Authorisations for RFC User
Hello,
Does anyone have an exhaustive list of the authorisations that should be granted to RFC users in GTS and for those in the Feeder Systems?
Thx,
Marc
Hi Marc
I haven't reached this stage yet, as you know.. from the question you have answered for me.
But I believe it is authorization to the object s_rfcacl. Can you check if it works ?
(In a similar situation we tried to give the user access to additional RFC authorizations or SAP_ALL and then once we found the rfc working... reduced the authorizations given to that user)
Is there any specific error that you get when you run the RFC authorization test ?
Similar Messages
-
Hi experts,
We need to set the password for RFC User in small letters.But we are not able to do it ,because of our 'login/*' parameter values.
Is there is any other method to create the password for User ID with small letters(Ex:welcome,hello)?
Thanks in Advance,
Karthika> > Login rules are not specific to user types. It is same for all type of users.
> Sorry, this is not correct. The password validity rules are a good example which don't apply to SYSTEM and SERVICE type users. Other examples are the idle time rules and compliance to policy rules and the logon ticket rules and remote login via debugging rules and...
>
I tried to talk about is as per the ongoing discussion topic i.e. Case sensitiveness of Passwords and not other attributes. So from this point of view there is no such separate rule applies during admin imposed password or during a change (the cases where system prompts for changing password).
> > From NAS 7 there is a change in the password rules.
> There were major changes in 46B, and 6.10 and 6.40 as well, and Karthika still has not told us which release she is on.
>
Agreed totally.
> > [Note 750390 - USR02: various problems with password attributes|https://service.sap.com/sap/support/notes/750390]
> > [Note 624635 - Error messages with password change using RFC function|https://service.sap.com/sap/support/notes/624635]
> I cannot see how these notes are related to this silly requirement of setting a lower-case only password.
>
I didn't went through in details fully but seen it contains a considerable error details.... may be of any help to OP.
> I think either Karthika is playing a joke on us, or the person interviewing Karthika is playing a joke on her... These would be the only logical explanations left which I can see for for such a requirement.
>
May be.. but of course need more information and purpose of such strictness for setting such password. Also the FM PASSWORD_FORMAL_CHECK can be used with required customizations but you are the best person to tell this properly.
regards,
Dipanjan -
Not able to use password with characters for RFC User.
hi All,
I have installed SAP SCM 5.0 with MaxDB 7.6and liveCache 7.6.
I created RFC user and RFC destination to administer liveCache globally as per SAP notes 305634 and 452745. I changed the initial passwords and tested Remote login for RFC User.
But when I try to start liveCache with startrfc following the link below
http://help.sap.com/erp2005_ehp_04/helpdata/EN/95/379f3cad1e3251e10000000a114084/frameset.htm
I got the following error
RFC Call/Exception: SYSTEM_FAILURE
Group Error group 104
Key RFC_ERROR_SYSTEM_FAILURE
Message Name or password is incorrect (repeat logon)
Then I logged into the CI with RFC user and try to start the liveCache with RSLVCSTART T-Code SE38..I got the following error.
Error DBMCLI_COMMAND_EXECUTE_ERROR when starting liveCache LCS on server saplcslc
Message no. LVC007
I tried by changing the password for RFC user to numeric [0-9] and special characters [$,:] which worked fine.
Does anyone faced this issue earlier? I searched notes, sdn and finally google ... but no luck to resolve the issue.
Your help is much appreciated.
Thanks,
VenkatYes I used LCA as liveCache connection. I resolved the issue with RSLVCSTART. Thanks for your suggestion to run connection test. I used wrong password for control user in the LCA connection. Now LCA connection shows everything is fine.
But I am still not able to use alphanumeric password RFC user to start the liveCache from command line. I get the following when run startrfc command...
bash-3.00$ /usr/sap/CAT/rfcsdk/bin/startrfc -3 -d LCSCLNT001 -h sapcatci -s 51 -c 001 -u LCSRFC -p Mach1cspsap\$ -l EN -F START_LIVECACHE_LVC -E IV_CON_NAME=LCA
RFC Call/Exception: SYSTEM_FAILURE
Group Error group 104
Key RFC_ERROR_SYSTEM_FAILURE
Message Name or password is incorrect (repeat logon)
bash-3.00$ echo $?
1
But I can start the liveCache from command line with numeric password successfully.
bash-3.00$ /usr/sap/CAT/rfcsdk/bin/startrfc -3 -d LCSCLNT001 -h sapcatci -s 51 -c 001 -u LCSRFC -p 19811983\$ -l EN -F STOP_LIVECACHE_LVC -E IV_CON_NAME=LCA
bash-3.00$ echo $?
0
Note the difference between the passwords used. Do i need to change any settings to accept alphanumeric passwords for RFC user.
Note that I am able to start liveCache server in both cases(alphanumeric password and numeric password) by logging into SAP GUI and RSLVCSTART program. The problem is only when i try to start the liveCache from the commandline.
Any help will be much appreciated.
