Upload
brian-cleveland
View
752
Download
16
Embed Size (px)
DESCRIPTION
Minimum authorization profile for external RFC programs _ BASIS Tutorials _ SAP Techies
Citation preview
11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies
www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 1/7
3.9kLike
138 WriteNew User?
Home Tutorials Answers BooksInterview
Questions
Transaction
Codes
Courses &
InstitutesJobs Classifieds News Announcements
SAP BASIS
TutorialsBASIS
ForumsBASIS
BooksBASIS
Interview QuestionsBASIS
Transaction CodesBASIS
SAP BASIS TrainingInstitute
SAP BASIS Jobs
SAP R/3
ABAP
BASIS
FICO (FinancialAccounting & Controling)
Business One
EC (EnterpriseControlling)
TR (Treasury)
IM (InvestmentManagement)
HR (Human Resource)
SD (Sales andDistribution)
Logistics InformationSystem
MM (MaterialsManagement)
Minimum authorization profile for external RFC programs
By: rekha | Google | 12 Aug 2010 7:21 am | 4642 times viewed | 0 Comments
In the RFC communication between an external program and an SAP system,you want to use a user who only has authorizations in the SAP system that areabsolutely necessary. Depending on the technology that your program uses forcommunication, the release of the attached R/3 or SAP system and the type ofthe calls that you want to execute, the SAP user set in the external programrequires different authorizations.For the sake of clarity, these authorizations are summarized in this note.
Reason and Prerequisites
External programs can essentially use the following technologies for RFCcommunication:
1. RFC SDK (C/C++)
2. NW RFC SDK (C/C++)
3. Java Connector (Java)
4. .NET Connector (C#)
5. Business Connector (XML,HTTP,FTP or SMTP interface )
Most of these components provide a repository service, which dynamically reads the interface definition of a remote-enabled function module
List Your Institute & Course
0 Tweet 0
Post your Article
Home » Tutorials » BASIS
Search e.g. SAP ABAPAll
SAP Courses & Collegeswww.Shiksha.com/SAP-Courses
Find Top SAP Institutes in India. Get Info on Courses,Admision,Fees.
ShareLike 0483
Resigter Login
11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies
www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 2/7
PM (Plant Maintenance)
PP (Production Planning)
QM (Quality Management)
BW (BusinessWarehousing)
IS (Industry Solutions)
CS (Customer Service)
PS (Project Systems)
SEM (Strategic EnterpriseManagement Software)
CRM (CustomerRelationship Management)
SCM (SAP Supply ChainManagement)
Netweaver
SRM (SupplierRelationship Management)
About SAP
Exchange InfrastructureSAP XI
Advanced Planner andOptimizer (SAP APO)
Unix
Oracle
Oracle SQL
Third Party
Java
SAP GUI
HCM Human CapitalManagement
SAP Office
Mobile
HANA
MySAP
OrganisationalManagement
Integration Server
EHS Environment, Health,
(abbreviated as RFM) from the ABAP Data Dictionary. This service in turn calls several function modules in the ABAP application serverinternally. For this reason it requires specific authorizations in function groups.
Solution
Firstly some general comments:
* You can use the auth/rfc_authority_check=0 profile parameter to deactivate the authorization check in the RFC. This is set by default in allR/3 releases up to and including Release 3.1l. To protect the system against unauthorized RFC accesses, you should check that this
parameter is set to at least 1.
* In Releases 3.1I to 4.6D there were some bugs at the beginning in the RFC authorization check. Ensure that your R/3 kernel has at least
the patch level referred to in Note 93254.
* Some application function modules and BAPIs perform an internal check again for a "business" authorization object. In this case theuser, who wants to execute the RFC call, must also have authorization for this "application authorization object" as well as the "technical"
authorizations described in the following section.
* If the module that you called wants to execute a transaction code, the user also requires the S_TCODE authorization object (with therelevant transaction codes). If you start a report within the module, the user also requires the S_PROGRAM authorization object (with the
relevant program groups).
