Yes! I agree totally. On eway is to ask the owner himself, but again they will say they cannot work if they dont have SAP_ALL in the profile of the RFC user. What is the independed way to reach there.

The intended way is to document requirements for RFC interfaces and build a role limited to those requirements (not ALL...).

But people are very often not aware of the risks, so I would recommend explaining to them that their RFC interface with limited requirements represents a risk to the entire system as an unknown body of users can do anything to the SAP system at will, which is only limited by the skills of those persons or their fear of being found (multiplied by a severity coefficient of the consequences).

This is a polite way of going about installing "ownership" of the RFC user and responsibility for the authorizations.

Good luck!

Thanks Juluis!! Now here we trip on a very important question point...How does the Unkown body of users get acess to the RFC id /pwd ? Unless its compromised personally ?

What specifics are the potential impacts the compromised id do ?

On the sidetrack , the auditors are moved with RFC users !! Why would that be , to my auditor I put forth the question the answer was " they are not Dialogue users !"

>

> Now here we trip on a very important question point...How does the Unkown body of users get acess to the RFC id /pwd ?

Chances are good that they do not need the id / pwd. They only need the name of the RFC destination (for which the id / pwd is saved in SM59, already) and the ability to run "the" or "an" interface (or generate a dialog session).

Another option is not to save the logon data in the destination, and request that the current user running the interface in the source enter their own (valid) id / pwd for the target.

>

> Unless its compromised personally ?

Not necessarily necessary, but that does often add a new dimension to the risk, as the folks have a wider choice of sources from which they can "run an interface" using the id, and a wider group of folks (who talk to each other...).

>

> What specifics are the potential impacts the compromised id do ?

You mentioned before that it has SAP_ALL?? Go figure what that means...

>

> On the sidetrack , the auditors are moved with RFC users !! Why would that be , to my auditor I put forth the question the answer was " they are not Dialogue users !"

See above (SAP_ALL). The user could change itself to a dialog user... I can think of approximatly 300 thousand reasons (just off the top of my head) why your auditors are <removed_by_moderator>

Most likely they have, much like the interface user owner you described before, been told this and have not questioned it. Or the thought never crossed their minds that the id would not be required at all if it cannot "logon"...

PS: What do you mean by "moved"?

Juluis,

that word got in as I was drafting the question....I wanted to write " worried' "bothered". Apart from SAP your english too is good !!

Cheers

George

Perhaps they have heard something, but might not be sure (yet) what it is?

Auditors in some countries are however not allowed to consult or provide solutions... this places them at an additional disadvantage, as finding the problem is often half of the solution and vis-verse

Cheers,

Julius

Juluis,

I am going hammer & tongs to implement this. Our concern must not be the audit or auditors opinion but larger security of the corporation & associated data.

While remaining a nose-length ahead of the auditors is widely considered a benchmark, I completely agree with your approach as a more sensible and sustainable goal.

Cheers,

Julius