended WarehouseManagement EWM

Warehouse ManagementSystem WMS

Bank Analyzer

Webdynpro

Governance, Risk, andCompliance (GRC)

Business Objects

Business Objects DataServices BODS

POS DM Point-of-SaleData Management

Product LifecycleManagement PLM

Enterprise Portal (EP)

Warranty Management

Product Enhancement

Event Management

Business ByDesign

SAP FS-CD (Collectionsand Disbursements)

ERP (Enterprise ResourcePlanning)

SAP ME (SAPManufacturing Execution)

SAP Fiori

Application user:R/3 release Function groups3.1I SYST, ARFC, ERFC, Xas of 4.0A SYST, SYSU, ARFC, ERFC, X

3. Call a function module using the dynamic repositories

(For example, using NW RFC SDK, JCo, .NET Connector or Business Connector)

Application user:R/3 release Function groups3.1I SYST, X

as of 4.0A SYST, SYSU, X

Repository user:

R/3 release Function groups3.1I SYST, RFC1, SUNI4.0A to 4.5B SYST, RFC1, SYSU, SUNI, SDIF4.6A to 4.6C SYST, RFC1, SYSU, SDIF

as of 4.6D SYST, RFC1, SYSU, SDIFRUNTIME

4. Call a tRFCs or qRFCs using the dynamic repositories

(For example, using NW RFC SDK, JCo, .NET Connector or Business Connector)

Application user:R/3 release Function groups

3.1I SYST, ARFC, ERFC, Xas of 4.0A SYST, SYSU, ARFC, ERFC, X

Repository user: as in the previous point

5. Send and receive IDocs

(For example, with the SAP Java IDoc Library or the Business Connector)

Application user (for sending IDocs):R/3 release Function groups3.1I SYST, ARFC, ERFC, BD11as of 4.0A SYST, SYSU, ARFC, ERFC, EDIN

In addition, the user still requires the B_ALE_RECV authorization object, whereby the EDI_MESTYP field is filled with the list of the messagetypes of the IDocs to be processed.

Repository user:R/3 release Function groups

11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies

www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 4/7

3.1I SYST, RFC1, SUNI, EDI6, EDI8, EDIF

4.0A - 4.5B SYST, RFC1, SYSU, SUNI, SDIF, EDIMEXT, EDI64.6A - 4.6C SYST, RFC1, SYSU, SDIF, EDIMEXT, EDI6as of 4.6D SYST, RFC1, SYSU, SDIFRUNTIME, EDIMEXT, EDI6

The user also requires the S_IDOCDEFT authorization object, for example, using the "S_IDCDFT_DIS" authorization.

Note: If in the SAP System the auth/rfc_authority_check profile parameter has a value larger than "2", all users also require the authorization

for the SRFC function group.

Authorization check as of SAP Release 7.10As of Release 7.10 you can execute the RFC authorization check on individual function modules, instead of on entire function groups. You

can also use the procedure described above, but if you want to refine the authorization check even further, fill the fields of the S_RFCauthorization obect as follows:ACTVT: 16RFC_TYPE: FUNC

RFC_NAME: The list of the function modules executed below.

In the following section Y is the name of the function module that you want to call.1. Call a function module directly

Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, Y2. Call a function module directly using tRFC or qRFC

Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, API_CHECK_TID, API_CREATE_TID, API_CLEAR_TID, ARFC_DEST_SHIP,ARFC_DEST_CONFIRM, Y3.Call a function module using the dynamic repositories

Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, Y

Repository user: RFCPING, SYSTEM_RESET_RFC_SERVER, RFC_GET_FUNCTION_INTERFACE, DDIF_FIELDINFO_GET4. Call a tRFCs or qRFCs using the dynamic repositories

Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, API_CHECK_TID, API_CREATE_TID, API_CLEAR_TID, ARFC_DEST_SHIP,

ARFC_DEST_CONFIRM, Y

Repository user: as in the previous point5. Send and receive IDocs

Application user (for sending IDocs): RFCPING, SYSTEM_RESET_RFC_SERVER, API_CHECK_TID, API_CREATE_TID, API_CLEAR_TID,ARFC_DEST_SHIP, ARFC_DEST_CONFIRM, IDOC_INBOUND_ASYNCHRONOUS

In addition, the user still requires the B_ALE_RECV authorization object, whereby the EDI_MESTYP field is filled with the list of the message

types of the IDocs to be processed.

Repository user: RFCPING, SYSTEM_RESET_RFC_SERVER, RFC_GET_FUNCTION_INTERFACE, DDIF_FIELDINFO_GET,IDOCTYPE_READ_COMPLETE, EDI_AGREE_OUT_MESSTYPE_READ

The user also requires the S_IDOCDEFT authorization object, for example, using the "S_IDCDFT_DIS" authorization.

DocumentMGMTSolutions

www.docstar.com…

Automate to Improve

Your Business's

Workflow. Free

Scanner! View Demo.

11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies

www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 5/7

Submit Comment

CommentsNo Comments Posted for this Article.

