Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Manage admin users

Former Member

‎08-20-2008 4:14 PM

0 Kudos

Hi,

1. What authorizations a user needs in order to reset password of the standard users "SAP*, DDIC, J2EE_Admin, etc....."?

2.How can I add RFC authorization only for a user to be able to open an RFC connection (for testing I used to give the user SAP_ALL and he could do that.. but I'm looking for something specific... for example: rfc logon only.)

tx.

s.

6 REPLIES 6

Former Member

‎08-20-2008 5:04 PM

0 Kudos

> 1. What authorizations a user needs in order to reset password of the standard users "SAP*, DDIC, J2EE_Admin, etc....."?

Based on your other question here, you will be looking for object S_RFC activity 16 rfc_name SU_USER rfc_type FUGR. This is the entry point to start the reset request, and from release 7.10 you can tweak it even further to the function module name using rfc_type FUNC.

To complete the reset successfully, you will be looking for object S_USER_GRP activity 05 name of user group <whatever the group name is they can reset passwords for>. This will let you successfully complete the reset.

> 2.How can I add RFC authorization only for a user to be able to open an RFC connection (for testing I used to give the user SAP_ALL and he could do that.. but I'm looking for something specific... for example: rfc logon only.)

You can do that in transaction PFCG on the menu tab of the role by adding the RFC using the "Authorization Default" - this will also pull in the "use case" authorizations from SU24 in the authorizations tab.

So, now what to put in the SU24 for object S_RFC of that RFC to open the connection (because it will be greyed out in PFCG)? See SAP note 460089 for your options.

Cheers,

Julius

Former Member
In response to Former Member

‎08-21-2008 12:25 PM

0 Kudos

where can I find all these SAP notes (SAP note 460089 for example)?

(This is the first time I'm interacting with SAP)

tx

jurjen_heeck
Active Contributor
In response to Former Member

‎08-21-2008 12:27 PM

0 Kudos

> where can I find all these SAP notes (SAP note 460089 for example)?

> (This is the first time I'm interacting with SAP)

https://service.sap.com/notes

You will need an "oss account" for this.

Former Member
In response to Former Member

‎08-21-2008 1:47 PM

0 Kudos

tx man,

but how can I get the oss account?

I'm not sap customer or partner...

jurjen_heeck
Active Contributor
In response to Former Member

‎08-21-2008 1:56 PM

0 Kudos

> I'm not sap customer or partner..

In that case the company whose system you're working on should be able to provide you with one (at least for the period you're there.)

Former Member
In response to Former Member

‎08-21-2008 1:58 PM

0 Kudos

> I'm not sap customer or partner...

Then why are you developing this?

(just joking

I think it is an excellent thing that you are building a secure role with minimum authorizations to deliver together with your Java application! Some vendors / solutions don't do that or deliver a "goliath".

The relevant part of that note (while making some assumptions about your system / application) say that you will need function groups SYST and SYSU together with SU_USER for the rfc_name.

Perhaps ask one of your customers who are testing the app and role to check all other aspects of the note with you, as well as anyway tracing the call (transaction ST01) to verify what it exactly needs when the reset is called.

Cheers,

Julius