02-23-2012 1:22 PM
Dear Experts,
We are in implementing phase of NAKISA, for that we have created new user id and assigned S_RFC complete access.
While doing Extraction in Nakisa system given following error.
1. 23 Feb 2012 00:00:24 ERROR com.nakisa.Logger - executeFunctionDirect : FunctionRunner.executeFunctionDirect: RFC_READ_TABLE threw an Exception of type AbapException, took: 750ms, Message = NOT_AUTHORIZED
2. 23 Feb 2012 00:00:24 ERROR com.nakisa.Logger - com.sap.mw.jco.JCO$AbapException: (126) NOT_AUTHORIZED: NOT_AUTHORIZED
Then we have searched in forum link related to this error and we found one link and its suggested to give SAP_ALL access.
http://forums.sdn.sap.com/thread.jspa?threadID=1676742
But in our scenario we can't provide SAP_ALL access, can any one suggested to resolve the above error without SAP_ALL.
02-23-2012 1:45 PM
Hi,
The SAP_ALL advice was very bad so I am glad that it is not an option.
The error message is telling you that there is no authorisation for FM RFC_READ_TABLE so in addition to the S_RFC access (which I would recommend you restrict to the FM) you need to provide display auths for S_TABU_DIS for the table auth group/s for the tables that you are extracting from.
I would also be asking Nakisa to provide a detailed access spec for the tool that they sell.
Cheers
Alex
02-23-2012 6:54 PM
This [wiki|http://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections] might be helpful.
Cheers
02-24-2012 8:39 AM
The problem with this is that the RFC client can determine which table it wants to read (table name is an import parameter) and as it is HR and as it is personal data which the RFC is going to read, the probabiliyt of very might that the check is failing on table authhorization group PA, which the user will need to be able to work.
With that, comes remote, anonymous access to all tables in the same group PA and "the cat is out of the bag" from a security perspective.
If however you are lucky and the FM is just reading the system's own client information from table T000 (this is also a common scenario) then you can also grant just that in display mode and call it a day. However NAKISA should then ideally use function group SCT2 to get logical system information and not SDTX.
Cheers,
Julius