Leave a commentSign up for SAPTechies

Related

► Sap Modules ► Sap Transaction ► Sap R 3 ► Sap Business One

► Sap Business One ► Sap and Java ► Sap Connector ► Sap Audit

SAP Security and Authorization Concepts

R/3 audit review questions. Here is a list of items most commonly reviewed by internal/external auditors when reviewing your R/3

system. It is always a good idea to review this list a couple...

FAQ about the Security Audit Log

Configuration [1] Question: What is the difference between static and dynamic configuration? Answer: Static configuration is used

for the ongoing storage of a Security Audit log configuration in...

How to set up Gateway logging.

You want to log the actions of the SAP Gateway. This is especially interesting if you use external programs regularly and you want

to ensure a smooth operation. Using the profile parameter...

Remote Function Call

RFCs enable you to call and execute predefined functions in a remote system . or within the same system. If you want to start

Tutorials Forum Books Interview Questions Jobs

Ask a Question!ALSO READ

Basis implementation, maintenance and upgrade.

basis PDF document

Use of VMware in SAP Basis

Basis Transaction Codes.

SAP R/3 BASIS MATERIAL

Is BASIS has good job market of ABAP?

SAP BASIS EBooks

Difference Between SAP BASIS ADMIN andCONSULTANT ..????

What is integration part with basis person withregard to status profile

Send me the links of EBooks of SAP BasisAdministration

Which institute is best for sap basis

11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies

www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 6/7

About | Contact Us | Terms Of Use | Terms & Conditions | RSS/Syndication | Site Map | XML Site Map | We are Hiring

Tutorials | Forum | Books | Interview Questions | Transaction Codes | Institutes | Jobs | Classifieds | News | Announcements | SAP Notes ABAP | BASIS | FI CO (Financial Accounting & Controling) | MySAP | SD (Sales and Distribution) | MM (Materials Management) | HR (Human Resource) | PP

external programs remotely, you need an RFC interface outside the SAP...

DBA Cockpit for Oracle

Overview of the new DBA Cockpit The DBA Cockpit is used in place of different transactions that were used for monitoring and

administration up to now. The DBA Cockpit include the following...

What is ERP ? What is SAP ?

What is ERP? ERP stands for Enterprise Resource Planning...

Unauthorized call of operating system command

A malicious user can execute an operating system command with a parameter string by calling a certain ABAP function because

the function does not perform any authorization checks.In SAP terminology...

SAP Purchasing Configuration Tips and Tricks

Goods Receipts/Invoice Receipts for Purchase Order Transaction OMW1 allows you to set whether the Price Control is a

mandatory "S" or "V". V indicate that you want the system to value the...

How to Check Missing Authorisation for User

How to check the missing authorisation for the user not having the option "/nsu53 ?" You can use the following procedures to

determine which authorizations a user requires to carry out a...

Find data in your SAP system and know which tables do what

Introduction Many people ask where they can find data in their SAP system. Because SAP is so often highly customised, the best

answer is "Ask your SAP system itself" Which leads on to the question...

What is the difference Between External Commands And External Programs in SAP

External commands are predefined commands for end users. They are operating-system independent and are protected by

authorizations, so that normal end users can schedule only those commands that the...

SXPG_COMMAND_EXECUTE (program_start_error) in DB13

symptom Executing a database job in DB13 terminates with the following type of error in the job log: Execution of the logical

command BRCONNECT on host <target host> Parameter: -u / -check ...

Correction and Transport System

Introduction The following CTS document is going to help each and every person who is already involved in the correction and

transport procedure of this company or wants to know about the...

What is the difference between the normal function module and BAPI function

BAPI stands for Business API(Application Program Interface). A BAPI is remotely enabled function module ie it can be invoked from

remote programs like standalone JAVA programs, web interface...

What is Current Package Level ofBasis,Application,Abap,Hr in ECC6.

Which Basis Release do I need to use SAP SmartForms?

Need SAP BASIS Notes

Questionnaire for SAP Basis offshore project

SAP BASIS CERTIFICATE

Basis Fundamentals

kernel chapter in Tadm10 book.plz send me dkernel topic

SAP, BASIS, ERP

Support Package for Basis Component

► Sap Documentation ► Sap Database ► Sap Architecture ► Sap Idoc

11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies

www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 7/7

(Production Planning) | Netweaver | CRM (Customer Relationship Management) | BW (Business Warehousing) | PM (Plant Maintenance) | QM (Quality Management) |PS (Project Systems) | APO (Advanced Planner & Optimizer) | XI (Exchange Infrastructure) | SCM | (Supply Chain Management) | IS (Industry Solutions) | HCM

(Human Capital Management) | CS (Customer Service) | LIS (Logistics Information System) | SRM (Supplier Relationship Management) | IM (InvestmentManagement) | EC (Enterprise Controlling) | SEM (Strategic Enterprise Management Software) TR (Treasury) | SAP GUI | SAP Office | About SAP | Business One |

HANA Oracle | Oracle SQL | Third Party | Unix | Java©2005-2013 SAPTechies. All rights reserved.