on 05-14-2009 11:53 PM
I'm following the steps on my SolMgr system in the IMG and have generated the RFC to/from connections to the satellite systems. When I check the connections, I get the following error:
RFC destination SM_BIFCLNT001_READ check beginning
RFC destination SM_BIFCLNT001_READ function checked
RFC destination SM_BIFCLNT001_READ check ended
RFC destination SM_BIFCLNT001_TRUSTED check beginning
RFC destination SM_BIFCLNT001_TRUSTED function error
RFC connection SM_BIFCLNT001_TRUSTED cannot be made (No authorization to logon as trusted system (Trusted RC=2).)
Function group SCCA cannot be called in RFC system SM_BIFCLNT001_TRUSTED
RFC destination SM_BIFCLNT001_TRUSTED check ended
Using SM59, SM_BIFCLNT001_TRUSTED tested OK. RC=2 says:
RC=2: The user has no authorization in the target system (for the object S_RFCACL).
ON the destination system, tcode su01, the target user has role: SAP_S_RFCACL(status green), which should contain S_RFCACL authorization.
Detailed text on the SCCA failure says:
An RFC call of function group SCCA to RFC destination SM_BIFCLNT001_TRUSTED failed.
Procedure
Check
the RFC destination definition ( -> RFC Destinations (Display and Maintenance) ) <- OK
Network address and target machine name <- OK
System number and ID <- OK
The connection to the target system (see the log for error messages)
if there is a user in the RFC destination, whether it exists in the target system with the correct password <- same passwd.
if there is a user in the RFC destination, whether it is authorized to call function modules in function group SCCA (authorization S_RFC) in the target system. <- User on target has roles SAP_S_RFCACL and SAP_SDCCN_ALL and profiles has SAP_ALL.
if the function group SCCA is in the system. <- How do I check this?
Also, is my REFRESH_ADMIN_DATA_FROM_SUPPORT job running correctly?
Job log overview for job: REFRESH_ADMIN_DATA_FROM_SUPPORT / 08393800
-
Date | Time | Message text | Message class | Message no. | Message type |
-
05/14/2009 | 08:39:38 | Job started | 00 | 516 | S |
05/14/2009 | 08:39:38 | Step 001 started (program AI_SC_REFRESH_READ_ONLY_DATA, variant , user ID DDIC) | 00 | 550 | S |
05/14/2009 | 08:40:01 | No Businss Partners will be generated from SAP Customer numbers | AI_SC_EN | 109 | I |
05/14/2009 | 08:40:01 | No Businss Partners will be generated from SAP Customer numbers | AI_SC_EN | 109 | I |
05/14/2009 | 08:40:01 | The following error messages have been returned by SAP Support Portal: | AI_SC_EN | 207 | I |
05/14/2009 | 08:40:01 | User S000xxxxxxx - System Data Maintenance authorization not found for customer 000xxxxxxx | 00 | 001 | I |
05/14/2009 | 08:40:01 | System headers will be generated in SMSY from SAP Support Portal | AI_SC_EN | 099 | I |
05/14/2009 | 08:40:01 | No new systems found in SAP Support Portal to generate in SMSY | AI_SC_EN | 103 | I |
05/14/2009 | 08:40:01 | Job finished | 00 | 517 | S |
-
Job is marked as finished OK.
xxxxxxx is my S-user number. I assume the data was pulled over using my customer number with S-user authorization. How do I verify this? Is thes job OK?
Hi Don,
Check if the following SAP Note can help you: 128447.
Regards,
Felipe Pitta
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I followed the steps in 128447 and Trusted/trusting relationships. http://help.sap.com/saphelp_nw04/helpdata/en/8b/0010519daef443ab06d38d7ade26f4/content.htm
The later had me create a modified authorization object of Z_S_RFCACL and profile Z_S_RFCACL. I'm using the same user on client and server, so RFC_USER=' '. The new profile was added to the user's profile list. Now I have about 15 Z_S_RFCACL profiles listed. Which one is actually used?
Some of the other steps have you generating roles, of which I had previously created Z_S_RFCACL role and activated, and linked to user. Now there are Z_S_RFCACL roles and profiles. Do I need to delete this role in order for the profile Z_S_RFCACL to be effective? The SMSY trusted RFC connection tests still fails with RC=2. The SM_<SYSID>CLNT001_TRUSTED RFC connection test OK, but authorization test fails with
Error Details You are not authorized to logon to the target system (error code 0).
The SM_<SYSID>CLNT001_TRUSTED RFC was created by SMSY. It appears to be identical to the auto-gen'd RFC TRUSTING_SYSTEM@<SYSID> on client, but has the Logon client and language set under Logon tab. I'm not able to set these values in the TRUSTING_SYSTEM@<SYSID> and it fails the connection test.
Hi I had the same problem with trusted systems give the user the SAP_TRANSLATOR role, Make sure you do the user compare
Mike
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I gave the user the SAP_TRANSLATOR role, did user comparison, authorization and user light is green and saved user. While login as that user, Same problem I attempted to maintain the tRFC, uncheck the not modifiable flag. When I switch tabs, the disk icon did not highlight to show its armed. I'm not able to modify anything. except the flag. Same under tc SMT2 or SM59->Trusting Systems. I redisplayed the roles under user with SU01, Roles, authorzatons, user are all still green.
