
How to protect RFC-Direct calls

Private_Member_19084
Active Contributor

Hi experts,

We have the case that users are making RFC calls (e.g. via VB or Excel) to our SAP system, executing RFC-enabled FMs and extracting data there.

How can I protect the system so that the user cannot do this?

As far as I know, it is also not possible with S_RFC.

Kind regards

Accepted Solutions (1)

isaias_freitas
Advisor

Hello,

With the authorization object S_RFC you will be able to define which function modules the users can call. So, you could actually use S_RFC to limit this access.

Unless the users should be able to call the function "abc" within SAP (e.g., while running a transaction/report being logged on with SAP GUI) but not from external tools (like Excel).

In this case, you could block the gateway port (TCP port 33$$, where "$$" is the SAP instance number) at a firewall, not allowing the end users to make RFC calls from external tools to SAP.

Regards,

Isaías

Private_Member_19084
Active Contributor

Hello Isaias,

That's what I mean.

In SAP, a lot of RFCs are also used internally by applications.

Therefore the user needs to have S_RFC in some cases. But I would like to block the possibility of accessing RFC from outside SAP, at least without control.

How can I limit this?
Can I do this also in the gateway?


Kind regards

isaias_freitas
Advisor

Hello Christian,

I am not aware of anything at SAP itself that would allow the user to execute a function module while logged on within SAP GUI and not allow it if executed with another tool.

After the user has logged on, it is the same user with the same authorizations, no matter how the logon took place.

The only option I see is to block the access from the end users to the TCP port of the Gateway, as I commented in my previous reply.

Kind regards,

Isaías
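Putting the two points from Isaías's replies together (S_RFC decides which function modules a user may call; the network decides from where the gateway port 33NN can be reached at all), here is an added example, not from this thread and not SAP's own tooling, of how the gateway block could look on a Linux application server using nftables. The instance-number-to-port mapping (3300+NN for the gateway sapgwNN, 4800+NN for the SNC-secured gateway sapgwNNs) is SAP's standard numbering; the host addresses, subnets and the table name are constructed assumptions. The caveat a practitioner will want: whichever peers stay on the allow list (other application servers, middleware, job hosts) keep full RFC reach, so this does nothing against a user who can run code on one of those hosts, and S_RFC remains the only control inside SAP itself.

```shell
#!/bin/sh
# Added example, not from the thread: derive the SAP gateway ports for an
# instance number and emit an nftables ruleset for the application server
# that lets only known RFC peers reach the gateway, so end-user PCs cannot
# open RFC connections from Excel/VB/JCo while SAP GUI (dispatcher port
# 32NN) stays reachable. Hosts, subnets and the table name are constructed.

# Validate a two-digit instance number (00-99); returns 1 otherwise.
_sap_instance_ok() {
    case "$1" in
        [0-9][0-9]) return 0 ;;
        *) echo "instance number must be two digits (00-99), got '$1'" >&2; return 1 ;;
    esac
}

# sapgwNN (plain gateway) listens on 3300+NN.
sap_gateway_port() {
    _sap_instance_ok "$1" || return 1
    n=${1#0}                      # drop a leading zero so "08" is not parsed as octal
    echo $((3300 + n))
}

# sapgwNNs (SNC-secured gateway) listens on 4800+NN; block it as well,
# otherwise an RFC client configured for SNC simply uses the other port.
sap_gateway_snc_port() {
    _sap_instance_ok "$1" || return 1
    n=${1#0}
    echo $((4800 + n))
}

# gateway_ruleset NN PEER... : print an nftables ruleset that accepts the
# gateway ports only from PEER addresses/CIDRs (other app servers, the
# middleware that legitimately calls RFCs) and logs and drops the rest.
gateway_ruleset() {
    nn=$1; shift
    [ $# -gt 0 ] || { echo "at least one allowed RFC peer is required" >&2; return 1; }
    gw=$(sap_gateway_port "$nn") || return 1
    gws=$(sap_gateway_snc_port "$nn") || return 1
    peers=$(printf '%s, ' "$@"); peers=${peers%, }
    cat <<EOF
table inet sapgw {
    set rfc_peers {
        type ipv4_addr
        flags interval
        elements = { $peers }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # dispatcher 32$nn and everything else stay reachable (policy accept)
        tcp dport { $gw, $gws } ip saddr @rfc_peers accept
        tcp dport { $gw, $gws } counter log prefix "sapgw-blocked " drop
    }
}
EOF
}

# Check from an end-user PC that the gateway port is really closed: the
# connect attempt must fail once the ruleset is loaded (requires nc).
probe_gateway() {
    host=$1; nn=$2
    port=$(sap_gateway_port "$nn") || return 1
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
        echo "$host:$port reachable - RFC from this PC is still possible"; return 1
    fi
    echo "$host:$port filtered"
}

# Example: instance 00, with two app servers and the middleware subnet
# (constructed addresses) as the only allowed RFC peers.
gateway_ruleset 00 10.10.1.11 10.10.1.12 10.20.0.0/24
```

Write the generated ruleset to a file, syntax-check it with `nft -c -f sapgw.nft`, then load it with `nft -f sapgw.nft`. Afterwards `probe_gateway <appserver> 00`, run from an end-user PC, should report the port as filtered while a SAP GUI logon on 3200 still works; the `log prefix "sapgw-blocked "` rule gives you the source addresses of any tools that were still trying to connect directly.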

Private_Member_19084
Active Contributor

So if a user has the authorization for an FM which reads data out of SAP or creates data in SAP (because internally it is also used, e.g. for a booking procedure), it means that he can also do it from outside SAP and do everything manually.

Within SAP I have protection, because he cannot use SE37 or call it for any data, as a lot of other authorization objects may be checked before the FM (e.g. in ME22N a lot of other authorizations are checked).

So this sounds like a big leak, doesn't it?

How do you handle this problem?

Kind regards

isaias_freitas
Advisor

Hello,

A user would not be able to simply call a function module without having SAP GUI access or an RFC-enabled client.

The user must have something installed on his computer that enables him to connect to SAP in some way.

If such a client allows the user to manually add a function to be called, I would say this is a flaw in the client.

But once connected to SAP and correctly authenticated, if the user has the authorization SAP must allow the execution.

Kind regards,

Isaías

Private_Member_19084
Active Contributor

Hello Isaias,

thank you for the information.

So what I got is that it isn't possible to realize in an easy way allowing RFC calls only from defined systems to systems.

Kind regards

isaias_freitas
Advisor

If there is a way, I have never heard of it.

Kind regards,

Isaías

hemanth2
Product and Topic Expert

Dear Christian,

Hope you are doing good.

I would say, keep an eye on the gateway connections using /nSMGW or the report "RSGWREGP", which also gives a good overview of the connections (but it does not display "jstart"), and then see where the connections are coming from.
I do not think there is any other way. For example, a developer can install SAP JCo on his local machine and extract data from the backend SAP system using RFC connections (only authorization-level limitations are possible).


Hope this helps.

_ _ _ _ _ _ _ _ _

Kind Regards,

Hemanth

isaias_freitas
Advisor

But only if network access to the gateway port (33XX) is allowed from the end users' computers.

Answers (2)

Private_Member_19084
Active Contributor

Hello guys,

one general question regarding this.

What about the RFCEXEC.SEC, isn't this the file which controls who is allowed to access what?

Kind regards

raviraj_sap
Participant

Hi

rfcexec.sec is the tool to start other programs from within SAP (ABAP) on the OS level via the gateway on any other (or the same) server.


For details refer:


Thanks

Ravi

isaias_freitas
Advisor

Hello,

The "rfcexec.sec" file is only used by the rfcexec program. It allows you to set security rules, configuring what rfcexec will allow to be executed. The SAP note 1581595 can help you understand it.

The "rfcexec.sec" file will not prevent other computers from opening RFC connections to the Gateway.

Kind regards,

Isaías

manumohandas82
Active Contributor

I believe the only way is through authorizations.

Check the below document

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b2cce390-0201-0010-5a9f-cca08c75b...

Thanks ,

Manu