What profile do I need to set up in login via RFC

Former Member · ‎09-10-2010

Greetings.

Let me describe my problem. I want to login to the system via RFC, for that I've create a special user.

BUT it's not allowed to log in there, I can do it through dialog mode but not rfc.

So if I set up SAP_ALL profile to my user (in SU01 transaction) everything works perfect. SAP_ALL are large authorities for me, I would like to know what do I need to set up to login into system ?

Thank You.

SuhaSaha · ‎09-10-2010

Hello,

Are both the systems R3? If yes, are they running on the same SAP version?

I'm asking this because prior to ECC6.0 (please correct me if i'm wrong) passwords weren't case sensitive but for later versions passwords are case sensitive. I remember there was a discussion on this topic few months back.

If your client system(source) is R3 did you check in SM59 if login to the server(destination) is possible? Is the UID & PWD maintained correctly in SM59.

BR,

Suhas

Former Member · ‎09-10-2010

They're both R2, user is ok, when I add to him SAP_ALL profile I can log in.

SuhaSaha · ‎09-10-2010

R2 ?? Whatever ...

Are you able to login via SM59 without SAP-ALL profile /

Former Member · ‎09-10-2010

R3, sorry, misprint.

Yes I can log in with usual sap log on, but not via SM59

Edited by: kernel.panic on Sep 10, 2010 9:25 AM

SuhaSaha · ‎09-10-2010

Hello,

I think the RFC type is 3 (since the client & server are both R3). In type '3' connection, check the "Logon & Security" tab.

Here you'll find the "Logon" block, are you sure that the details are correct ?

BR,

Suhas

Former Member · ‎09-10-2010

Yes, when I change user in R3 connection with another one (who has SAP_ALL) I can log in without any problem.

former_member182485 · ‎09-10-2010

Hi,

RFC User must have SAP_ALL to login to another system.

Regards

Bikas

Former Member · ‎09-10-2010

Bikas, really, SAP_ALL only ?

This authority is too strong, Our basis admins may not give me that

SuhaSaha · ‎09-10-2010

Hello,

SAP_ALL is definitely not required. Ignore that !!

I cross referenced a few RFC users in my system & the auth. obj. which caught my eye was S_RFC. Check if the user you're trying to use has this auth. obj. assigned to his auth. profile.

I think the best way would be to ask your Basis team on which user to use.

BR,

Suhas

Former Member · ‎09-10-2010

Thank You, but I can not determine where to add S_RFC

I'm trying to do it via su01, I don't have it in profiles.

Edited by: kernel.panic on Sep 10, 2010 10:47 AM

Former Member · ‎09-10-2010

why dont you create a profile? assuming you got the authorisation to do so.

Former Member · ‎09-10-2010

I do not know what should I add to this profile.

By the way, there are different types of profile:

Comp. profiles and Generated profiles, Generated profiles come from roles (when you add a role corresponding profile adds automatically )

But about com. profiles (like SAP_ALL) I know nothing, where to create it ?

Former Member · ‎09-12-2010

> Thank You, but I can not determine where to add S_RFC

> I'm trying to do it via su01, I don't have it in profiles.

Why don't you go for some training? It will save you and us a lot of hassle using the trail-by-error method.

Please also use the search before you ask questions and provide infos about what you have tried after putting in some effort.

SDN is not a support mechanism. It is a discussion forum.

Cheers,

Julius

ThomasZloch · ‎09-10-2010

This is not directly related to do ABAP development, but since there has been a lot of effort already, I will ask to have the thread moved to Netweaver Security (can take a little bit).

Thomas

Former Member · ‎09-10-2010

ok, sorry

jurjen_heeck · ‎09-10-2010

Now the thread has been moved I'm very afraid your issue is of the type we generally refer to as 'a basic question' and step-by-step tutorials are rarely given. If there's no one on site to help you with this issue (like a security consultant or an authorizations administrator) you are going to run into a lot more problems.

Best take a look at the [SAPhelp pages about authorizations|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6714a9439b11d1896f0000e8322d00/frameset.htm] and work from there.

Former Member · ‎09-11-2010

Hi ,

Your problem is very easy to resolve

most of the security documentations will have information on role

most important object to consider will be S_RFC and S_RFCACL

selection of usertype like Service/Communication/System user is essential.

Good weekend

Former Member · ‎09-12-2010

Transaction ST22 in the target system is your best friend in these cases. It will give you a lot of information about the failure.

A possible explanation could be that in table PRGN_CUST you have an entry for ID = ADD_S_RFCACL and PATH = YES. The target system is expecting a "trusted" and "passwordless" connection to be established, but no user roles created in PFCG would typically introduce this authorization for object S_RFCACL so only SAP_ALL is working.

You have to use it very carefully --> i.e. you have to know what you are doing if you want to restrict it granularly on the server side of the call. You can also use a client side protection using authorization object S_ICF to classify the permissions to even start the call, regardless which application transaction the user has access to.

This also applies to developers who call destinations from their programs and use released functions in their coding.

Cheers,

Julius