
RFC - System /Service User Authorizations

Former Member
0 Kudos

Hi Experts,

We are in need of providing correct authorizations for RFC-System & Service users in our SAP system.

Currently we have the SAP_ALL & SAP_NEW profiles for these users, which have to be removed as per audit requirements.

We are tracing users' authorizations (one by one) via ST01 & adding all the objects into a single role.

Is it the correct approach? Is there any other way to trace multiple user ids?

Waiting for your valuable feedback!

Regards,

Nivin

Accepted Solutions (0)

Answers (2)

mvoros
Active Contributor
0 Kudos

Hi,

you should not try to create one massive role that will be used for every RFC user. You should try to create a tailored role for each user. E.g. if an RFC user is used to create sales orders by some external app, then this user should be authorized to create these sales orders only. So in case this external app gets compromised, the attacker won't be able to gain access to your ECC system by misusing the RFC connection. This obviously requires some effort.

For a quick solution that lowers the risk but is not the best, you can try to use the SAP role that is delivered for the workflow user WF-BATCH. It used to be common to assign SAP_ALL to the WF-BATCH user, but later SAP provided a role that removes some risky authorizations.

BTW, unless you just upgraded, you don't need to assign SAP_NEW to your users. You should read about the meaning of the SAP_NEW profile here on SCN.

Cheers
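
An added example, not part of the original answer: a Python sketch that splits exported authorization-trace records per RFC user into tailored role proposals and shows what each user would gain beyond its own needs if all traces were merged into a single role. The CSV layout, the user names `RFC_SALES` and `RFC_REPORT`, the function `Z_READ_STOCK` and the sample values are assumptions constructed for illustration; a trace only covers what ran while it was active.

```python
import csv
import io
from collections import defaultdict

# Constructed sample trace export. The column layout (user, object, fields)
# is an assumption for this example, not the output format of ST01.
# RFC_SALES, RFC_REPORT and Z_READ_STOCK are hypothetical names.
SAMPLE_TRACE = """user,object,fields
RFC_SALES,S_RFC,RFC_TYPE=FUNC;RFC_NAME=BAPI_SALESORDER_CREATEFROMDAT2;ACTVT=16
RFC_SALES,V_VBAK_AAT,AUART=OR;ACTVT=01
RFC_SALES,V_VBAK_AAT,AUART=OR;ACTVT=01
RFC_REPORT,S_RFC,RFC_TYPE=FUNC;RFC_NAME=Z_READ_STOCK;ACTVT=16
RFC_REPORT,S_TABU_DIS,DICBERCLS=MA;ACTVT=03
"""


def checks_per_user(trace_csv):
    """Return {user: set of (object, field, value)} seen in the trace."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(trace_csv)):
        for pair in row["fields"].split(";"):
            field, _, value = pair.partition("=")
            seen[row["user"]].add((row["object"], field, value))
    return dict(seen)


def excess_from_shared_role(per_user):
    """For each user, list what one merged role grants beyond its own trace."""
    merged = set().union(*per_user.values())
    return {user: sorted(merged - own) for user, own in per_user.items()}


def role_proposal(own):
    """Group one user's triples into {object: {field: [values]}}."""
    role = defaultdict(lambda: defaultdict(set))
    for obj, field, value in own:
        role[obj][field].add(value)
    return {o: {f: sorted(v) for f, v in fs.items()} for o, fs in role.items()}


if __name__ == "__main__":
    per_user = checks_per_user(SAMPLE_TRACE)
    for user, extra in excess_from_shared_role(per_user).items():
        print(user, "tailored role:", role_proposal(per_user[user]))
        print(user, "would also get from a shared role:", extra)
```

Grouping values per field loses which values were checked together, so each proposal still needs review before it is built into a role.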

harsha_artani
Explorer
0 Kudos

This message was moderated.
