12-22-2009 9:48 AM
Dear All,
Our Netweaver EP developer is requesting SAP_ALL to access the SAP ECC6 system.
Is there any standard role from SAP to support RFC calls from Netweaver AS to SAP ECC6?
In reality the requirement is only to make a web-based application for editing personal user information.
Thanks and Regards
Syed Saifuddin
12-22-2009 9:55 AM
> Our Netweaver EP developer is requesting SAP_ALL to access the SAP ECC6 system.
> Is there any standard role from SAP to support RFC calls from Netweaver AS to SAP ECC6?
Well, if it's a development system you could always mutilate a copy of sap_all so he cannot really harm the system.
Having said that, I think restricting a developer's access on a development system is like locking the doors in a house that is under construction. It will in no way improve the quality of the build and everyone will just walk around the doorframes...
If it's any other system you should ask why anyone wants to develop stuff anywhere else than on a development system.
Just my 2 Cents
Jurjen
12-22-2009 10:12 AM
Hi Jurjen Heeck
I think my knowledge is very limited, so I did not express the requirement in my question.
The application built on Netweaver EP is a Java web-based application; it can connect with Dev or Qty or Prd.
But for connecting to any system the Netweaver Server needs a username in SAP.
Now during development I can create a user having SAP_ALL in the Development System.
Now the same application needs to connect to Quality and then to Production.
So in Quality I want to restrict the user to only the T-Codes used in the portal application and those required for RFC communication.
I want to know whether there is any standard role or T-Code I can assign to the user to run the application from EP.
Regards
Syed Saifuddin
12-22-2009 10:17 AM
Hi Syed Saifuddin,
There are no standard roles available; however, you may create a temporary ID with wide access and then trace the authorizations required. S_RFC and others would be required, depending on the functionality used...
Cheers !!
Zaheer
12-22-2009 10:21 AM
> Now during development I can create a user having SAP_ALL in the Development System.
Yep, indeed.
> Now the same application needs to connect to Quality and then to Production.
The problem is that you'll probably not know which authorizations are needed in the backend until development is completed.
> So in Quality I want to restrict the user to only the T-Codes used in the portal application and those required for RFC communication.
Best talk to the developer and/or run an ST01 trace on the backend user along with the first unit tests to see which objects are checked in the background. Basically the one who develops such an application should feed you with the requirements, at least at S_TCODE level.
For the RFC connection have a look at the \*RFC\* objects and their documentation.
Jurjen
12-22-2009 10:29 AM
The developer should build the role for the RFC connection together with the application, or contact you to build a role for it with your help.
For RFC access from one system to another, they should NOT deliver any S_TCODEs. Remote enabled function modules should by definition _not_ perform any checks against object S_TCODE!
Cheers,
Julius
12-22-2009 10:37 AM
> Remote enabled function modules should by definition _not_ perform any checks against object S_TCODE!
Is this true for portal components as well? I thought they sometimes were transaction-based.
Can you point me to documentation about this?
12-22-2009 10:43 AM
To be more specific, I am getting the following error on my portal page:
com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: User EBRAHIME has no RFC authorization for function group SYST
Regards
Syed Saifuddin
12-22-2009 10:49 AM
Okay, this user needs a role which has:
Authorization Object: S_RFC
Activity: 16
Name of the RFC object that is being protected: * (You can later on find out which functions are to be specified here)
Type of the RFC object that is being protected: *
I agree with Julius... If only function modules are used then it should not require S_TCODE.
Cheers !!
Zaheer
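One way to replace the `*` in the S_RFC name field with the function groups the portal application actually calls, shown as an added example that is not part of the original posts: the script collects the function groups named in JCo "no RFC authorization" errors and proposes S_RFC field values per backend user. The log lines (apart from the error quoted in the thread), the user PORTAL_RFC and all function names in the script are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Message format taken from the JCo error quoted in the thread.
DENIED = re.compile(
    r"RFC_ERROR_LOGON_FAILURE: User (?P<user>\S+) has no RFC authorization "
    r"for function group (?P<fugr>[A-Z0-9_/]+)"
)

# Constructed sample log: the first line is the error from the thread,
# the remaining lines are made up in the same format.
SAMPLE_LOG = """\
com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: User EBRAHIME has no RFC authorization for function group SYST
com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: User EBRAHIME has no RFC authorization for function group RFC1
INFO portal request served in 120 ms
com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: User EBRAHIME has no RFC authorization for function group SYST
com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: User PORTAL_RFC has no RFC authorization for function group SDIFRUNTIME.
"""


def missing_function_groups(log_text):
    """Return {user: sorted function groups} for every denied RFC call."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        match = DENIED.search(line)
        if match:
            found[match.group("user")].add(match.group("fugr"))
    return {user: sorted(groups) for user, groups in found.items()}


def s_rfc_values(groups):
    """Field values for one S_RFC authorization limited to these groups."""
    if not groups or "*" in groups:
        raise ValueError("refusing to build a wildcard S_RFC authorization")
    # ACTVT 16 is the activity given in the post above.
    return {"RFC_TYPE": "FUGR", "RFC_NAME": list(groups), "ACTVT": "16"}


def role_proposal(log_text):
    """Map each backend user to the S_RFC values its denied calls need."""
    groups_by_user = missing_function_groups(log_text)
    return {user: s_rfc_values(g) for user, g in groups_by_user.items()}


if __name__ == "__main__":
    for user, auth in role_proposal(SAMPLE_LOG).items():
        print(user, auth)
```

Each failed call names only the function group checked at that point, so the application has to be exercised again after every role change until no denials remain.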
12-22-2009 1:22 PM
> Is this true for portal components as well? I thought they sometimes were transaction-based.
I guess a transaction iView would check the tcode when launched, as would Webgui for Java via a browser... but a portal development to access the ABAP system without SAPGui attached would more likely have implemented a BAPI (by definition no S_TCODE check) and generated a web service for it in SE37 (here the check would be S_SERVICE) or called the BAPI via RFC (here the check would be S_RFC for the entry point).
The few exceptions I know of are where the function module uses a CALL SCREEN in a new mode to start the SAPGui. In this case an S_TCODE check is correct, but you should also not use it in RFC so there is still no S_TCODE object for the user. An example of this is PFCG.
Cheers,
Julius