Solved: Accessing SAP ECC6 from EP

Former Member · ‎12-22-2009

Dear All,

Our Netweaver EP developer is requesting for SAP_ALL to access sap ecc6 system.

Are there any standard role from sap to support RFC call from Netweaver AS to SAP ECC6.

in reality the requirement is only to make web based application for editing personal user information.

Thanks and Regards

Syed Saifuddin

jurjen_heeck · ‎12-22-2009

> Our Netweaver EP developer is requesting for SAP_ALL to access sap ecc6 system.

> Are there any standard role from sap to support RFC call from Netweaver AS to SAP ECC6.

Well, if it's a development system you could always mutilate a copy of sap_all so he cannot really harm the system.

Having said that, I think restricting a developers' access on a development system is like locking the doors in a house that is under construction. It will in no way improve the quality of the build and everyone will just walk around the doorframes......

If it's any other system you should ask why anyone wants to develop stuff anywhere else than on a development system.

Just my 2 Cents

Jurjen

jurjen_heeck · ‎12-22-2009

> Our Netweaver EP developer is requesting for SAP_ALL to access sap ecc6 system.

> Are there any standard role from sap to support RFC call from Netweaver AS to SAP ECC6.

Well, if it's a development system you could always mutilate a copy of sap_all so he cannot really harm the system.

Having said that, I think restricting a developers' access on a development system is like locking the doors in a house that is under construction. It will in no way improve the quality of the build and everyone will just walk around the doorframes......

If it's any other system you should ask why anyone wants to develop stuff anywhere else than on a development system.

Just my 2 Cents

Jurjen

Former Member · ‎12-22-2009

Hi Jurjen Heeck

I think my knowledge is very less so I did not express the requirement in my question.

Application built on Netweaver EP is a java web based application it can connect with Dev or Qty or Prd.

But for connecting to any system the Netweaver Server need a username in SAP.

now during development I can create a user having SAP_ALL in Development System.

Now the same application need to connect to Quality and then to Production.

So in Quality I want to restrict the user to only T-Code used in the portal application and those require for RFC communication.

I want to know is there any standard Role or T-Code so I can assign it to user to run application from EP.

Regards

Syed Saifuddin

Former Member · ‎12-22-2009

Hi Syed Saifuddin,

There are no standard roles available, however you may create a temporary ID with wide access and then trace the authorization required like S_RFC and others would be required depending on the functionality used....

Cheers !!

Zaheer

jurjen_heeck · ‎12-22-2009

> now during development I can create a user having SAP_ALL in Development System.

Yep, indeed.

> Now the same application need to connect to Quality and then to Production.

The problem is that you'll probabely not know which authorizations are needed in the backend until development is completed.

> So in Quality I want to restrict the user to only T-Code used in the portal application and those require for RFC communication.

Best talk to the developer and/or run an ST01 trace on the backend user along with the first unit tests to see which objects are checked in the background. Basically the one who develops such an application should feed you with the requirements, at least at S_TCODE level.

For the rfc connection have a look at the \*RFC\* objects and their documentation.

Jurjen

Former Member · ‎12-22-2009

The developer should build the role for the RFC connection together with the application, or contact you to build a role for it with your help.

For RFC access from one system to another, they should NOT deliver any S_TCODEs. Remote enabled function modules should by definition _ not_ perform any checks against object S_TCODE!

Cheers,

Julius

jurjen_heeck · ‎12-22-2009

> Remote enabled function modules should by definition _ not_ perform any checks against object S_TCODE!

Is this true for portal components as well? I thought they sometimes were transaction-based.

Can you point me to documentation about this?

Former Member · ‎12-22-2009

To be more specific I am getting following error on my portal page

com.sap.mw.jco.JCO$Exception: (103) RFC_ERROR_LOGON_FAILURE: User EBRAHIME has no RFC authorization for function group SYST

Regards

Syed Saifuddin

Former Member · ‎12-22-2009

Okay, this user needs a role which has

Authorization Object : S_RFC

Activity: 16

Name of the RFC object that is being protected: * (You can later on find out which all functions to be spefied here)

Type of the RFC object that is being protected: *

I Agree with Julius... If only function modules are used then it should not require S_TCODE..

Cheers !!

Zaheer

Former Member · ‎12-22-2009

> Is this true for portal components as well? I thought they sometimes were transaction-based.

I guess a transaction iView would check the tcode when launched, as would Webgui for Java via a browser... but a portal development to access the ABAP system without SAPGui attached would more likely have implemented a BAPI (by definition no S_TCODE check) and generated a web service for it in SE37 (here the check would be S_SERVICE) or called the BAPI via RFC (here the check would be S_RFC for the entry point).

The few exceptions I know of are where the function module uses a CALL SCREEN in a new mode to start the SAPGui. In this case an S_TCODE check is correct, but you should also not use it in RFC so there is still no S_TCODE object for the user. An example of this is PFCG.

Cheers,

Julius