* In general it is sufficient if the user is of the "CPIC" type (R/3 Release 3.1I to 4.6B) or "communication" (as of R/3 Release 4.6C). The usermust only be of the "dialog" type if you want to debug function module calls from the external program in the ABAP debugger. For the
additional authorizations required to carry out the debugging, please see Notes 905364, 668256 and 668252.
Some standard scenarios are described in the following section. For the scenarios in which a dynamic repository is used, the assumption is
made that two different types of users are used: A dedicated user, who is responsible for repository accesses, and the application users,who execute the actual RFMs of the application. This is advisable for security reasons. If you only want to use one user in the external
program, simply assign the user the union of both authorizations.
The authorization profile of the user must contain the S_RFC authorization object, whereby the fields are filled as follows:ACTVT: 16
RFC_TYPE: FUGRRFC_NAME: The list of the function groups executed below.
In the following list X is the name of the function group for which you want to call function modules.
1. Call a function module directly
(For example, using the RFC library or JCo with static repository)
Application user:
R/3 release Function groups3.1I SYST, Xas of 4.0A SYST, SYSU, X
2. Call a function module directly using tRFC or qRFC
(For example, using the RFC library or NW RFC SDK/JCo with static repository)
11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies
www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 3/7
and Safety Management
Telecommunications
Financial Supply ChainManagement (FIN-FSCM)
Master Data Management
Business Intelligence BI
Business Planning andConsolidation BPC
Extended WarehouseManagement EWM
Warehouse ManagementSystem WMS
Bank Analyzer
Webdynpro
Governance, Risk, andCompliance (GRC)
Business Objects
Business Objects DataServices BODS
POS DM Point-of-SaleData Management
Product LifecycleManagement PLM
Enterprise Portal (EP)
Warranty Management
Product Enhancement
Event Management
Business ByDesign
SAP FS-CD (Collectionsand Disbursements)
ERP (Enterprise ResourcePlanning)
SAP ME (SAPManufacturing Execution)
SAP Fiori
Application user:R/3 release Function groups3.1I SYST, ARFC, ERFC, Xas of 4.0A SYST, SYSU, ARFC, ERFC, X
3. Call a function module using the dynamic repositories
(For example, using NW RFC SDK, JCo, .NET Connector or Business Connector)
Application user:R/3 release Function groups3.1I SYST, X
as of 4.0A SYST, SYSU, X
Repository user:
R/3 release Function groups3.1I SYST, RFC1, SUNI4.0A to 4.5B SYST, RFC1, SYSU, SUNI, SDIF4.6A to 4.6C SYST, RFC1, SYSU, SDIF
as of 4.6D SYST, RFC1, SYSU, SDIFRUNTIME
4. Call a tRFCs or qRFCs using the dynamic repositories
(For example, using NW RFC SDK, JCo, .NET Connector or Business Connector)
Application user:R/3 release Function groups
3.1I SYST, ARFC, ERFC, Xas of 4.0A SYST, SYSU, ARFC, ERFC, X
Repository user: as in the previous point
5. Send and receive IDocs
(For example, with the SAP Java IDoc Library or the Business Connector)
Application user (for sending IDocs):R/3 release Function groups3.1I SYST, ARFC, ERFC, BD11as of 4.0A SYST, SYSU, ARFC, ERFC, EDIN
In addition, the user still requires the B_ALE_RECV authorization object, whereby the EDI_MESTYP field is filled with the list of the messagetypes of the IDocs to be processed.
Repository user:R/3 release Function groups
11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies
www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 4/7
3.1I SYST, RFC1, SUNI, EDI6, EDI8, EDIF
4.0A - 4.5B SYST, RFC1, SYSU, SUNI, SDIF, EDIMEXT, EDI64.6A - 4.6C SYST, RFC1, SYSU, SDIF, EDIMEXT, EDI6as of 4.6D SYST, RFC1, SYSU, SDIFRUNTIME, EDIMEXT, EDI6
The user also requires the S_IDOCDEFT authorization object, for example, using the "S_IDCDFT_DIS" authorization.
