login/isolate_rfc_system_calls and auth/rfc_authority_check

Former Member
0 Kudos

Dear security gurus!

It is now the 5th time or so that I run across system parameter login/isolate_rfc_system_calls. And I still don't have a good view on what it does. As usual, the interesting parameters are not documented.

I am hoping that it changes the S_RFC authorization check of "internal" RFC calls - i.e. the ones that are only checked against S_RFC when auth/rfc_authority_check is set to 2 or 9. I tried that on a 6.10 system - but did not see any change in the authorization trace.

The reason I am looking for change in the S_RFC checks is that I am not completely happy with the options auth/rfc_authority_check offers. There is no setting that would perform an S_RFC authorization check on all externally called function modules (including function modules in group SRFC), but none for internal calls. A setting 9 (or 2 for that matter) requires customers to assign S_RFC authorizations even for internal calls. So that doesn't seem to be a good setting, because if you do that, the affected users can suddenly call those RFC functions even externally.

If anybody knows what login/isolate_rfc_system_calls does or how to configure the ABAP system such that all external but no internal RFC calls are checked against S_RFC, please let me know.

In case you don't want to openly contribute, please drop me an e-mail to my e-mail address.

The topic is not exactly urgent, but I am writing down my views on different configuration details and I am hesitating to phrase a final opinion on auth/rfc_authority_check. Your help is greatly appreciated!

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, there are three different types of Remote Function Calls (regarding the check on the S_RFC authorization object):

- external RFCs (from other ABAP systems / external RFC clients)

- internal RFCs (from the same logical system, only from a different server)

- system RFCs (i.e. those which belong to function module group SRFC)

Those "system function modules" (e.g. "RFC_SYSTEM_INFO", "RFC_PING") can be called w/o providing valid logon data.

Profile parameter login/isolate_rfc_system_calls is not documented because the functionality is not fully implemented.

Internal RFCs will usually be treated identical to "normal" function calls (as if they are not "remotely" invoked).

Best regards, Wolfgang

PS: yes, as of NW 7.1 you can assign RFC start authorizations in a finer-grained way (as has been requested for many years).

4 REPLIES 4

Former Member
0 Kudos

Hi Ralf,

Something which might be of related interest to you is that from release 7.10 you can let the check on S_RFC RFC_TYPE FUGR fail; the system then checks S_RFC RFC_TYPE FUNC (this is then performed against the first characters of the function module name, not the first characters of the function group name).

I once played around a bit with adding SYST to the RFC_TYPE, but much like you I found it to be a bit of a black hole and the hassle-factor is quite high. That was back on 46C. Perhaps things have changed (hence the new param?).

Cheers,

Julius


Former Member
0 Kudos

Sorry to bump this old thread, but there is again more granularity available for this topic:

You can now also control authentication exactly and only for the two RFC_PING and RFC_SYSTEM_INFO FMs, which are then available as public function module names. The others in SRFC will request authentication and authorization for the function group or further names if you wish to expose them.

See SAP Note 931252 (https://service.sap.com/sap/support/notes/931252) for the new value '100' of parameter auth/rfc_authority_check.

Cheers,

Julius
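The following is an added example, not code from this thread or from SAP: a small model of the S_RFC decision logic as the accepted answer and the two replies describe it (three call types, internal calls checked only for values 2 or 9, RFC_PING and RFC_SYSTEM_INFO public under value 100, and the release 7.10 fallback from RFC_TYPE FUGR to RFC_TYPE FUNC on the function module name). The call triple, the trailing-`*` prefix matching, and the behaviour for values other than those named in the thread are assumptions, flagged in the comments; it is useful for checking the questioner's concern that an S_RFC value granted for internal calls also opens the function module to external callers.

```python
"""Model of S_RFC decisions as discussed in the thread (added example, not SAP code).

Assumptions not stated on the page: a call is (call_type, function group, function module);
an authorization is an S_RFC value (RFC_TYPE, RFC_NAME, ACTVT); a trailing '*' in RFC_NAME
is a generic prefix; external calls are checked for any non-zero parameter value."""
from dataclasses import dataclass

PUBLIC_SYSTEM_FMS = {"RFC_PING", "RFC_SYSTEM_INFO"}  # public under value 100 (SAP Note 931252)


@dataclass(frozen=True)
class RfcCall:
    call_type: str  # 'external', 'internal' or 'system' (the three types in the accepted answer)
    fugr: str       # function group, e.g. 'SRFC'
    func: str       # function module name


def _name_matches(pattern: str, name: str) -> bool:
    """Generic RFC_NAME comparison: a trailing '*' matches any continuation (assumption)."""
    return name.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == name


def s_rfc_check_required(call: RfcCall, param_value: int) -> bool:
    """Does auth/rfc_authority_check = param_value subject this call to an S_RFC check?"""
    if call.call_type == "internal":
        return param_value in (2, 9)          # thread: internal calls checked only for 2 or 9
    if call.call_type == "system":
        if param_value == 100:
            return call.func not in PUBLIC_SYSTEM_FMS  # only the two public FMs are exempt
        return False                          # classic behaviour: SRFC group is exempt
    return param_value != 0                   # assumption: external checked whenever active


def s_rfc_authorized(call: RfcCall, auths, param_value: int, fallback_to_func: bool = True) -> bool:
    """True if the call may proceed. auths is an iterable of (RFC_TYPE, RFC_NAME, ACTVT).

    With fallback_to_func (the release 7.10 behaviour Julius describes), a failed
    FUGR check is retried as RFC_TYPE FUNC against the function module name."""
    if not s_rfc_check_required(call, param_value):
        return True
    executable = [(t, n) for t, n, a in auths if a == "16"]  # ACTVT 16 = execute
    if any(t == "FUGR" and _name_matches(n, call.fugr) for t, n in executable):
        return True
    if fallback_to_func:
        return any(t == "FUNC" and _name_matches(n, call.func) for t, n in executable)
    return False
```

Feeding the same authorization list once with call_type 'internal' and once with 'external' reproduces the questioner's point: whatever is granted so that internal calls pass under value 9 also authorizes the external call.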