Thanks,
Venkat -
Authorization Required for RFC user in R/3-APO system.
Could you please help regarding one authorization issue. I want to know the authorization required for one RFC user. Now this RFC user used for RFC connection of SAP R/3 - SAP APO system. user type is given dialog type and SAP_ALL profile has been given to this user id. Now I have to remove SAP_ALL from this user id in R/3 and APO system and provide the required the authorization in R/3 and APO system.
Regard
AuroshikhaThe RFC authorisation depends completely on what the user is doing (ALEREMOTE?). We can't tell you what RFC auths your connection requires.
There is a guide to doing this here: https://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections -
Authorisations for a user in SM59
Hi,
I am in the process of configuring a SM59 ABAP connection between two systems say A and B
I have created user id in the System A and B
I wanted to know teh roles and authorisations, to be present for a user to be used in SM59 ABAP Connection
I dont want to give SAP_ALL(System User)
I wanted this RFC connection to be used for CUA Configuraiton
Please helpwhile defining RFC you should use user of type System which can't be used for Dialog (Interactive) Login and hence there is no harm in providing SAP_ALL & SAP_NEW.
If you want to define your own role still, then I would say there are few specific Objects need to be present as default... but the other are dependent on the type of connection and activities that RFC is going to perform. As a default, S_RFC, S_RFCACL, S_TABU_DIS (optional) are required.
If you check the following notes, you will be understand the requirement of idealizing the Task in which the RFC is going to be involved.
[ Note 338537 - RFC user authoriz. for data exchange R/3 back end <-> CRM|https://service.sap.com/sap/support/notes/338537]
Similarly if it is going to use for IDoc processing: [Note 325361 - IDoc processing authorizations|https://service.sap.com/sap/support/notes/325361]
[Note 412309 - Authorization profile RFC user for IPC|https://service.sap.com/sap/support/notes/412309]
Regards,
Dipanjan -
Access to some UDFs authorised for certain user
Dear All,
This issue made me confusing, it is about UDF access authorisation. Is it possible to authorise a certain user to open or view UDF ?For example : I have 5 UDFs that only can be used by sales dept user and 5 UDF's are for purchasing dept. How to authorized the UDFs according to its dept ? Thanks in advance.
Rgds,Hi All,
I managed to resolve this problem by using additional authorisation creator that using form ID 38 and then in the general authorisation --> user authorisation is set to no. if it is authorised per user name, the user will not able to open UDF settings (CtrlShiftB) except there is the same level with him/her that can open the document, I think the settings can be opened. I almost escalated this problem to SAP support.
Tks for your all participations. More power to you...
Rgds, -
Authorizations needed for MAM 2.5 for RFC user and business users
Hello all,
We are using MAM 2.5 application but we are facing authorizations issues.
It seems we have not enough authorizations on RFC user used between middleware system and back-end system located on the RFC destination MAM on the middleware.
And we don't find any SAP document related to this customizing.
Moreover is there any other or same document deals with authorizations needed on the back-end for each user using MAM on its mobile device ?
Thank in advance,
Eric GOURDOUHello,
Can you send me the errors you have?
If you have a trusted connection, then each users need the authorization S_RFCACL .
Other than that, I never had to set any authorization for the plant maintenance scenarios of MAM.
Thank you,
Julien.
msc mobile Canada
http://www.msc-mobile.com -
Status Profile: Configuration required for authorisation based on user
hi friends
from the sale order , i configured the status profile for authorisation for release the item level .
so what i do for cofiguration to give authorisation particular user(manager) and also not required for user(end user)
with regards
dinesh
Edited by: code acess on Feb 28, 2011 6:22 AMhi ram
thanks, how i give authorisation for particular user.. i need configuration setting for authorisation. i dont know what i tell to Basis for authorisation.
Consultant
with regards
dinesh -
Password inconsistancy issue with RFC users in ECC 6.0 System after upgrade
Hi,
We have upgraded the system from 4.7 to ECC 6.0, but facing the password inconsistancy problem for RFC users. We have set the parameters like "login/min_password_lng" as "8" and "login/password_downwards_compatibility" as "3" & RFC user Type is "system". Could you please suggest how to resolve the password inconsistancy issue.Hi Chandan,
you need to run the txn. SECSTORE and there it will shows you all the RFCs that have inconsistent passwords. Please maintain the correct passwords there.
In case the existing passwords are no longer acceptable due to new security policies as per the new SAP version, you will have to change the password from SU01.
Regards,
Shitij -
MM01 tcode for SD user with restriction to SD related codes only
Dear Experts
How can we assign MM01 Authorisation for SD user with a restriction that he can access only <b><u>SD RELATED MATERIAL ONLY</u></b> ?, Why because the material master is same for <u>MM Module</u> and <u>SD Module Product Master</u> also.
There is no listing for Material Group parameter in the Material Object
Material Type Object : M_MATE_MAR
Material Object : M_MATE_MAT
Thanks in advance
Please advise me.