Note: If in the SAP System the auth/rfc_authority_check profile parameter has a value larger than "2", all users also require the authorization
for the SRFC function group.
Authorization check as of SAP Release 7.10As of Release 7.10 you can execute the RFC authorization check on individual function modules, instead of on entire function groups. You
can also use the procedure described above, but if you want to refine the authorization check even further, fill the fields of the S_RFCauthorization obect as follows:ACTVT: 16RFC_TYPE: FUNC
RFC_NAME: The list of the function modules executed below.
In the following section Y is the name of the function module that you want to call.1. Call a function module directly
Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, Y2. Call a function module directly using tRFC or qRFC
Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, API_CHECK_TID, API_CREATE_TID, API_CLEAR_TID, ARFC_DEST_SHIP,ARFC_DEST_CONFIRM, Y3.Call a function module using the dynamic repositories
Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, Y
Repository user: RFCPING, SYSTEM_RESET_RFC_SERVER, RFC_GET_FUNCTION_INTERFACE, DDIF_FIELDINFO_GET4. Call a tRFCs or qRFCs using the dynamic repositories
Application user: RFCPING, SYSTEM_RESET_RFC_SERVER, API_CHECK_TID, API_CREATE_TID, API_CLEAR_TID, ARFC_DEST_SHIP,
ARFC_DEST_CONFIRM, Y
Repository user: as in the previous point5. Send and receive IDocs
Application user (for sending IDocs): RFCPING, SYSTEM_RESET_RFC_SERVER, API_CHECK_TID, API_CREATE_TID, API_CLEAR_TID,ARFC_DEST_SHIP, ARFC_DEST_CONFIRM, IDOC_INBOUND_ASYNCHRONOUS
In addition, the user still requires the B_ALE_RECV authorization object, whereby the EDI_MESTYP field is filled with the list of the message
types of the IDocs to be processed.
Repository user: RFCPING, SYSTEM_RESET_RFC_SERVER, RFC_GET_FUNCTION_INTERFACE, DDIF_FIELDINFO_GET,IDOCTYPE_READ_COMPLETE, EDI_AGREE_OUT_MESSTYPE_READ
The user also requires the S_IDOCDEFT authorization object, for example, using the "S_IDCDFT_DIS" authorization.
DocumentMGMTSolutions
www.docstar.com…
Automate to Improve
Your Business's
Workflow. Free
Scanner! View Demo.
11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies
www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 5/7
Submit Comment
CommentsNo Comments Posted for this Article.
Leave a commentSign up for SAPTechies
Related
► Sap Modules ► Sap Transaction ► Sap R 3 ► Sap Business One
► Sap Business One ► Sap and Java ► Sap Connector ► Sap Audit
SAP Security and Authorization Concepts
R/3 audit review questions. Here is a list of items most commonly reviewed by internal/external auditors when reviewing your R/3
system. It is always a good idea to review this list a couple...
FAQ about the Security Audit Log
Configuration [1] Question: What is the difference between static and dynamic configuration? Answer: Static configuration is used
for the ongoing storage of a Security Audit log configuration in...
How to set up Gateway logging.
You want to log the actions of the SAP Gateway. This is especially interesting if you use external programs regularly and you want
to ensure a smooth operation. Using the profile parameter...
Remote Function Call
RFCs enable you to call and execute predefined functions in a remote system . or within the same system. If you want to start
Tutorials Forum Books Interview Questions Jobs
Ask a Question!ALSO READ
Basis implementation, maintenance and upgrade.
basis PDF document
Use of VMware in SAP Basis
Basis Transaction Codes.
SAP R/3 BASIS MATERIAL
Is BASIS has good job market of ABAP?
SAP BASIS EBooks
Difference Between SAP BASIS ADMIN andCONSULTANT ..????
