SAP_ALL authorization for "system" user type
We have a few RFC users between the BW, APO and E-Rec systems for data exchange or data extraction. We have created them as "system" users and assigned SAP_ALL. I would like to know whether it is OK to assign SAP_ALL to system users, or whether we need to drill down to limited authorizations.
If we need to remove SAP_ALL, then how do we find the authorizations required by these RFC SAP IDs? Do we need to activate the trace individually for them, or will providing S_RFC and S_RFCACL with full access be enough?
Thanks in advance.
Particularly in the case of system users with saved logon data (in connections such as those defined in SM59), it is important to limit their authorizations, as one does not need to know the password or intercept it: you simply run the connection and call your RFC in the remote system, and the system will authenticate the user in the connection data.
You can compare this to an anonymous remote control of the SAP system which can only be meaningfully controlled via restricting the access.
Unfortunately, it is a rather tricky and very error-prone procedure to restrict the access or retrofit the correct users (and user type) in the connections. Typically you also only have one chance, after which you are never allowed to go near an RFC connection again because you are famous in the company for causing 1000s of short dumps and delaying the month-end reporting... ;-)
However there are some gurus at SAP who have made a fine art out of this (I also contributed a bit to the methodology and tools) and if you want SAP to fix your connections for you, then see SAP Note 1682316 for more details of your options.
In addition to the "best practice" approach and experience of what will be needed (e.g. at month end..) the roles are built upwardly-compatible until release 7.31 and alert you with hints if security related SAP Notes affect RFCs which you actually use.
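As an added example (not part of the original thread and not SAP's tooling), the sketch below turns a record of observed RFC calls into a per-user S_RFC proposal and flags users whose observation window does not span a month end, the case the answer warns about. The CSV layout, user names and function group names are constructed assumptions; S_RFC with the fields RFC_TYPE, RFC_NAME and ACTVT (16 = execute) is the standard authorization object.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: one row per observed RFC call (hypothetical export layout).
SAMPLE = """user,function_group,call_date
RFC_BW,ZGRP_EXTRACT,2024-03-04
RFC_BW,ZGRP_META,2024-03-18
RFC_BW,ZGRP_EXTRACT,2024-04-02
RFC_APO,ZGRP_PLAN,2024-03-11
RFC_APO,ZGRP_PLAN,2024-03-15
"""

def is_month_end(d):
    """True if d is the last calendar day of its month."""
    return (d + timedelta(days=1)).month != d.month

def window_spans_month_end(first, last):
    """True if the period first..last contains at least one month-end day."""
    return (first.year, first.month) != (last.year, last.month) or is_month_end(last)

def propose_s_rfc(csv_text):
    """Return {user: {"s_rfc": [field dicts], "covers_month_end": bool}}."""
    groups = defaultdict(set)   # user -> function groups actually called
    days = defaultdict(set)     # user -> dates on which calls were observed
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[row["user"]].add(row["function_group"])
        days[row["user"]].add(date.fromisoformat(row["call_date"]))
    proposal = {}
    for user in sorted(groups):
        proposal[user] = {
            # One S_RFC value set per observed function group, execute only.
            "s_rfc": [{"RFC_TYPE": "FUGR", "RFC_NAME": g, "ACTVT": "16"}
                      for g in sorted(groups[user])],
            # Without a month end in the window, period-end calls may be missing.
            "covers_month_end": window_spans_month_end(min(days[user]), max(days[user])),
        }
    return proposal

if __name__ == "__main__":
    for user, p in propose_s_rfc(SAMPLE).items():
        names = ", ".join(v["RFC_NAME"] for v in p["s_rfc"])
        note = "" if p["covers_month_end"] else "  (window misses month end: keep observing)"
        print(f"{user}: S_RFC FUGR [{names}] ACTVT 16{note}")
```

A user flagged as missing a month end should stay under observation before SAP_ALL is removed, since calls that only run at period end would not yet appear in the proposal.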