11-23-2010 1:49 PM
Hi all.
In my company, development teams are trying to use SAP RFC connections in order to connect its .NET, Java, etc. applications. They need an SAP user to establish the connection and I don't know what authorizations (objects) I need to put in their roles in order to allow the connection strictly to the BAPIs they need to use.
I used to put transactions on a role, but with BAPIs and function modules I don't know how to proceed. Do I need to create a transaction for every BAPI or FM they need?
Thanks in advance for your help.
11-24-2010 12:32 PM
Rolls-Royce solution: Create a test frame in SE37 and execute the BAPI(s) in sequence with an ST01 trace on providing only the import parameters which you want to use and activate in them. This will influence the checks performed, so just looking in the code is not enough...
Then maintain SU24 for the BAPI (not a transaction code!) and add the BAPI to the role menu (ignore S_DEVELOP and the other usual red-herrings in the trace).
BAPIs by definition should never make an S_TCODE authority-check so you should never need to grant any.
Cheers,
Julius
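Added example, not part of any post in this thread: a sketch of the bookkeeping behind the trace-then-maintain procedure above, which groups traced authority checks into role proposals and sets aside the objects the post says to ignore. The record layout, the function group name ZDEMO_FUGR and the user group ZGRP are constructed placeholders, and this is not the ST01 display or export format.

```python
from collections import defaultdict

# Objects the post above says not to grant on the basis of a BAPI trace.
IGNORE = {"S_DEVELOP", "S_TCODE"}

# Constructed sample records: (authorization object, return code, field values).
# Return code 0 means the check passed for the traced user; non-zero means it failed.
TRACE = [
    ("S_RFC",      0, {"RFC_TYPE": "FUGR", "RFC_NAME": "ZDEMO_FUGR", "ACTVT": "16"}),
    ("S_USER_GRP", 4, {"CLASS": "ZGRP", "ACTVT": "01"}),
    ("S_USER_GRP", 4, {"CLASS": "ZGRP", "ACTVT": "03"}),
    ("S_DEVELOP",  4, {"OBJTYPE": "FUGR", "ACTVT": "03"}),
    ("S_TCODE",    4, {"TCD": "SE37"}),
]


def proposals(trace, ignore=IGNORE):
    """Group checks by object and non-ACTVT field values, merging activities.

    Distinct field combinations stay separate so that merging does not grant
    a combination that was never actually checked.
    """
    merged = defaultdict(set)
    skipped = set()
    for obj, _rc, fields in trace:
        if obj in ignore:
            skipped.add(obj)
            continue
        rest = tuple(sorted((k, v) for k, v in fields.items() if k != "ACTVT"))
        if "ACTVT" in fields:
            merged[(obj, rest)].add(fields["ACTVT"])
        else:
            merged[(obj, rest)]  # object without an activity field
    return dict(merged), skipped


def failed(trace, ignore=IGNORE):
    """Objects with at least one failed check that are not on the ignore list."""
    return sorted({obj for obj, rc, _ in trace if rc != 0 and obj not in ignore})


if __name__ == "__main__":
    props, skipped = proposals(TRACE)
    for (obj, rest), actvt in sorted(props.items()):
        print(obj, dict(rest), "ACTVT:", sorted(actvt))
    print("set aside:", sorted(skipped))
    print("still missing for traced user:", failed(TRACE))
```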
11-23-2010 10:31 PM
Hi,
this wiki page (http://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections) is a good start. Basically, there is no easy way, but you can use the approach with transactions. You add transactions to the role which provide the same functionality (e.g. VA01 for BAPI BAPI_SALESORDER_CREATEFROMDAT2), plus you need to add RFC-specific objects such as S_RFC. ST01 will be helpful for figuring out which authorizations are still missing.
Cheers
11-24-2010 7:20 AM
Thanks Martin for your help.
I think the approach of using transactions similar to the BAPI functions is a good idea. I suppose that there is no place where I can find a list of the transactions that perform the same function as a BAPI, but I will try this.
ST01 will be a nice help. I haven't ever used it, but I will try it too.
Many thanks for your answer.
11-24-2010 3:49 AM
Hi,
It all depends on the BAPIs that you are using. For example, BAPI_USER_CREATE1 requires authorization to S_USER* authorization objects. You may open authorization to some of the auth objects that are not required.
My recommendation would be to identify the BAPIs that are required, refer to the documentation to learn the required authorizations, and create a role.
Rgds,
Raghu
11-24-2010 7:16 AM
Hi Raghu.
Thanks for your answer. I tried to read the documentation about the BAPIs that are needed, but in the BAPI transaction I haven't seen anything about this matter. I don't know if the Marketplace has SAP notes about every BAPI we need.
I'm going to review these two options, but if you know of another, please let me know.
Thanks again for your help.
11-24-2010 12:15 PM
Hi Francisco,
I also join Martin with the solution. Note that all the BAPIs don't contain an authorization check. It is always advised to look at the documentation to identify the authorization objects that are checked, or to enable an ST01 trace to identify the same. ST01 will help you identify exactly the auth objects and makes the task simpler.
Best Regards,
Raghu
11-25-2010 12:32 PM
Thanks all for your help. I will try to play with these transactions in order to grant RFC connections with the BAPIs people need.
Thanks again.