S_ICF to check authorization to call RFC-SYS

Former Member
0 Kudos

Hello,

I am trying to establish a scenario where it is checked whether a user is allowed to execute a programme (or test a FM) that calls another SAP-System via RFC.

As described in [RFC-Security|http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b2cce390-0201-0010-5a9f-cca08c75b6ea?quicklink=index&overridelayout=true] I have used authorization object S_ICF - but this seems to be checked nowhere during RFC-Calls. Could anybody help? Thanks and

Kind regards,

Holger P.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You will only see the check once you have maintained a value in the "authorization for destination" field, otherwise it is suppressed as it is an optional object.

Cheers,

Julius

9 REPLIES 9

0 Kudos

Hi,

I've already maintained value 'TEST' for our test system and 'PROD' for our productive system at our development system.

My user profile contains value 'TEST' only. But I can call both - test and productive system (from SE37 testframe / FM RFC_SYSTEM_INFO). In debugging there is no stop at any authority check for S_ICF (system debugging is active).

So this concept seems not to work (anymore?) - or is something crucial missing (system parameters, ...)?

Kind regards,

Holger

0 Kudos

Not sure if I understand what you wrote, but for an RFC call the user authorizations in the target system are used for evaluation. So have you changed the service definition in the production system, and what does your user have in his authorization profile in the production environment?

Cheers

0 Kudos

"Not sure if I understand what you wrote but for RFC call the user authorizations in target system are used for evaluation"

Hi,

no - SAP says that S_ICF is to be used at the client (calling) side. I am just trying to follow a recommendation by SAP (see above) and by the German BSI ( [M 4.263 Absicherung von SAP Destinationen|https://www.bsi.bund.de/ContentBSI/grundschutz/kataloge/m/m04/m04263.html;jsessionid=BFBC2E352598B15FE128B751FEACB364.2_cid183] )

Kind regards,

Holger

Edited by: Holger Pakirnus on Sep 8, 2011 12:36 PM

0 Kudos

Can't check it right now but [documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/78/9852b7c06b11d4ad310000e83539c3/frameset.htm] for SICF says

Here you can set an authorization value for using the service.

Enter a literal of your choice (such as CHECK) to check the caller's authorization for this value. The specified literal must be entered in the authorization profile of the calling user for the authorization object S_ICF. In this example, the user must have the following authorization:

It does not make sense to check authorization on the client side. You can call SICF services from non-SAP applications. Hence I assume that it must check the profile of the user that is used to execute the service.

Cheers

0 Kudos

I also found this [documentation|http://help.sap.com/saphelp_nw04s/helpdata/en/61/d93822a88e15489a9391f309767366/frameset.htm] that confirms my assumption.

The user in the target system must have this object in his or her authorization profile to be able to use ICF to connect to the target system.

Cheers

0 Kudos

In this case it is a client side authority check for calling the server side destination.

This means you can create zones for the outbound destinations.

@ Holger: please trace your own user to see the return code?

Also, which release are you on?

Cheers,

Julius

0 Kudos

Hi Julius,

thanks a lot - I am rather a programmer than an authorization expert - so I have not looked at the trace.

The check comes back with

S_ICF RC=0 tcode=SE37;ICF_FIELD=DEST;ICF_VALUE=PROD;

so everything seems to work. I will let our user admin check my roles again - guess there is another role with this object and VALUE=*.

By the way - where is that check done? C-Kernel?

Our BASIS release is 701.

Kind regards,

Holger

0 Kudos

It is checked in the ABAP application coding (see SU21 where-used-list) but also in the kernel (keyword DESTINATION will perform the check if found - from the ST01 trace you can double-click the line and at the top left hand corner you will see a "jump to source" button, which will take you to RfcControl in SAPMSSY1 if I remember correctly).

So it is not just the test frame checking it...

Cheers,

Julius
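
The behaviour discussed in this thread, as an added example that is not part of any post and is not SAP code: a simplified Python model of the client-side S_ICF check for an RFC destination. It shows why an empty "authorization for destination" field suppresses the check and how a wildcard value in a second role (Holger's guess) makes the check for PROD return RC=0. The role names, data structures and the reduced wildcard handling are assumptions for illustration; 0, 4 and 12 are the standard AUTHORITY-CHECK return codes.

```python
# Simplified model of the S_ICF destination check discussed in this thread.
# Not SAP code: role names and data structures are constructed for illustration.
RC_OK, RC_NO_VALUE, RC_NO_OBJECT = 0, 4, 12  # AUTHORITY-CHECK sy-subrc values


def _matches(pattern, value):
    """Authorization value match: literal, or a prefix ending in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _grants(auths, dest_auth_value):
    """True if any (ICF_FIELD, ICF_VALUE) pair covers DEST / dest_auth_value."""
    return any(_matches(f, "DEST") and _matches(v, dest_auth_value)
               for f, v in auths)


def s_icf_check(dest_auth_value, user_roles):
    """Return (checked, rc) for a call through an RFC destination.

    dest_auth_value: literal from the destination's "authorization for
                     destination" field, '' if not maintained.
    user_roles:      {role name: [(ICF_FIELD, ICF_VALUE), ...]} holding the
                     S_ICF authorizations of every role assigned to the user.
    """
    if not dest_auth_value:
        return (False, RC_OK)  # optional object: no value, no check
    # Authorizations are additive: one match in any role is enough.
    auths = [a for role in user_roles.values() for a in role]
    if not auths:
        return (True, RC_NO_OBJECT)
    return (True, RC_OK if _grants(auths, dest_auth_value) else RC_NO_VALUE)


def granting_roles(dest_auth_value, user_roles):
    """List the roles whose S_ICF values let the call through (for review)."""
    return sorted(name for name, auths in user_roles.items()
                  if _grants(auths, dest_auth_value))


# Constructed sample: the intended role plus an unnoticed wildcard role.
ROLES = {
    "Z_RFC_TEST_ONLY": [("DEST", "TEST")],
    "Z_LEGACY_BASIS": [("DEST", "*")],
}

if __name__ == "__main__":
    for dest in ("TEST", "PROD", ""):
        print(repr(dest), s_icf_check(dest, ROLES), granting_roles(dest, ROLES))
```

Running `granting_roles` over a user's real role assignments is the review step Holger hands to his user admin: it names the role that lets the call to PROD through.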