Hi Andy,

I am changing and adding objects and values, but still no luck,

What aret the RFC authorisations I may need?

Hi,

It's almost impossible to say what you will need as setup will very much dictate what is needed.

Can we now assume that if you run a trace, all the return codes = 0 and it is still not working?

Does it work if you add S_RFC = * ?

Hi Alex,

I have made the authorisation check for RFC ACCESS AS SET TO Full access. and not just EXECUTE.

In OBJECT S_RFC i have added all the values too.

I cannot find any dunps? I switched on ST01, and log into the portal but why isnt the dump registered?

If i can see the DUMP I will be able to add all the objects that are failing.

is there a way in the authorisation I can make it work unlike giving SAP_ALL, but to test it for myself, like giving it all access?

Hi Aalex

her ei sthe message

RFC_NO_AUTHORITY

im not sure what this is and what to make work?

RFC_NO_AUTHORITY is typically related to the S_RFC authorisations. Are there any batch users/system users involved in the chain who do not have the relevant auths?

If this the the case then I am surprised that it is not being picked up in ST01, do you have more than 1 application server where you might need to activate it for?

Hi Alex.

I was told to use ST05 which I will in the morning.

I am not aware of any serviers. Do i need to create a new OBJECT, or must I in the already created object R_RFC just keep adding values? thats all I have been doing? As soon as I give the user SAP_ALL, it works perfectly?

Can I not give SAP_ALL, and in the S_RFC object make it * for everything?

In my ROLE I have the following Alex

AUTHORISATION CHECK FOR RFC ACCESS

(the ACTIVITY is saying ALL ACTIVITIES)

(NAME OF THE RFC TO BE PROTECTED is saying *

(TYPE OF RFC OBJECT TO BE PROTECTED is saying ALL VALUES

There is also

CHECK AT START OF EXTERNAL SERVICES

(PROGRAM TRANSACTION OR FUNCTION

TYPE OF CHECK FLAG AUTHORITY

Im not sure whether i need other OBJECTS?

Many thanks for you help

RFC_NO_AUTHORITY is typically related to the S_RFC authorisations. Are there any batch users/system users involved in the chain who do not have the relevant auths?

If this the the case then I am surprised that it is not being picked up in ST01, do you have more than 1 application server where you might need to activate it for?

apologies Alex

you asked

Are there any batch users/system users involved in the chain who do not have the relevant auths?

How can I check this?

what if I want to make them relevant?

is this done in THE ROLE itself?

I understand that your question is marked closed, but if SAP_ALL is not to be the solution then I have a small comment:

>eforms

and

>RFC_NO_AUTHORITY

...makes it suspect for me that this is infact the lesser known client side RFC check (object S_ICF) and not it's more common server side cousin (object S_RFC). Also because no function group was mentioned.

Please activate the SM19 audit log using the dynamic profiles for successfull and failed RFC calls. Distribute it to all servers. Then run your "eform" and evaluate the log in SM20/SM20N to find the destination name. My guess is that this is actually a BSP service started via the ICF. Check in transaction SICF for an activated service by the same or similar name.

Then take a look in transaction SM59 at that RFC destination's "Login and Security" tab. Is there an "Authorization Group" value on it?

Maintaining this field in combination with object S_ICF, you can control who can call the RFC connection (invoked by the ABAP statement DESTINATION) and not which function module name or group it should be called via.

Might be worth a try.

Cheers,

Julius

Edited by: Julius Bussche on Jul 29, 2009 10:25 PM

Aside from Julius' good information, you will need to speak to your Basis or team to find out if the setup requires any different users. Sometimes this is the case with portalised content and is another thing to check for. If this is the situation then check that the user has the S_RFC auths (and S_ICF it appears) too.

Have you established that it works OK with a really wide access user?

Hi Julius,

Many thanks fo ryour good reply.

I would like to do this step by step so I dont make a mistake.

What I have done in SU01 for the user, is I have in the ROLE created a new OBJECT called

AUTHORISATION CHECK FOR ICF.

There are 2 fileds,

INTERNET COMMUNICATION FRAMEWORK

DEST Destination Authorization

PROXY System Proxy Setting

SERVICE Internet Communication Framework Service

The above are all ticked

__________ ____________________________________________________________

INTERNET COMMUNICATION FRAMEWORK

I have put a * for this one.

What else should I had in the S_ICF object?

what will my next step be?

Manually Cross-application Authorization Objects

Manually Authorization Check for ICF Access

Manually Authorization Check for RFC Access

Manually Check at Start of External Services

There is not enough information in this to know what is going on on your side.

Is there a service in the ICF and what are the logon data settings for it (or a node higher up in the hierarchy)?

Is there an RFC destination protected by an authorization group?

Have you traced the execution of the eform? What did it say?

Cheers,

Julius

Hi Julius,

I did get a trace log surprisngly, and the message was as follows this is from ST22.

Short text

User "louise" has no RFC authorization for function group

What happened?

The user "What happened?

The user "louise" attempted to execute a function module from

the function group "HRASR00_WDA_SET_GET_DATA", but does not have the

appropriate

RFC authorization.

Error in the ABAP Application Program

The current ABAP program "SAPLHRASR00_WDA_SET_GET_DATA" had to be terminated

because it has

come across a statement that unfortunately cannot be executed." attempted to execute a function module from

the function group "HRASR00_WDA_SET_GET_DATA", but does not have the

appropriate

RFC authorization.

Error in the ABAP Application Program

What can you do?

The user "louise" has no RFC authorization for the function gr

"HRASR00_WDA_SET_GET_DATA". Please contact your system administ

you

the RFC authorization for the required function groups (such as

"HRASR00_WDA_SET_GET_DATA").

The RFC authorization object is S_RFC.

