S_RFC

              Manually   Authorization Check for RFC Access                           S_RFC

               Manually   Authorization Check for RFC Access                          

                 Activity                       16                                                                          ACTVT

                 Name of RFC to be protected    *                                                                           RFC_NAME

                 Type of RFC object to be prote FUGR, FUNC                                                                  RFC_TYPE

Regards,

Prasant

Are you still getting error after adding authorization object.

Regards,

Prasant

HI Rahul

S_RFC is the answer but I don't recommend putting asterisk in

When you build your PFCG role you can add the function module to the menu and then leverage SU24. It will automatically bring in the correct S_RFC values and let you know why they are in the role (shows as standard instead of manual object)

Regards

Colleen

Hello Colleen,

It my Fault.

there so so many function module called

which can only be found using trace on target system.

Regards,

Prasant

all good

I find easiest way is to run a trace with the user with S_RFC asterisk. Run this in STAUTHTRACE so that it's in ALV format.

You can then get every RFC function module under the program. You will probably only see the S_RFC FUGR values instead of FUNC as it's checked first.

Build you PFCG by adding those into PFCG and the two S_RFCs will default in to authorisations - 1 will be deactivated which is the FUGR values whilst the FUNC values will remain.

Take of your S_RFC asterisk and then you can try again with the trace to see if any others are missing

It's a bit quicker than sifting through ST22 short dumps.

Once you get the function modules you can then analyse the trace files for other permissions and update SU24 for the function module

Think of it this way - we put all of the effort into implementing GRC. If you maintain SU24 properly then you get a better understanding as to why certain objects are in a role. Then, if SoD issues appear you can easily determine what impacts you have if you attempt to remove access.

Regards

Colleen

Target system you enable trace.

check SU53 for RFC user in target system

SU53 press F5 and select RFCUSER ID you can find the missing auth object aswell..

REgards,

Prasant

Hi Prasant and Rahul

Using SU53 is a slow way of identifying all of the issues. More than likely the exception hasn't been caught so you will see S_RFC failures in ST22.

As mentioned, In general, switch on STAUTHTRACE in the plug-in system (as that's where the call takes place)

SU53 won't help you much to switch user as it's written to logs instead of USR07 now. STAUTHTRACE will get you all the failures. Again, as I mentioned, you can elevate some of the authorisations (e.g. put S_RFC with ACTVT for FUNC but asterisk for function module or put S_USER* objects as asterisk). In doing this, the replication/job will succeed and then you can use your trace to reduce the values and remove your asterisk.

Regards

Colleen