What is integration part with basis person withregard to status profile
Send me the links of EBooks of SAP BasisAdministration
Which institute is best for sap basis
11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies
www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 6/7
About | Contact Us | Terms Of Use | Terms & Conditions | RSS/Syndication | Site Map | XML Site Map | We are Hiring
Tutorials | Forum | Books | Interview Questions | Transaction Codes | Institutes | Jobs | Classifieds | News | Announcements | SAP Notes ABAP | BASIS | FI CO (Financial Accounting & Controling) | MySAP | SD (Sales and Distribution) | MM (Materials Management) | HR (Human Resource) | PP
external programs remotely, you need an RFC interface outside the SAP...
DBA Cockpit for Oracle
Overview of the new DBA Cockpit The DBA Cockpit is used in place of different transactions that were used for monitoring and
administration up to now. The DBA Cockpit include the following...
What is ERP ? What is SAP ?
What is ERP? ERP stands for Enterprise Resource Planning...
Unauthorized call of operating system command
A malicious user can execute an operating system command with a parameter string by calling a certain ABAP function because
the function does not perform any authorization checks.In SAP terminology...
SAP Purchasing Configuration Tips and Tricks
Goods Receipts/Invoice Receipts for Purchase Order Transaction OMW1 allows you to set whether the Price Control is a
mandatory "S" or "V". V indicate that you want the system to value the...
How to Check Missing Authorisation for User
How to check the missing authorisation for the user not having the option "/nsu53 ?" You can use the following procedures to
determine which authorizations a user requires to carry out a...
Find data in your SAP system and know which tables do what
Introduction Many people ask where they can find data in their SAP system. Because SAP is so often highly customised, the best
answer is "Ask your SAP system itself" Which leads on to the question...
What is the difference Between External Commands And External Programs in SAP
External commands are predefined commands for end users. They are operating-system independent and are protected by
authorizations, so that normal end users can schedule only those commands that the...
SXPG_COMMAND_EXECUTE (program_start_error) in DB13
symptom Executing a database job in DB13 terminates with the following type of error in the job log: Execution of the logical
command BRCONNECT on host <target host> Parameter: -u / -check ...
Correction and Transport System
Introduction The following CTS document is going to help each and every person who is already involved in the correction and
transport procedure of this company or wants to know about the...
What is the difference between the normal function module and BAPI function
BAPI stands for Business API(Application Program Interface). A BAPI is remotely enabled function module ie it can be invoked from
remote programs like standalone JAVA programs, web interface...
What is Current Package Level ofBasis,Application,Abap,Hr in ECC6.
Which Basis Release do I need to use SAP SmartForms?
Need SAP BASIS Notes
Questionnaire for SAP Basis offshore project
SAP BASIS CERTIFICATE
Basis Fundamentals
kernel chapter in Tadm10 book.plz send me dkernel topic
SAP, BASIS, ERP
Support Package for Basis Component
► Sap Documentation ► Sap Database ► Sap Architecture ► Sap Idoc
11/8/13 Minimum authorization profile for external RFC programs | BASIS Tutorials | SAP Techies
www.saptechies.org/minimum-authorization-profile-for-external-rfc-programs/ 7/7
(Production Planning) | Netweaver | CRM (Customer Relationship Management) | BW (Business Warehousing) | PM (Plant Maintenance) | QM (Quality Management) |PS (Project Systems) | APO (Advanced Planner & Optimizer) | XI (Exchange Infrastructure) | SCM | (Supply Chain Management) | IS (Industry Solutions) | HCM
(Human Capital Management) | CS (Customer Service) | LIS (Logistics Information System) | SRM (Supplier Relationship Management) | IM (InvestmentManagement) | EC (Enterprise Controlling) | SEM (Strategic Enterprise Management Software) TR (Treasury) | SAP GUI | SAP Office | About SAP | Business One |
HANA Oracle | Oracle SQL | Third Party | Unix | Java©2005-2013 SAPTechies. All rights reserved.