
Error in ABAP service user authorizations

rondv
Advisor
0 Kudos

All,

When trying to read the help values from a NW AS ABAP, I get the following error in the IDM job log:

Messages
Error

Error occured in JCo3Proxy.logonSapi(String):

java.lang.Throwable: Initialization of destination EC1CLNT100 failed: No RFC authorization for function module RFCPING. on 192.168.1.132 sysnr 00

Error

Exception reading table: 'TSAD3' com.sap.conn.jco.JCoException: (103) JCO_ERROR_LOGON_FAILURE: Initialization of repository destination EC1CLNT100 failed: No RFC authorization for function module RFCPING. on 192.168.1.132 sysnr 00


And this in the ST22 view of the system log in the ABAP system:

How does one fix this? I did the original role assignment (SAP_BC_SEC_IDM_COMMUNICATION) and then I did the update of it according to OSS note 1557803.
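
Both job-log messages in the post above name the same refused function module, so the table read failure is a consequence of the RFC authorization failure rather than a separate table problem. As an added example (not part of the original post), this Python parser groups such lines by destination and function module; the sample log is constructed from the two messages quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two messages quoted in the post, one per line.
SAMPLE_LOG = """\
Error occured in JCo3Proxy.logonSapi(String):
java.lang.Throwable: Initialization of destination EC1CLNT100 failed: No RFC authorization for function module RFCPING. on 192.168.1.132 sysnr 00
Exception reading table: 'TSAD3' com.sap.conn.jco.JCoException: (103) JCO_ERROR_LOGON_FAILURE: Initialization of repository destination EC1CLNT100 failed: No RFC authorization for function module RFCPING. on 192.168.1.132 sysnr 00
"""

# Root cause: the ABAP system refused an RFC call for the service user.
AUTH_RE = re.compile(
    r"Initialization of (?:repository )?destination (?P<dest>\S+) failed: "
    r"No RFC authorization for function module (?P<fm>\w+)\. "
    r"on (?P<host>\S+) sysnr (?P<sysnr>\d+)"
)
# Optional context: which table read was in progress, and the JCo error name.
TABLE_RE = re.compile(r"Exception reading table: '(?P<table>[^']+)'")
JCO_RE = re.compile(r"\((?P<code>\d+)\) (?P<name>JCO_ERROR_\w+)")


def parse_line(line):
    """Return a dict for an RFC authorization failure, or None for other lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    finding = m.groupdict()
    t = TABLE_RE.search(line)
    j = JCO_RE.search(line)
    finding["table"] = t.group("table") if t else None
    finding["jco_error"] = j.group("name") if j else None
    return finding


def summarize(log_text):
    """Group failures by (destination, function module) with affected tables."""
    summary = defaultdict(lambda: {"hits": 0, "tables": set(), "jco_errors": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = summary[(f["dest"], f["fm"])]
        entry["hits"] += 1
        if f["table"]:
            entry["tables"].add(f["table"])
        if f["jco_error"]:
            entry["jco_errors"].add(f["jco_error"])
    return dict(summary)
```
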

Accepted Solutions (1)

jaisuryan
Active Contributor
0 Kudos

Hi Ronald,

Check the below thread.

Kind regards

Jaisuryan

rondv
Advisor
0 Kudos

Hi Jay, thanks for responding. I did indeed find that post, but it does not provide specific instructions on what to do for a layman (the group to which I will count myself when it comes to SAP authorizations in a NW AS ABAP :-)) so I couldn't do much with it.

Community, SAP IDM product/solution people: call for action?

Assuming my status applies to others in the same predicament, is there any guidance on what one needs to do specifically to fix this (adding RFC stuff to the user account, or updating the default SAP_BC_SEC_IDM... role etc.)? If this RFC authorization is missing, is this a generic problem for the IDM documentation? I looked through most of the IDM 7.2 material and I cannot find much mention of what authorizations to set for an ABAP service user. The "missing" RFC authorizations and how to apply them are also not mentioned, let alone part of the pre-configured role that is mentioned sparsely (SAP_BC_SEC_IDM...).

I guess there are more of us out there interfacing with NW AS ABAP systems. Can someone add to the basic documentation for all of us out there who are no authorization gurus and tell us what we need to add or change, or perhaps SAP can even improve the core delivery?

I am on IDM 7.20 SP09, with the absolute latest patches (updated my system again last Friday) and it's working well, other than this functionality issue :-).

jaisuryan
Active Contributor
0 Kudos

Hi Ronald,

You can just pass the ball to the SAP Security guy. This is something for the SAP BASIS or Security administrator who manages NW AS ABAP systems to work on. Just show him the solution and he will know what to do. This is basic SAP "Security" work and that's why it's not being discussed or explained much in our community.

Should you be interested in SAP Security, then you can try taking the ADM 940 course.

ADM940 - AS ABAP - Authorization Concept | SAP Training and Certification Shop

Kind regards,

Jai

rondv
Advisor
0 Kudos

Hi All, Jay,

I agree with your suggestion, and sort of did that :-). We dug into this and found the following, which I hope helps other people. Here is what happened:

1) Indeed, as indicated in other posts already, the profile was not generated for role "SAP_BC_SEC_IDM_COMMUNICATION". I should have known, as it showed a yellow icon in front of the Authorizations tab in PFCG for the SAP_BC_SEC_IDM_COMMUNICATION role. So, we (our security basis guy and myself) went in and clicked on "Change Authorization Data" and then clicked on the generate icon (which is the 4th one from the left in my NW AS ABAP 7.42 under the "Change Role: Authorizations" panel header).

Then we clicked on the "Save" icon (the floppy disk). Then we went back with the green << icon. A pop up came: "Exit Authorization Maintenance", saying profile status "not generated", so we clicked on the generation icon again (this time third from left, next to X icon). We came back to the "Change Roles" screen, and clicked on "Save" again.

Then we selected the User tab, and clicked on "User Comparison". The service user to which we assigned the role previously was in the table. After we got a popup about the comparison, we clicked on the "X" in the pop-up window and now the "User Comparison" button showed green icon in front of it.

We then proceeded to check the contents of the RFC authorization that was part of the role. It indeed had the values that Jim above indicated, so that was fine, no need to add anything.

Then I ran the "ABAP Read Help Values" test job again that I had set up already in IDM. Surprise, a lot fewer errors (but still some, more in a moment). The profile generation step therefore is needed, but the addition of the RFC authorization is not, it's already there. As a non-security layman I did not know what that meant or entailed; some more guidance in the docs would have been nice. Now you have something in the text above at least.

2) Ok, more errors.

The "ABAP Read Help Values" IDM job failed on reading the USGRP and USGRPT tables. After verifying these are indeed tables in the NW AS ABAP system (with SE16) we went back into PFCG on the NW AS ABAP. Once into change mode (by clicking on change this time) for SAP_BC_SEC_IDM_COMMUNICATION, we clicked on the "Authorizations" tab and on "Change Authorization Data".

We then expanded the "Basis: Administration" part (one of three line items in the Authorizations of this Role in my system), and under it, the "Table Access via Generic Standard Tools" item.

In here you see a list of tables in the "Table Name" line. Lo and behold, the USGRP and USGRPT tables were NOT in there. It did have the USRGRP and USRGRPT tables, but not the two the job was complaining about.

So, we added USGRP and USGRPT to this list, generated again, saved again etc. etc. like described above, and then I ran the "ABAP Read Help Values" job again in IDM. No more errors.

What I need to figure out now is whether this is indeed a problem of the basic delivery, or not. If it is, then perhaps something will need to be updated, or described in some form of guidance as part of the product materials I guess. I'll see what I need to do.

Disclaimer: Please keep in mind I was working in a SBX NW AS ABAP, and as such did not care about, and had powers to modify, the original SAP_BC_SEC_IDM_COMMUNICATION role. In real systems I guess one should heed the normal SAP adages about copying the role to a Z_ role first and then doing the edits.

jaisuryan
Active Contributor
0 Kudos

Hi Ronald,

Appreciate your efforts to update the detailed procedure to solve this issue.

Kind regards,

Jai

Answers (1)

jimguo
Advisor
0 Kudos

Hi,

Please check if the user has authorization object S_RFC assigned with:

  • ACTVT: 16
  • RFC_NAME: SYST
  • RFC_TYPE: FUGR

After that, please ensure the profile of the role has been generated.

Thanks.

Jim