Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Extraction problem in Nakisa

Former Member

‎02-23-2012 1:22 PM

0 Kudos

Dear Experts,

We are in implementing phase of NAKISA, for that we have created new user id and assigned S_RFC complete access.

While doing Extraction in Nakisa system given following error.

1. 23 Feb 2012 00:00:24 ERROR com.nakisa.Logger - executeFunctionDirect : FunctionRunner.executeFunctionDirect: RFC_READ_TABLE threw an Exception of type AbapException, took: 750ms, Message = NOT_AUTHORIZED

2. 23 Feb 2012 00:00:24 ERROR com.nakisa.Logger - com.sap.mw.jco.JCO$AbapException: (126) NOT_AUTHORIZED: NOT_AUTHORIZED

Then we have searched in forum link related to this error and we found one link and its suggested to give SAP_ALL access.

http://forums.sdn.sap.com/thread.jspa?threadID=1676742

But in our scenario we can't provide SAP_ALL access, can any one suggested to resolve the above error without SAP_ALL.

3 REPLIES 3

Former Member

‎02-23-2012 1:45 PM

0 Kudos

Hi,

The SAP_ALL advice was very bad so I am glad that it is not an option.

The error message is telling you that there is no authorisation for FM RFC_READ_TABLE so in addition to the S_RFC access (which I would recommend you restrict to the FM) you need to provide display auths for S_TABU_DIS for the table auth group/s for the tables that you are extracting from.

I would also be asking Nakisa to provide a detailed access spec for the tool that they sell.

Cheers

Alex

mvoros
Active Contributor

‎02-23-2012 6:54 PM

0 Kudos

This [wiki|http://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections] might be helpful.

Cheers

Former Member

‎02-24-2012 8:39 AM

0 Kudos

The problem with this is that the RFC client can determine which table it wants to read (table name is an import parameter) and as it is HR and as it is personal data which the RFC is going to read, the probabiliyt of very might that the check is failing on table authhorization group PA, which the user will need to be able to work.

With that, comes remote, anonymous access to all tables in the same group PA and "the cat is out of the bag" from a security perspective.

If however you are lucky and the FM is just reading the system's own client information from table T000 (this is also a common scenario) then you can also grant just that in display mode and call it a day. However NAKISA should then ideally use function group SCT2 to get logical system information and not SDTX.

Cheers,

Julius