09-07-2011 5:00 PM
Hello,
I am trying to establish a scenario where it is checked whether a user is allowed to execute a programme (or test a FM) that calls another SAP-System via RFC.
As described in [RFC-Security|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b2cce390-0201-0010-5a9f-cca08c75b6ea?quicklink=index&overridelayout=true] I have used authorization object S_ICF - but this seems to be checked nowhere during RFC-Calls. Could anybody help? Thanks and
Kind regards,
Holger P.
09-07-2011 6:17 PM
You will only see the check once you have maintained a value in the "authorization for destination" field, otherwise it is suppressed as it is an optional object.
Cheers,
Julius
09-08-2011 11:02 AM
Hi,
I've already maintained value 'TEST' for our test system and 'PROD' for our productive system at our development system.
My user profile contains value 'TEST' only. But I can call both - test and productive system (from SE37 testframe / FM RFC_SYSTEM_INFO). In debugging there is no stop at any authority check for S_ICF (system debugging is active).
So this concept seems not to work (anymore?) - or is something crucial missing (system parameters, ...)?
Kind regards,
Holger
09-08-2011 11:11 AM
Not sure if I understand what you wrote, but for an RFC call the user authorizations in the target system are used for evaluation. So have you changed the service definition in the production system, and what does your user have in his authorization profile in the production environment?
Cheers
09-08-2011 11:33 AM
Not sure if I understand what you wrote but for RFC call the user authorizations in target system are used for evaluation
Hi,
no - SAP says that S_ICF is to be used at the client (calling) side. I am just trying to follow a recommendation by SAP (see above) and by the German BSI ( [M 4.263 Absicherung von SAP Destinationen|https://www.bsi.bund.de/ContentBSI/grundschutz/kataloge/m/m04/m04263.html;jsessionid=BFBC2E352598B15FE128B751FEACB364.2_cid183] )
Kind regards,
Holger
Edited by: Holger Pakirnus on Sep 8, 2011 12:36 PM
09-08-2011 11:51 AM
Can't check it right now but [documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/78/9852b7c06b11d4ad310000e83539c3/frameset.htm] for SICF says
Here you can set an authorization value for using the service.
Enter a literal of your choice (such as CHECK) to check the caller's authorization for this value. The specified literal must be entered in the authorization profile of the calling user for the authorization object S_ICF. In this example, the user must have the following authorization:
It does not make sense to check authorization on client side. You can call SICF services from non SAP applications. Hence I assume that it must check profile of user that is used to execute service.
Cheers
09-08-2011 11:53 AM
I also found this [documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/61/d93822a88e15489a9391f309767366/frameset.htm] that confirms my assumption.
The user in the target system must have this object in his or her authorization profile to be able to use ICF to connect to the target system.
Cheers
09-08-2011 11:54 AM
In this case it is a client side authority check for calling the server side destination.
This means you can create zones for the outbound destinations.
@ Holger: please trace your own user to see the return code?
Also, which release are you on?
Cheers,
Julius
09-08-2011 12:55 PM
Hi Julius,
thanks a lot - I am rather a programmer than an authorization expert - so I have not looked at the trace.
The check comes back with
S_ICF RC=0 tcode=SE37;ICF_FIELD=DEST;ICF_VALUE=PROD;
so everything seems to work. I will let our user admin check my roles again - guess there is another role with this object and VALUE=*.
By the way - where is that check done? C-Kernel?
Our BASIS release is 701.
Kind regards,
Holger
09-08-2011 2:23 PM
It is checked in the ABAP application coding (see SU21 where-used-list) but also in the kernel (keyword DESTINATION will perform the check if found - from the ST01 trace you can double-click the line and at the top left hand corner you will see a "jump to source" button, which will take you to RfcControl in SAPMSSY1 if I remember correctly).
So it is not just the test frame checking it...
Cheers,
Julius
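
Added example, not part of the thread and not SAP code: a simplified Python model of the client-side S_ICF check discussed above, showing why the check is skipped when the destination's "authorization for destination" field is blank and how one over-broad role produces RC=0 for PROD. Role names and their authorization values are constructed; the return codes 0/4/12 follow the usual AUTHORITY-CHECK convention.

```python
# Simplified model of the S_ICF check for outbound RFC destinations.
# Constructed sample data: role name -> S_ICF authorizations (ICF_FIELD, ICF_VALUE).
ROLES = {
    "Z_DEV_RFC_TEST": [("DEST", "TEST")],
    "Z_LEGACY_BASIS": [("*", "*")],  # hypothetical over-broad role
}


def matches(granted, requested):
    """Authorization value match: exact value, full '*', or 'PREFIX*'."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def check_s_icf(roles, dest_auth_value, icf_field="DEST"):
    """Evaluate the check for one destination.

    Returns (rc, granting_roles):
      rc None -> destination has no authorization value, check is suppressed
      rc 0    -> authorized; granting_roles lists every role that allows it
      rc 4    -> user holds S_ICF, but not with matching values
      rc 12   -> user holds no S_ICF authorization at all
    """
    if not dest_auth_value:
        return None, []
    granting = [
        role
        for role, auths in roles.items()
        if any(matches(f, icf_field) and matches(v, dest_auth_value)
               for f, v in auths)
    ]
    if granting:
        return 0, granting
    has_object = any(auths for auths in roles.values())
    return (4 if has_object else 12), []


if __name__ == "__main__":
    for value in ("TEST", "PROD", ""):
        rc, granted_by = check_s_icf(ROLES, value)
        print(f"ICF_FIELD=DEST;ICF_VALUE={value or '<blank>'}; RC={rc} via {granted_by}")
```

Listing the granting roles is the useful part for an admin: an RC=0 in the trace says the check passed, not which role let it pass.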