Note 931252 - Authority check for function group SRFC

Former Member
0 Kudos

Dear All,

Does anyone have experience in implementing the above mentioned note on an operational system? We have set the parameter auth/rfc_authority_check to value "9", which resulted in an endless stream of short dumps (RFC_NO_AUTHORITY) on our test system.

Apparently when the parameter is set this way, not only the function group SRFC is being checked, but also ERFC, ARFC and SYST. Are there more function groups which are checked, which were not checked before, when you set this parameter to 9?

As it turns out (almost) all users are somehow - without knowing it - using the mentioned function groups. Are there default authorizations that any user should have? We want to limit the authorizations as much as possible; if we simply give everyone broad authorizations, it doesn't make sense to set the parameter. However, we're struggling with defining exactly what they should have.

Are there logs or trace files that we could analyze to find out which user groups are using these function groups and in which way?

Any advice would be very welcome.

Kind regards

Maaike Duchateau

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

Thanks for the quick response.

We are now arranging the parameter to be changed back to '2'.

Our assumption was - based on the description of the parameter - that setting '2' was only relevant if you use single sign-on for logging on to the SAPGUI. From your response I understand that this assumption was not correct as it is also relevant for internal connections. However, we are still struggling to understand what the essential differences are between different settings.

From your response I understand that:

- When changing the parameter to '2' the function groups SYST, ARFC & ERFC will be checked and

- also internal connections will be checked

- When changing the parameter to '9' in addition to the ones mentioned above also function group SRFC will be checked

Did I understand correctly?

Reading the post you referred to: it indicates that a lot of users (if not all) need some authorization for S_RFC. Do you know if it is described somewhere what the minimum authorizations are that users should have, or does that depend a lot on your system configuration?

Thanks a lot for your help!

Kind regards

Maaike

3 REPLIES 3

Former Member
0 Kudos

Take a look at the question asked here -->

The change from 1 to 2 will activate the authority check on the additional function groups - for example when the RFC is in fact a "wrapper" for another RFC calling a further destination within the target system. This means that the internal destinations (see SM59 for these: NONE, BACK, appserver switching, etc.) are also subject to the S_RFC check.

The change from 2 to 9 only activates the same check on FUGR SRFC.

You cannot go from 1 to 9 without passing 2..

Cheers,

Julius

0 Kudos

May I ask why you are making these changes? Are you using trusted RFC? There are different configuration options depending on your security needs and evaluation of the risks. Without being able to do that, I would recommend sticking to the defaults...

> - When changing the parameter to '2' the function groups SYST, ARFC & ERFC will be checked and

No, all FUGRs will be checked, if...

> - also internal connections will be checked

... the FM is called via an internal destination as well.

> - When changing the parameter to '9' in addition to the ones mentioned above also function group SRFC will be checked

Yes, in addition to all of the ones potentially checked above (depending on how it is called).

> Reading the post you referred to: it indicates that a lot of users (if not all) need some authorization for S_RFC.

Yes, if you set it to 2 (which is most of the work) or 9 (which is not much additional work at all) then they will all need a little bit of S_RFC. Even with 1 they will need a little bit of S_RFC for some lists, ESS, etc.

> Do you know if it is described somewhere what the minimum of authorizations are that users should have or is that depending a lot on your system configuration?

Take a look into SAP Note 460089 (https://service.sap.com/sap/support/notes/460089) for a good starting point. It is dependent on the configuration.

Cheers,

Julius
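
The following is an added example, not part of the original thread and not SAP code: a small model of the three auth/rfc_authority_check settings as described in the replies above, used to estimate which users would start hitting RFC_NO_AUTHORITY before the parameter is changed. The user names, the call records, the granted function groups and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (user, function group, called via internal destination?)
CALLS = [
    ("ALICE", "SYST", True),
    ("ALICE", "SRFC", False),
    ("BOB", "ARFC", True),
    ("BOB", "ZSALES", False),
    ("CAROL", "ERFC", True),
    ("CAROL", "SRFC", True),
]

# Constructed sample: function groups covered by each user's S_RFC authorization
GRANTED = {"ALICE": {"SYST"}, "BOB": {"ZSALES"}, "CAROL": set()}


def check_applies(param, fugr, internal):
    """Return True if S_RFC is checked, following the thread's description."""
    if param not in (1, 2, 9):
        raise ValueError("only the values 1, 2 and 9 from the thread are modelled")
    if fugr == "SRFC":      # SRFC is only checked with value 9
        return param == 9
    if internal:            # internal destinations are checked from value 2 on
        return param >= 2
    return True             # other calls are checked at every modelled value


def missing_s_rfc(param, calls=CALLS, granted=GRANTED):
    """Map each user to the function groups that would fail the S_RFC check."""
    gaps = defaultdict(set)
    for user, fugr, internal in calls:
        if check_applies(param, fugr, internal) and fugr not in granted.get(user, set()):
            gaps[user].add(fugr)
    return {user: sorted(groups) for user, groups in sorted(gaps.items())}


def added_by_change(old, new):
    """Function groups that only start failing when moving from old to new."""
    before, after = missing_s_rfc(old), missing_s_rfc(new)
    delta = {u: sorted(set(g) - set(before.get(u, []))) for u, g in after.items()}
    return {u: g for u, g in delta.items() if g}


if __name__ == "__main__":
    for value in (1, 2, 9):
        print(value, missing_s_rfc(value))
    print("2 -> 9 adds:", added_by_change(2, 9))
```

Fed with call records taken from a test system instead of the constructed ones, the per-user output is a starting list of function groups to review for S_RFC, rather than granting broad authorizations.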