09-10-2010 6:33 AM
Greetings.
Let me describe my problem. I want to log in to the system via RFC; for that I've created a special user.
BUT it's not allowed to log in there. I can do it through dialog mode but not RFC.
So if I assign the SAP_ALL profile to my user (in transaction SU01) everything works perfectly. SAP_ALL is too large an authorization for me; I would like to know what I need to set up to log in to the system.
Thank You.
09-10-2010 7:00 AM
Hello,
Are both the systems R3? If yes, are they running on the same SAP version?
I'm asking this because prior to ECC6.0 (please correct me if I'm wrong) passwords weren't case sensitive, but for later versions passwords are case sensitive. I remember there was a discussion on this topic a few months back.
If your client system (source) is R3, did you check in SM59 if login to the server (destination) is possible? Is the UID & PWD maintained correctly in SM59?
BR,
Suhas
09-10-2010 7:21 AM
They're both R2, the user is OK; when I add the SAP_ALL profile to him I can log in.
09-10-2010 7:29 AM
R2 ?? Whatever ...
Are you able to log in via SM59 without the SAP_ALL profile?
09-10-2010 8:25 AM
R3, sorry, misprint.
Yes, I can log in with the usual SAP logon, but not via SM59.
Edited by: kernel.panic on Sep 10, 2010 9:25 AM
09-10-2010 8:58 AM
Hello,
I think the RFC type is 3 (since the client & server are both R3). In type '3' connection, check the "Logon & Security" tab.
Here you'll find the "Logon" block, are you sure that the details are correct ?
BR,
Suhas
09-10-2010 9:02 AM
Yes, when I change user in R3 connection with another one (who has SAP_ALL) I can log in without any problem.
09-10-2010 9:00 AM
09-10-2010 9:03 AM
Bikas, really, SAP_ALL only ?
This authority is too strong; our Basis admins may not give me that.
09-10-2010 9:16 AM
Hello,
SAP_ALL is definitely not required. Ignore that !!
I cross referenced a few RFC users in my system & the auth. obj. which caught my eye was S_RFC. Check if the user you're trying to use has this auth. obj. assigned to his auth. profile.
I think the best way would be to ask your Basis team on which user to use.
BR,
Suhas
09-10-2010 9:47 AM
Thank you, but I cannot determine where to add S_RFC.
I'm trying to do it via SU01; I don't have it in profiles.
Edited by: kernel.panic on Sep 10, 2010 10:47 AM
09-10-2010 9:54 AM
Why don't you create a profile? Assuming you've got the authorisation to do so.
09-10-2010 9:59 AM
I do not know what I should add to this profile.
By the way, there are different types of profile:
Comp. profiles and Generated profiles. Generated profiles come from roles (when you add a role, the corresponding profile is added automatically).
But about comp. profiles (like SAP_ALL) I know nothing. Where do I create one?
09-12-2010 8:56 PM
> Thank You, but I can not determine where to add S_RFC
> I'm trying to do it via su01, I don't have it in profiles.
Why don't you go for some training? It will save you and us a lot of hassle using the trial-by-error method.
Please also use the search before you ask questions and provide infos about what you have tried after putting in some effort.
SDN is not a support mechanism. It is a discussion forum.
Cheers,
Julius
09-10-2010 10:01 AM
This is not directly related to ABAP development, but since there has been a lot of effort already, I will ask to have the thread moved to Netweaver Security (can take a little bit).
Thomas
09-10-2010 10:05 AM
09-10-2010 4:24 PM
Now the thread has been moved I'm very afraid your issue is of the type we generally refer to as 'a basic question' and step-by-step tutorials are rarely given. If there's no one on site to help you with this issue (like a security consultant or an authorizations administrator) you are going to run into a lot more problems.
Best take a look at the SAP Help pages about authorizations (http://help.sap.com/saphelp_nw70ehp1/helpdata/en/52/6714a9439b11d1896f0000e8322d00/frameset.htm) and work from there.
09-11-2010 12:47 AM
Hi,
Your problem is very easy to resolve.
Most of the security documentation will have information on roles.
The most important objects to consider will be S_RFC and S_RFCACL.
Selection of the user type, like Service/Communication/System user, is essential.
Good weekend
09-12-2010 8:48 PM
Transaction ST22 in the target system is your best friend in these cases. It will give you a lot of information about the failure.
A possible explanation could be that in table PRGN_CUST you have an entry for ID = ADD_S_RFCACL and PATH = YES. The target system is expecting a "trusted" and "passwordless" connection to be established, but no user roles created in PFCG would typically introduce this authorization for object S_RFCACL so only SAP_ALL is working.
You have to use it very carefully --> i.e. you have to know what you are doing if you want to restrict it granularly on the server side of the call. You can also use a client side protection using authorization object S_ICF to classify the permissions to even start the call, regardless which application transaction the user has access to.
This also applies to developers who call destinations from their programs and use released functions in their coding.
Cheers,
Julius
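An added example, not part of the original thread: a small least-privilege audit over the points raised in the replies above (SAP_ALL, user type, S_RFC and S_RFCACL). The CSV layout, user names and profile names are constructed for illustration and are not an SAP export format; the authorization objects and field names (RFC_TYPE, RFC_NAME, ACTVT, RFC_SYSID, RFC_CLIENT, RFC_USER, RFC_EQUSER) are the standard ones.

```python
import csv
import io

# Constructed sample: one row per authorization field value held by a user.
# The column layout is an assumption for this example, not an SAP export format.
SAMPLE = """\
user,user_type,profile,object,field,value
RFC_BATCH,B,Z_RFC_MIN,S_RFC,RFC_TYPE,FUGR
RFC_BATCH,B,Z_RFC_MIN,S_RFC,RFC_NAME,ZSALES_API
RFC_BATCH,B,Z_RFC_MIN,S_RFC,ACTVT,16
RFC_WIDE,A,SAP_ALL,S_RFC,RFC_NAME,*
RFC_WIDE,A,SAP_ALL,S_RFCACL,RFC_USER,*
RFC_TRUST,S,Z_TRUST,S_RFCACL,RFC_SYSID,*
RFC_TRUST,S,Z_TRUST,S_RFCACL,RFC_EQUSER,Y
"""

# User type codes as stored in the user master (A would be a Dialog user).
RFC_USER_TYPES = {"B": "System", "C": "Communication", "S": "Service"}
# S_RFCACL fields that decide which calling system/client/user is trusted.
TRUST_FIELDS = {"RFC_SYSID", "RFC_CLIENT", "RFC_USER"}


def audit_rfc_users(text):
    """Return {user: [findings]} for accounts broader than an RFC user needs."""
    found = {}
    for row in csv.DictReader(io.StringIO(text)):
        msgs = found.setdefault(row["user"], {})  # dict used as an ordered set
        if row["profile"] == "SAP_ALL":
            msgs["holds SAP_ALL"] = None
        if row["user_type"] not in RFC_USER_TYPES:
            msgs["user type %s is not System/Communication/Service"
                 % row["user_type"]] = None
        if row["value"] != "*":
            continue  # only wildcard values are flagged below
        if row["object"] == "S_RFC" and row["field"] == "RFC_NAME":
            msgs["S_RFC: RFC_NAME = * (every function group callable)"] = None
        elif row["object"] == "S_RFCACL" and row["field"] in TRUST_FIELDS:
            msgs["S_RFCACL: %s = * (trusts any value)" % row["field"]] = None
    return {user: list(m) for user, m in found.items() if m}


if __name__ == "__main__":
    for user, msgs in audit_rfc_users(SAMPLE).items():
        for msg in msgs:
            print(user, "-", msg)
```
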