
The authority of RFC

Former Member
0 Kudos

The partner needs to access the R/3 system by RFC. Can I set the authority with which he can only call the allowed function modules?

Edited by: xifeng xing on Sep 10, 2008 10:20 AM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

> The partner needs to access the R/3 system by RFC. Can I set the authority with which he can only call the allowed function modules?
>
> Edited by: xifeng xing on Sep 10, 2008 10:20 AM

Normally, you can control the RFC call at the level of the function group name using object S_RFC with actvt = "16", rfc_type = "FUGR" and rfc_name = "the name of the function group to which that function module belongs".

Depending on what the function modules (plural) in that function group are designed to do, you can also:

- Restrict the application authorizations to further restrict the function modules.

- Sharpen the RFC checks to restrict the function groups.

- As of release 7.10 you can use rfc_type = "FUNC" to isolate the first 40 characters of "rfc_name" to the function module name.

Hope that helps,

Julius

7 REPLIES 7

Former Member
0 Kudos

Thx, the problem has been resolved.

Best regards,

Xifeng

0 Kudos

Happy to hear that.

In case you are not aware, on the menu tab of PFCG (Profile Generator) there is also an option to add "Other => Function modules" to the menu of the role.

This way you can document what the RFC is capable of doing (Check indicator set) and what you actually want it to do (Proposal indicator - previously "Check/Maintain"). You do not need to assign any transaction codes (necessarily) to the RFC-able users and when you reuse the RFC in another role, it will automatically pull in the required (proposed) authorizations for the admin (only) so there is less repeated (guessing) work and invariably tighter authorizations.

If you are not familiar with this, take a look at transaction SU24.

Cheers,

Julius

Former Member
0 Kudos

I am so sorry, but I can't find the option you said in the menu of PFCG.

Thx for your attention.

Best Wishes.

Xifeng.

0 Kudos

In transaction PFCG when in change mode of a rule, there is a "Menu" tab.

Select "Authorization Default" => "Function Module". This correlates to the "Function Module" proposal indicators in transaction SU24, if set up.

Cheers,

Julius

0 Kudos

Julius,

I maintained a custom RFC in SU24 and then added this RFC to the role (as you said above - "Role Menu" --> "Authorization Default" => "Function Module").

What I noticed in the role authorizations is that the system also added RFC_TYPE=FUGR and RFC_NAME="Function group of that RFC". I want to restrict at FUNC level not FUGR level.

If the authorization check at FUGR level is successful then does the system logic also check authorizations at FUGR=FUNC level?

Any idea why the system is adding more values even though those are not maintained in SU24?

Thanks,

Himadama

0 Kudos

Back in 2008 this feature was very new, but it is reasonably mainstream now.

You just need to think about it --> SAP defaults the FUGR as type (backward compatible with existing roles in implementations) as before. If you want to use the more granular approach, then set the FUGR authorization to inactive and insert FUNC with the FM name into SU24 as you at that time know the FM name.

You should take care of the sequence as there is no "unmerge" function (only tricks) and the field is truncated at 40 character length.

Cheers,

Julius
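
An added example, not part of the thread and not SAP code: a small Python audit that takes a role's active S_RFC values and reports which function modules the partner could call beyond an allow-list, which is the gap between FUGR-level and FUNC-level grants discussed above. The function group contents, module names and role entries are constructed sample data, and the model assumes that any active entry matching the module name (FUNC) or its function group (FUGR) with actvt 16 permits the call, with only `*` handled as a wildcard.

```python
from fnmatch import fnmatchcase

RFC_NAME_LEN = 40  # per the thread, rfc_name is truncated at 40 characters

# Constructed sample data: function group -> function modules it contains.
GROUPS = {
    "ZPARTNER": ["Z_PARTNER_GET_ORDER", "Z_PARTNER_GET_STOCK",
                 "Z_PARTNER_DELETE_ORDER"],
    "ZMISC": ["Z_MISC_PING"],
}
# Constructed sample data: active S_RFC authorizations in one role.
ROLE = [
    {"ACTVT": "16", "RFC_TYPE": "FUGR", "RFC_NAME": "ZPARTNER"},
    {"ACTVT": "16", "RFC_TYPE": "FUNC", "RFC_NAME": "Z_PARTNER_GET_ORDER"},
    {"ACTVT": "16", "RFC_TYPE": "FUNC", "RFC_NAME": "Z_MISC_*"},
]
# Constructed sample data: what the partner is supposed to call.
ALLOWED = {"Z_PARTNER_GET_ORDER", "Z_PARTNER_GET_STOCK"}


def callable_modules(role, groups):
    """Map each reachable function module to the entries that grant it."""
    reach = {}
    for auth in role:
        if auth["ACTVT"] not in ("16", "*"):  # 16 = execute
            continue
        if auth["RFC_TYPE"] not in ("FUGR", "FUNC"):
            continue  # other types are outside this model
        pattern = auth["RFC_NAME"][:RFC_NAME_LEN]
        for group, modules in groups.items():
            for fm in modules:
                # FUGR entries match the group name, FUNC entries the module.
                subject = group if auth["RFC_TYPE"] == "FUGR" else fm
                if fnmatchcase(subject, pattern):
                    grant = f'{auth["RFC_TYPE"]}={auth["RFC_NAME"]}'
                    reach.setdefault(fm, []).append(grant)
    return reach


def audit(role, groups, allowed):
    """Report excess grants, allowed modules not granted, and long names."""
    reach = callable_modules(role, groups)
    return {
        "excess": {fm: via for fm, via in reach.items() if fm not in allowed},
        "missing": sorted(allowed - set(reach)),
        "truncated": [a["RFC_NAME"] for a in role
                      if len(a["RFC_NAME"]) > RFC_NAME_LEN],
    }


if __name__ == "__main__":
    for kind, items in audit(ROLE, GROUPS, ALLOWED).items():
        print(kind, items)
```

Running it on the sample role shows the FUGR entry exposing `Z_PARTNER_DELETE_ORDER`; dropping that entry, as suggested above, then lists `Z_PARTNER_GET_STOCK` as missing until a FUNC entry is added for it.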