07-28-2010 4:06 AM
Hi,
Our CRM guys asked me to create a user named RFCUSER in our R/3 system. But the guys cannot tell me which authorization profile to give to this user. So he asked me for SAP_ALL & SAP_NEW. Can somebody tell me whether SAP_ALL is a sound choice? Or does SAP have some special role for the CRM integration user in the R/3 system?
Thanks a lot!
Terry
07-28-2010 4:27 AM
hi Terry,
As it is a new implementation, for RFCUSERS you need to give SAP_ALL / SAP_NEW in DEV / QAS systems. In these cases Basis guys won't compromise. Sometimes they need more than SAP_ALL; that can be added on a case-by-case basis.
User ID is a unique ID for all the systems.
Thanks,
Sri
07-28-2010 4:36 AM
Hi,
SAP_ALL is usually not a good idea but it's really convenient. Definitely check Note 338537 - RFC user authoriz. for data exchange R/3 back end <-> CRM. As it is mentioned in the OSS note, you can try to build a role for the RFC user with limited authorizations. This can be really hard and painful. You need to ask what FMs they need to call from CRM or just trace RFC calls from CRM to see what is executed. You can also run trace ST01 to get the authorization checks executed in these FMs.
Have a look at this wiki (https://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections) which is listed in memorable discussions (top thread in this forum).
Cheers
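The trace-then-build-a-role approach from the post above, as an added example that is not part of the original thread: it reduces traced authorization checks for one RFC user to the distinct checks and reports which of them a candidate limited role would still fail. The CSV layout, the candidate role structure, and all function group and transaction names are constructed assumptions (this is not the native ST01 output), and the matching is a simplified model of authorization evaluation.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample: a simplified CSV rendering of authorization-check
# trace records. The layout is an assumption for this example, not the
# native ST01 output; function group and transaction names are placeholders.
SAMPLE_TRACE = """\
user,object,values
RFCUSER,S_RFC,RFC_TYPE=FUGR;RFC_NAME=ZEXAMPLE_FG1;ACTVT=16
RFCUSER,S_RFC,RFC_TYPE=FUGR;RFC_NAME=ZEXAMPLE_FG2;ACTVT=16
RFCUSER,S_RFC,RFC_TYPE=FUGR;RFC_NAME=ZEXAMPLE_FG1;ACTVT=16
RFCUSER,S_TCODE,TCD=ZEXAMPLE_TX
DIALOG01,S_RFC,RFC_TYPE=FUGR;RFC_NAME=ZOTHER_FG;ACTVT=16
"""

# Hypothetical candidate role: object -> list of authorizations, each
# mapping a field to its allowed value patterns ('*' as wildcard).
CANDIDATE_ROLE = {
    "S_RFC": [{"RFC_TYPE": ["FUGR"], "RFC_NAME": ["ZEXAMPLE_FG1"], "ACTVT": ["16"]}],
}


def traced_checks(trace_csv, user):
    """Return the distinct (object, {field: value}) checks seen for one user."""
    seen, checks = set(), []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if row["user"] != user:
            continue  # other users' checks do not belong in this role
        fields = dict(p.split("=", 1) for p in row["values"].split(";"))
        key = (row["object"], tuple(sorted(fields.items())))
        if key not in seen:
            seen.add(key)
            checks.append((row["object"], fields))
    return checks


def covers(role, obj, fields):
    """True if one authorization in the role allows every checked field."""
    return any(
        all(any(fnmatchcase(v, pat) for pat in auth.get(f, [])) for f, v in fields.items())
        for auth in role.get(obj, [])
    )


def uncovered(role, checks):
    """Checks the candidate role would fail: the gaps to close or justify."""
    return [(obj, fields) for obj, fields in checks if not covers(role, obj, fields)]
```

Running `uncovered(CANDIDATE_ROLE, traced_checks(SAMPLE_TRACE, "RFCUSER"))` on the sample lists the second function group and the transaction check as gaps, which is the list to work through in QAS before the role goes to PRD.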
07-28-2010 4:37 AM
Hi Sri,
Thank you for your kind reply.
Yes, we can give SAP_ALL / SAP_NEW in dev / QAS systems. But how to deal with that in our prd system?
In our prd system SAP_ALL user is not allowed.
Any idea? Thanks again!
Terry
07-28-2010 4:54 AM
Terry,
In my previous project we had given SAP_ALL in the prod system (since they were able to answer to auditors). Have a discussion with the Basis guys, client & security team. Only with approval should you proceed further.
2. Even Martin's advice is also worthy. (ifs/buts will always arise from Basis guys)
Thanks,
Sri
Edited by: sri on Jul 28, 2010 1:53 AM
07-28-2010 6:29 AM
Hi,
Isn't the idea behind a 3 system landscape (TST/DEV-QAS-PRD) to be able to test scenarios and develop the fitting solutions before they are moved into PRD?
So if you assign SAP_ALL to the RFC users in QAS you won't have a chance to test delimited roles which you should assign in PRD.
There have been already some threads about this question. Please spend your time also to search before you post.
Also refer to Julius' how-to at:
https://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections
b.rgds, Bernhard
07-28-2010 7:14 AM
Hi all,
Thanks all for help.
We have decided to trace the needed authorizations and create a new role specially for the CRM connection user.
And the DEV, QAS and PRD systems are all doing it this way.
Thanks again!
terry