Hi Don,
This may not sound like it makes sense, but in my experience when you have trust issues, delete all related destinations in SMT1 in the SolMan and Satellite systems. This should delete all of the RFC destinations. Recreate them using tcode SMSY. Make sure that the auths are correct in your S_RFCACL role. You should be good to go.
Send me your logs if this doesn't help and I'll see what I can find.
Regards,
Bill
Edited by: William Bowman on May 27, 2009 11:42 PM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Is there a similar solutiion using SMT2 for trusting systems. I was able to get the TRUSTING_SYSTEM@<server> to work from SolMgr to satellite system by turning off load-balancing.
But I can not modify the tRFC for TRUSTING_SYSTEM@<server> from satellite to SolMgr system. I tried it from SMT2 to maintenance and uncheck the "Destination unmodifiable" flag, but there was no diskette icon to save. Same from SM59->TRUSTING_SYSTEM@<host>.
I had deleted the RFC from the SM59 list, but it was still known to SMT2, which did inturn, recreate the RFC. But, I still could not modify anything.
Any ideas? This issue isn't that big of a deal, since it is used for testing only(per doc). But if you know of a solution right off hand, great. Otherwise, my main issue has been resolved, the tRFCs work from SolMgr to Satellite systems.
Thanks,
Don
Don
your S-user maintained in AISUSER in association with the user with which you are logged in into Solman and or the S-user associated with user DDIC (as i could see that this job is running with step user DDIC) with which this job is scheduled, is not 'Authorized enough' on marketplace. so check this, have super admin for this OSS id.
and for trusted RFC error, you have to assign S_RFC and S_RFCACL authorization objects to the user used in the 'login credentials' of the RFC and to the user who is right now making this connection test, both in Solman and the sattelite system.
check these Notes
Note 1082010 - Administration of several customer numbers
Note 1056595 - Authorization not found for installation number
Note 172481 - System data maintenance (collective note)
Bhudev
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Don
you have assigned the new Z_S_RFCACL profile to the user, so what's the confusion ? Obviously this profile will work instead of others, right ?
and remove the same role/object/profile which you did assign earlier to this user. If still RFC not working, then you can test the RFC by choosing the option 'current user' in 'Logon & Security' tab of RFC and then login with the user with which you want to test the connection (same user which is there in satellite system too) and check the trusted connection and check 'Remote login' then. and I hope, you already check marked the option 'trusted' in sm59 solman for this rfc
Also, you must be having a TRUSTED rfc for Solman itself, test that RFC by check marking the option 'current user'
The return code you're receiving clearly indicates your authorization is not ok.
You're best of setting up the role as follows:
Z_S_RFCACL Z_S_RFCACL
Manually Cross-application Authorization Objects
Manually Authorization Check for RFC Access
Manually Authorization Check for RFC Access
Activity All activities
Name of RFC to be protected *
Type of RFC object to be prote All values
Manually Authorization Check f RFC User (for Example, Trusted System)
Manually Authorization Check f RFC User (for Example, Trusted System)
Activity All activities
RFC client or domain *
RFC same user ID All values
RFC information *
System ID (for SAP and Externa *
RFC transaction code *
RFC User (SAP or External) *
Hopefully this is clear, if not, I can send you a screenshot, if you leave your email.
Hurray, the trusted RFC between SolMgr and satellite system is now working. This is the SM_<SYSID>CLNT_<client>_TRUSTED tRFCs. The auto-created tRFC TRUSTING_SYSTEM@<SYSID> is still not working. I need to delete and re-create.
I'm a novice at the role/profiles/authorizations, but learned at lot in the past 2 weeks. One of the keys that help me troubleshoot the issue is how to locate the S_RFCACL object in the role or profile. First was to bring up the authorization via 1)su01, select user role or profile, doubleclick on role or profile. under authorization tab, display authorizations data.
Key: Now turn on technical name display (utilities-> technical names on).
Search for S_RFCACL.
Verify correct settings are set as per example in note 128447.
In my case, I had to do this on both SolMgr and satellite systems, since I don't use CUA.
I did not have a couple of values set. So set missing values and activated objects.
I also deleted any old roles from previous attempts.
No from the sm59 tRFC, I'm able to connect OK. authenticate OK, and remote-login OK on both SolMgr and satellite systems.
I need to try and get the TRUSTING_SYSTEM tRFC working.
Thanks for everyone's help.
A source of confusion for me was in note 840516-Role and profile definition.
There are 2 main steps:
- To define the roles, proceed as follows:
- To define the profiles, proceed as follows:
These main steps are one or the other, but not both. This is probably obvious to the people experienced with roles/profiles/authorizations, but was not obvious to me. The note should be updated to state that these steps are an either OR situation. You either update the role or the profile.Suppose you could do both, but then must have one or other in the user's setup. I believe at one time, I had both and that did not work (might need to be verified).
Have you created the role: Z_S_RFCACL yet?
On both SolMan and Satellite?
After you have, assign the role to an identical user on both systems.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
84 | |
23 | |
11 | |
9 | |
8 | |
5 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.