If the problem persists, proceed as follows:

Note down which actions and inputs caused the error.

To process the problem further, contact you SAP system

administrator.

Using Transaction ST22 for ABAP Dump Analysis, you can look

at and manage termination messages, and you can also

keep them for a long time.

I have created an ICF object, and checked all items, and added a "CHECK" to the ICF VALUE.

and I have gone into SM59, and in the ABAP CONNECTION, under the system and under LOGON and SECURITY i have typed in there "CHECK"

But i cannot make it still work?

I am desparate to make this work, I feel with your help I am almost there, and learning alot from this.

what else could it be, or can you advice me?

Everything in that error message points towards the user having insufficient S_RFC authorisations.

In addition to the full S_RFC access (where you have * for the function groups), try giving a separate instance of the object with the actual value in the short dump. There are some situations (though I have not seen it in S_RFC) where * is evaluated a * character rather than the wildcard.

So it is a Web Dynpro ABAP application...

Without knowing what's going on there and your config, I would recommend external debugging if this is a test environment.

If it is in PROD, then consider opening a SAP customer¨message, however it might be faulty config which is not really software support necessarily...

Cheers,

Julius

Hi Alex,

what do you mean by saying.............

*try giving a separate instance of the object with the actual value in the short dump. There are some situations (though I have not seen it in S_RFC) where * is evaluated a * character rather than the wildcard.*

Sometimes * values are read as the character "*". It is not often the case, but if you have already given full S_RFC auths to the user then it is a possibility.

What you could do is add another instance of the object to a temporary role for the user containing activity 16, RFC Type = FUGR and RFC name = HRASR00_WDA_SET_GET_DATA to see if this dump still occurs when you provide the exact authorisation it is requesting.

I think I asked earlier but don't recall you providing the info, does this work when you run it with a user with very wide authorisations (e.g. SAP_ALL in your non-production system)?

Hi Alex,

let me try this.

answrering your earlier question, apologies if I never, but if I give SAP_ALL, than everything works perfectly and all my forms are loaded, as soon aS i TAKE OFF SAP_ALL, than it falls over again?

Edited by: Julius Bussche on Aug 3, 2009 11:34 AM

Sentence completed..

Hi Alex,

so it could never be anything to do with setting in SM59 or in SICF, as as soon as i give SAP_ALL to the user it all works?

I surely must be missing some kind of authorisation OBJECTS, these are the ones I have currently in the S_RFC( ACTVT) is EXECUTE. and S_RFC( RFC NAME) is showing the following OBJECTS..............

HRASR00_WDA_SET_GET_DATA

HRHAP_UI_DOCUMENT_PORTAL

HRWPC_OADP_UI

HRXSSCE

HRXSS_SER_AUTHORITHY_CHECK

HRXSS_SER_MENUCONFIG

SFW_COMMON

SWRC

SYST

HRMSS_ADDTL_SERVICES

HRMSS_EMPLOYEEPROFILE

HRMSS_PROFILEMATCHUP

HRMSS_UTIL_PROFILES

HRSSC00TRACKING

and within S_ICF, i have for the field ICF_FIELD, all values or for the specific values for

DEST Destination Authorization

PROXY System Proxy Setting

SERVICE Internet Communication Framework Service

for the ICF_VALUE its set as "*" or just a * without any other symbols.

thanks

OK, thanks for confirming that it works with SAP_ALL.

There are 2 things I would suggest doing:

1. With a wide access userID, run the process with an auth trace activated (ST01). Reconcile the list of object values checked in there against what the user has (you could use SU56).

This give you a known good user and the trace will pick up all auth checks performed on that user. You can then merge the differences into your user who is having an error.

2. To speed things up, you could assign S_RFC to your user where RFC_NAME = * to see if this gets past the problem. If it does then we will know that it is that particular object causing the problem.

Dear Alex,

I see what you mean, correct me if im wrong.

You wnat me to do the following....

The user which has SAP_ALL, I run transaction SU56 and see what objects he has got, and than I enter those objects to the user whom is having the problems?

I think that may be better option for me?

What you should do is

1. log in with SAP_ALL user

2. Switch on authorisation trace

3. Process the eform

4. Stop the trace

5. Compare the objects & values in the trace file against the user who is having the problem. You can use SU56 to easily see what auth objects and values the problem user is having.

Is that more clear?

Hi Koser,

I am gaining the impression that this is not anything real on your side with real details, possible even a real system and eform... but rather a learning excersize?

Am I correct?

Cheers,

Julius

Dear Julius,

This is a development issue im having and not a learning excercise which your indicating

goodbye

thanks

thanks Alex,

I shall undertake this and see what happens, i think I may have done it, but will test later,

Alex,

Job done! many many thanks, its was the SM59 that did it, by checking all the objects.

I appreciate your help here.

thanks for answering those questions,

10 points to you!

Ahh, I should have seen that. Missed it completely...

You just saved the object field in the missing value and then generated the SM59 authorization back again so that the function group synced itself with the eForm.

Cool. Thanks for sharing...

Cheers,

Julius

Can I ask where you got this list?

HRASR00_WDA_SET_GET_DATA

HRHAP_UI_DOCUMENT_PORTAL

HRWPC_OADP_UI

HRXSSCE

HRXSS_SER_AUTHORITHY_CHECK

HRXSS_SER_MENUCONFIG

SFW_COMMON

SWRC

SYST

HRMSS_ADDTL_SERVICES

HRMSS_EMPLOYEEPROFILE

HRMSS_PROFILEMATCHUP

HRMSS_UTIL_PROFILES

HRSSC00TRACKING

I have turned on rfc_authority_check=1 and everytime I fix one of the above another dumps. looking for another entry from your list. Thanks