
RFCUSER: which authorization should it have?

Former Member
0 Kudos

Hi,

Our CRM guy asked me to create a user named RFCUSER in our R/3 system. But the guy cannot tell me which authorization profile to give to this user, so he asked me for SAP_ALL & SAP_NEW. Can somebody tell me whether SAP_ALL is a sound choice? Or does SAP have some special role for the CRM integration user in the R/3 system?

Thanks a lot!

Terry

1 ACCEPTED SOLUTION

Former Member
0 Kudos

hi Terry,

As it is a new implementation, for RFCUSERS you need to give SAP_ALL / SAP_NEW in dev / QAS systems. In these cases the basis guys won't compromise. Sometimes they need more than SAP_ALL; that can be added on a case-by-case basis.

The user ID is a unique ID for all the systems.

Thanks,

Sri

7 REPLIES 7

mvoros
Active Contributor
0 Kudos

Hi,

SAP_ALL is usually not a good idea, but it's really convenient. Definitely check Note 338537 - RFC user authoriz. for data exchange R/3 back end <-> CRM. As mentioned in the OSS note, you can try to build a role for the RFC user with limited authorizations. This can be really hard and painful. You need to ask what FMs they need to call from CRM, or just trace RFC calls from CRM to see what is executed. You can also run an ST01 trace to get the authorization checks executed in these FMs.

Have a look at this wiki (https://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections), which is listed in memorable discussions (top thread in this forum).

Cheers
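
An added example, not part of any post in this thread: one way to turn the authorization checks collected by a trace, as suggested above, into a draft role for RFCUSER and to verify a candidate role against the same trace before it is moved to PRD. The pipe-delimited layout, the function group names and the object Z_DEMO_OBJ are constructed for illustration; only S_RFC and its fields RFC_TYPE, RFC_NAME and ACTVT are real names.

```python
from collections import defaultdict

# Constructed sample in a simplified layout: user|object|field=value;...|rc
# (rc 0 = check passed). Not the real ST01 export format; adapt parse() to yours.
SAMPLE_TRACE = """\
RFCUSER|S_RFC|RFC_TYPE=FUGR;RFC_NAME=ZCRM_DEMO_GRP;ACTVT=16|0
RFCUSER|S_RFC|RFC_TYPE=FUGR;RFC_NAME=ZCRM_DEMO_GRP2;ACTVT=16|0
RFCUSER|Z_DEMO_OBJ|ACTVT=03;ZFIELD=A1|0
RFCUSER|Z_DEMO_OBJ|ACTVT=02;ZFIELD=A1|4
DIALOGUSR|S_TCODE|TCD=SU01|0
RFCUSER|S_RFC|RFC_TYPE=FUGR;RFC_NAME=ZCRM_DEMO_GRP;ACTVT=16|0
"""

def parse(trace):
    """Yield (user, object, ((field, value), ...), rc) per non-empty line."""
    for line in trace.splitlines():
        if line.strip():
            user, obj, fields, rc = line.split("|")
            pairs = tuple(sorted(tuple(f.split("=", 1)) for f in fields.split(";")))
            yield user, obj, pairs, int(rc)

def checks(trace, user, passed=True):
    """Distinct checks for one user that passed (rc 0) or failed (rc != 0)."""
    return {(obj, pairs) for u, obj, pairs, rc in parse(trace)
            if u == user and (rc == 0) == passed}

def role_proposal(trace, user):
    """Union the passed checks into object -> field -> values.
    Per-field union can grant more combinations than were traced; review it."""
    role = defaultdict(lambda: defaultdict(set))
    for obj, pairs in checks(trace, user):
        for field, value in pairs:
            role[obj][field].add(value)
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in role.items()}

def uncovered(trace, user, role):
    """Traced checks a candidate role would not satisfy ('*' matches any value)."""
    def ok(obj, pairs):
        granted = role.get(obj, {})
        return all(v in granted.get(f, ()) or "*" in granted.get(f, ())
                   for f, v in pairs)
    return sorted(c for c in checks(trace, user) if not ok(*c))

if __name__ == "__main__":
    proposal = role_proposal(SAMPLE_TRACE, "RFCUSER")
    print(proposal)
    print("denied in trace:", sorted(checks(SAMPLE_TRACE, "RFCUSER", passed=False)))
    print("gaps:", uncovered(SAMPLE_TRACE, "RFCUSER", {"S_RFC": proposal["S_RFC"]}))
```

Checks that failed in the trace are reported separately rather than granted automatically, so each one can be reviewed before it goes into the role.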

Former Member
0 Kudos

Hi Sri,

Thank you for your kind reply.

Yes, we can give SAP_ALL / SAP_NEW in dev / QAS systems. But how do we deal with that in our PRD system?

In our PRD system a SAP_ALL user is not allowed.

Any idea? Thanks again!

Terry

0 Kudos

Terry,

In my previous project we had given SAP_ALL in the prod system (since they were able to answer to auditors). Have a discussion with the basis guys, client & security team. Proceed further only with approval....

2. Even Martin's advice is also worthy. (Ifs and buts will always arise from the basis guys.)

Thanks,

Sri

Edited by: sri on Jul 28, 2010 1:53 AM

0 Kudos

Hi,

Isn't the idea behind a 3-system landscape (TST/DEV-QAS-PRD) to be able to test scenarios and develop the fitting solutions before they are moved into PRD?

So if you assign SAP_ALL to the RFC users in QAS, you won't have a chance to test the delimited roles which you should assign in PRD.

There have been already some threads about this question. Please spend your time also to search before you post.

Also refer to Julius' how-to at:

https://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections

b.rgds, Bernhard

Former Member
0 Kudos

Note 338537 is a good note for me.

Thanks

Former Member
0 Kudos

Hi all,

Thanks all for help.

We have decided to trace the needed authorizations and create a new role specially for the CRM connection user.

And the DEV, QAS and PRD systems are all using this way.

Thanks again!

terry