Application Development Discussions
Roles and Authorizations for RFC service user=SAP_ALL?

Former Member

Dear Security Experts,

Could someone reiterate that the RFC user type = service user (that has dialog privileges enabled irrespective of the original user's privileges) should have SAP_ALL in the authorization profile. Is this a good practice? If not, could someone share some tried and tested roles for an RFC service user (that is not SAP_ALL). The context is an RFC connection between the ECC and APO boxes, with the service user being in APO that returns a screen to an FM call from ECC.

Thanks for looking into this

Regards,

Loknath

SAP APO consultant

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor

> Could someone re-iterate that the RFC user type = service user (that has dialog privileges enables irrespective of the original user privileges) should have SAP_ALL in the authorization profile. Is this a good practice?

No, on the contrary. This kind of user generally gets left behind, as it tends to be difficult to pinpoint which authorizations they actually need. I have never seen any better advice than to trace them for a while and build roles based on the trace results. Do mind that some actions occur only monthly or yearly, and try to incorporate those into the traced period.
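The trace-then-build approach from the accepted answer, as an added worked example that is not part of the original thread: a small script that aggregates authorization-check trace entries for one RFC service user into a least-privilege role proposal, reports failed checks separately, flags objects a connection user should not normally hold, and checks whether the traced period is long enough to have caught monthly and yearly jobs. The trace line format, the user name RFC_APO_ECC, the function-group and transaction names, and the list of sensitive objects are all constructed assumptions for illustration; a real ST01/STAUTHTRACE export has its own layout and would need its own parser.

```python
"""Aggregate authorization-trace entries for an RFC service user into a
minimal role proposal (added example; not code from the original thread).

Assumed, simplified trace format (one check per line):
    <date> <time> <user> <auth object> RC=<return code> <FIELD=VALUE;...>
RC=0 means the check passed. Real ST01/STAUTHTRACE exports differ.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample trace for the hypothetical service user RFC_APO_ECC.
# Function-group and transaction names are placeholders, not real objects.
SAMPLE_TRACE = """\
2023-01-05 08:12:01 RFC_APO_ECC S_RFC RC=0 RFC_TYPE=FUGR;RFC_NAME=SYST;ACTVT=16
2023-01-05 08:12:01 RFC_APO_ECC S_RFC RC=0 RFC_TYPE=FUGR;RFC_NAME=RFC1;ACTVT=16
2023-01-05 08:12:02 RFC_APO_ECC S_RFC RC=0 RFC_TYPE=FUGR;RFC_NAME=ZAPO_PLANNING;ACTVT=16
2023-02-14 09:30:10 RFC_APO_ECC S_RFC RC=0 RFC_TYPE=FUGR;RFC_NAME=ZAPO_PLANNING;ACTVT=16
2023-02-14 09:30:11 RFC_APO_ECC S_TCODE RC=0 TCD=ZAPO_PLAN
2023-03-01 02:00:00 RFC_APO_ECC S_RFC RC=4 RFC_TYPE=FUGR;RFC_NAME=ZAPO_BATCH;ACTVT=16
2023-03-01 02:00:01 RFC_APO_ECC S_USER_GRP RC=0 CLASS=SUPER;ACTVT=02
"""

# Assumption for illustration: objects an interface user should not carry
# (user/role administration, development, RFC destination administration).
SENSITIVE_OBJECTS = {"S_USER_GRP", "S_USER_AGR", "S_USER_PRO", "S_USER_AUT",
                     "S_DEVELOP", "S_RFC_ADM"}


def parse_trace(text):
    """Parse the constructed trace format into a list of check dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(" ", 5)
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        rc = int(parts[4].split("=", 1)[1])
        fields = {}
        if len(parts) > 5:
            fields = dict(kv.split("=", 1) for kv in parts[5].split(";"))
        entries.append({"ts": ts, "user": parts[2], "object": parts[3],
                        "rc": rc, "fields": fields})
    return entries


def build_role_proposal(entries, user):
    """Merge all *passed* checks for `user` into object -> field -> values.

    Failed checks are deliberately excluded: whether the interface really
    needs them is a question for the interface developers, not the trace.
    """
    merged = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if e["user"] != user or e["rc"] != 0:
            continue
        for field, value in e["fields"].items():
            merged[e["object"]][field].add(value)
    return {obj: {f: sorted(v) for f, v in fields.items()}
            for obj, fields in merged.items()}


def failed_checks(entries, user):
    """Checks that failed (RC != 0): candidates to discuss with developers."""
    return [(e["object"], e["fields"]) for e in entries
            if e["user"] == user and e["rc"] != 0]


def sensitive_in_proposal(proposal):
    """Objects in the proposal that a service user should normally not have."""
    return sorted(set(proposal) & SENSITIVE_OBJECTS)


def months_covered(entries):
    """Calendar months represented in the trace, e.g. ['2023-01', ...]."""
    return sorted({f"{e['ts'].year}-{e['ts'].month:02d}" for e in entries})


def covers_full_year(entries):
    """True if the trace spans at least a year (catches year-end activity)."""
    stamps = [e["ts"] for e in entries]
    return bool(stamps) and (max(stamps) - min(stamps)).days >= 365


if __name__ == "__main__":
    user = "RFC_APO_ECC"
    entries = parse_trace(SAMPLE_TRACE)
    proposal = build_role_proposal(entries, user)
    for obj, fields in proposal.items():
        print(obj, fields)
    print("failed checks:", failed_checks(entries, user))
    print("sensitive objects to challenge:", sensitive_in_proposal(proposal))
    print("months covered:", months_covered(entries))
    if not covers_full_year(entries):
        print("warning: trace shorter than a year; yearly jobs may be missing")
```

Run against the sample, the proposal for S_RFC collapses to one ACTVT=16 entry over the three function groups that were actually called, the S_USER_GRP hit is raised as something to challenge rather than copy into the role, the failed ZAPO_BATCH call is listed for the developers to confirm or drop, and the two-month trace window triggers the full-year warning the answer cautions about.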

REPLIES


Thanks Jurjen,

Any specific existing authorizations that you could lend?

Awarded full points.

Regards,

Loknath


> Any specific existing authorizations that you could lend?

Nope, sorry. I have never taken them with me, because I had to tailor them to the customers' needs every time.

Best start with a trace and talk to your interface developers to figure out the needs.


> I have never seen any better advice than to trace them for a while and build roles based on the trace results.

The Rolls-Royce method is to train the developers to build integration roles for the connection users together with developing the applications and making the config for the documented use-cases for them.

This way they can test and transport both together. This is sustainable for keeping these users equipped with the authorizations which they do need.

The only other option I see is SAP_ALL or SAP_ALL minus SU01, etc... for a "temporary" period of time, which gets longer and longer.....

Useful here is the S_RFC_ADM object, and a little tweak of their authorizations.

Cheers,

Julius