RFC security - ABAP

Former Member
0 Kudos

We did a test in our sandbox ERP system setting auth/rfc_authority_check=1.

Now many users are missing specific rfc_names - SYST, etc.

I am curious how others use this parameter. Can I use an asterisk *? Is that bad?

Seems every time I add a specific rfc_name another pops up.

5 REPLIES 5

Former Member
0 Kudos

There are a few hundred transactions and function modules which have proposal values maintained in SU24. If you build your roles from the menu and use these proposals and tweak them to fit your user's remote enabled needs... then your life becomes MUCH easier.

However it requires some invested time in the beginning.

Also with your setting (1) you should not be misled by the internal destinations used - primarily destination NONE is recorded in the SM20N log, but it is not reacted to in the check.

I would recommend adding any of the absolute basic function groups which are needed and not of any risk to you into a "general role for all users".

Cheers,

Julius

0 Kudos

Thanks for your response. So if I understand your recommendation it is to keep going... and identify each missing rfc_name / function group and add as I go... this is best practice? Some are very obscure and I cannot find documentation. Example: SFW_COMMON

0 Kudos

Yes, you can do it that way. You will get to learn the system well...

Like in this case, SFW_COMMON is used for BC sets the Switch Framework. So see who is using SFW1 to SFW5 transactions (should be very few...) but there is also mention of parallel processing in some of the functions so chances are good that you will find it being an internally used remote call (within the same SID) so you do not need to give this access at your current config.

If you see an RFC failing, then please check ST22 as well to see whether it really dumped. It might also "just" be a config dependent "try" to see whether there is a connection, and if not then it proceeds locally.

I am sorry, but there is no easy medication for this tricky topic, but it will settle down after a few days and you have done it once or twice.

Cheers,

Julius

Edited by: Julius Bussche on Dec 23, 2009 3:56 PM

Switch Framework corrected.

0 Kudos

Hi Julius. I see Thread: Vehicle use eform not appearing...

All those listed there is what I am missing. I am wondering where the list came from. Any ideas?

0 Kudos

That thread is about "eforms" - a web-based application which was accessing the ABAP system data using RFC.

It is not clear whether it actually was a real question...

Are you also having a mix of Switch Framework functions and HR MMS employee functions??

I recommend that you use the SM19 audit log to record the RFC calls in your system where the users are (not a sandbox where development work and testing is going on...) and expand the layout of the SM20N report to include the destination being called.

There is more information on how to do this in the Security Wiki (see the How to secure RFC page).

Then you will have more reliable data to work with, regardless of how your system is configured or the applications differ from those in KoserK's mind...

Cheers,

Julius
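
The approach described in the replies above (record RFC calls with the audit log, include the destination, set aside calls to the internal destination NONE, and separate basic function groups for a general role from user-specific ones) can be sketched as a small log summary. This is an added example, not part of the original thread and not SAP code; the semicolon-separated layout, the column names, the sample rows and the 75% threshold are all constructed assumptions and do not reflect the real SM20N export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column layout is an assumption for illustration.
SAMPLE_EXPORT = """user;function_group;destination
ALICE;SYST;ERP_PRD
BOB;SYST;ERP_PRD
CAROL;SYST;ERP_PRD
ALICE;SFW_COMMON;NONE
BOB;RFC1;ERP_PRD
CAROL;SFW_COMMON;NONE
ALICE;SYST;ERP_PRD
"""

# Internal destination that the thread says is logged but not checked at setting 1.
INTERNAL_DESTINATIONS = {"NONE"}

def summarize_rfc_calls(export_text, common_share=0.75):
    """Group recorded RFC calls into candidate S_RFC RFC_NAME values.

    Returns function groups used by at least `common_share` of all users
    (candidates for a general role), the remaining groups per user, and a
    count of calls skipped because they went to an internal destination.
    """
    users_by_group = defaultdict(set)
    skipped_internal = defaultdict(int)
    all_users = set()
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        user = (row.get("user") or "").strip().upper()
        group = (row.get("function_group") or "").strip().upper()
        dest = (row.get("destination") or "").strip().upper()
        if not user or not group:
            continue  # incomplete record, nothing to attribute
        all_users.add(user)
        if dest in INTERNAL_DESTINATIONS:
            skipped_internal[group] += 1
            continue
        users_by_group[group].add(user)
    threshold = common_share * len(all_users)
    common = sorted(g for g, u in users_by_group.items() if len(u) >= threshold)
    per_user = defaultdict(set)
    for group, users in users_by_group.items():
        if group not in common:
            for user in users:
                per_user[user].add(group)
    return {
        "general_role": common,
        "per_user": {u: sorted(g) for u, g in sorted(per_user.items())},
        "skipped_internal": dict(skipped_internal),
    }

if __name__ == "__main__":
    print(summarize_rfc_calls(SAMPLE_EXPORT))
```

The output is a list of explicit function group names to review before they go into a role; each candidate still needs the risk assessment the reply describes.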