Solved: login/isolate_rfc_system_calls ?

Former Member · ‎06-17-2011

All:

I am trying to get more information related to the following system parameter. SAP documentation and searchs on the marketplace/SCN are not coming up fruitful. Any help pointing me to documentation or experiences you may have had would be greately appreicated.

Thanks,

Matt

Former Member · ‎06-17-2011

Last I heard it was not released yet, so it does not do anything - hence no documentation.

I think the plan was / is to excempt internal type destinations from S_RFC checks but still check fugr SRFC.

However I suspect the application coding using destination 'NONE' needs to be changed to "space" first and the ABAP keyword "NEW TASK" needs to do the same as well.

Interesting question, but you might have to wait for a major release level before you get a definitive answer.

There is one old thread about it here in the security forum which has a few more infos.

Cheers,

Julius

Former Member · ‎06-17-2011

Last I heard it was not released yet, so it does not do anything - hence no documentation.

I think the plan was / is to excempt internal type destinations from S_RFC checks but still check fugr SRFC.

However I suspect the application coding using destination 'NONE' needs to be changed to "space" first and the ABAP keyword "NEW TASK" needs to do the same as well.

Interesting question, but you might have to wait for a major release level before you get a definitive answer.

There is one old thread about it here in the security forum which has a few more infos.

Cheers,

Julius

Former Member · ‎06-17-2011

Thanks Julius. I read that old post from 2007 stating it might be included in an update version. I wanted to check after 4 years if anything has changed or been updated to use.

Former Member · ‎06-17-2011

rfc_type FUNC has been added which is a big advantage if the FMs are not grouped correctly (from a security perspective...) and the domain knows SYST if you add it, so you have three options (FUGR being the 3rd one).

I played around with SYST as type before but did not get very far with making it mainstream usable.

I would wait for the docs and concentrate on RFC_NAME until then.

Anyway, this whole RFC security is really for "gadget guys" despite it not being that difficult if you have done it a few times ;-(

Cheers,

Julius

WolfgangJanzen · ‎06-20-2011


Thanks Julius. I read that old post from 2007 stating it might be included in an update version. I wanted to check after 4 years if anything has changed or been updated to use.

Sorry, Matt.

Situation is still unchanged. So far noone as urgently requested an implementation.

I'll consider to check on this issue after Ive returned from vacation.

Cheers, Wolfgang

(using the hotel's free of charge WLAN at the pool side)

Former Member · ‎06-20-2011


(using the hotel's free of charge WLAN at the pool side)

Is it raining?

WolfgangJanzen · ‎06-20-2011


> (using the hotel's free of charge WLAN at the pool side)

> Is it raining? 😉

No, it's damned hot here in Turkey (of course not now, during the night).

I was just taking a break (before having lunch), sitting in the shadow.

Don't worry, I'll not work during vacation - I've not brought my access card along (intentionally).

No, here it's not raining - different from Germany ...

Former Member · ‎06-20-2011

So far noone as urgently requested an implementation.
I'll consider to check on this issue after Ive returned from vacation.

So, if the first call comes from the inside then subsequent calls and tasks are "isolated".

If the first call comes from outside of the SID (also JAVA SID?) then it is not "isolated" and the S_RFC check is active?

This would be a big help, also for some dialog users... I will gladly create some requests for this.

It would be nice if the security audit log also flagged these "isolated" entries as yellow and not red intensified messages.

Cheers,

Julius

ps: Yes, it is raining here in WDF ;-(