Regards
PS PrasadDear Corinne Müller
First of all, let me say Sorry for the late reply to your post.
I have gone through the objects you have told to that particular SD User.
He have been already assigned those objects. But one thing I have observer
here is the authorisation object you have given M_MATE_WGR
contains 2 parameters those are
(01) Activity 01, 02, 03
(02) Authorization Group
The above said (02) parameter does not contains any data to select in its dropdown box. I think functional people does not created material groups
while doing configuration part.
So, here I can not distinguish the material whether it related to SD Module OR MM Module. And can not restrict user's to access TCode MM01 basing on their module related material only. Am I right ????
Any further suggetions ?????
Thanks for your reply.
I am just learner in BASIS. Kindly be in touch with my e-mail id.
My E-Mail id : [email protected]
Thanks once again
PS Prasad -
Dear All,
We are using SRM classic scenario process ( SRM 5)
Accordig to SAP Note 938411 , we have to change the RFC user to RFCUSER ,
( It was SAPRFC) ,
This change caused us a problem on creating SC ( Runtime Error " GETWA_NOT_ASSIGNED" on ST22).
We appreciate to get more information on this issue.
Best Regards,
Moshe
Message was edited by:
Moshe Stein
Message was edited by:
Moshe Stein
Message was edited by:
Moshe SteinHi
<u>Which R/3 system version are you using ?</u>
Please ensure the following settings have made made correctly in R/3 back-end system.
<b>Be sure only ht follwoing changes as suggested in SAP OSS Note 938411 are done.</b>
<u>FUNCTION BAPI_GOODSMVT_CREATE</u>
<b>Delta 001Context Block </b>
* map head to internal structure **************************************
CALL FUNCTION 'MAP2I_B2017_GM_HEAD_01_TO_IMKP'
EXPORTING
BAPI2017_GM_HEAD_01 = GOODSMVT_HEADER
CHANGING
IMKPF = S_IMKPF.
<b>Delete Block</b>
S_IMKPF-USNAM = SY-UNAME.
<b>Insert Block </b>
IF SY-UNAME = 'RFCUSER'.
S_IMKPF-USNAM = GOODSMVT_HEADER-PR_UNAME.
ELSE.
S_IMKPF-USNAM = SY-UNAME.
Don't forget to activate the Function module <u>FUNCTION BAPI_GOODSMVT_CREATE</u> after making the changes in R/3 backend.
Also, Please read OSS Note for RFC User details.
Note 642202 - EBP user admin: RFC user profile in back end/plug-in
Do let me know.
Hope this will definitely help.
Regards
- Atul -
User has no authorisation for function group SYST?
Hi All,
I was trying to open Bex Analyzer in BI 7.0.
I am getting the error as mentioned below:
"User has no authorisation for function group SYST".
Why is it so.
Please reply.
Thanks in Advance.Unless you have full authorizations (SAP_ALL / SAP_NEW) you have to grant authorizations for each activity.
With PFCG, add the following RFC on Authorization Object S_RFC:
RFC1
RS*
SDIFRUNTIME
SYST
SYSU
Hope it helps
GFV -
In the profiles of the RFC users it was noticed that SAP_ALL was present. In order to remove this, :
1.its needed to know what other authorisations need to be assigned.
2. This is the bottle neck. How does one understand which are the activites that are being performed.
Thanksgeorge G wrote:george G wrote:george G wrote:george G wrote:>
> Now here we trip on a very important question point...How does the Unkown body of users get acess to the RFC id /pwd ?
Chances are good that they do not need the id / pwd. They only need the name of the RFC destination (for which the id / pwd is saved in SM59, already) and the ability to run "the" or "an" interface (or generate a dialog session).
Another option is not to save the logon data in the destination, and request that the current user running the interface in the source enter their own (valid) id / pwd for the target.
>
> Unless its compromised personally ?
Not necessarily necessary, but that does often add a new dimension to the risk, as the folks have a wider choice of sources from which they can "run an interface" using the id, and a wider group of folks (who talk to each other...).
>
> What specifics are the potential impacts the compromised id do ?
You mentioned before that it has SAP_ALL?? Go figure what that means...
>
> On the sidetrack , the auditors are moved with RFC users !! Why would that be , to my auditor I put forth the question the answer was " they are not Dialogue users !"
See above (SAP_ALL). The user could change itself to a dialog user... I can think of approximatly 300 thousand reasons (just off the top of my head) why your auditors are <removed_by_moderator>
Most likely they have, much like the interface user owner you described before, been told this and have not questioned it. Or the thought never crossed their minds that the id would not be required at all if it cannot "logon"... -
Which user type to user for RFC receiver channel
Hi Forum,
I m developing XI scenarios which include RFC receiver chhanel (in IB: Integration Directory), to call a function moule in a R/3,
which kind of user should i use for this purpose, i mean to say,
which user type:
SYSTEM
Dialog
Communication
System
Reference
and what should be the roles of that user,
which type of the user doesnt gets locked, on wrong attemptsHi,
Generally S_RFC and S_SERVICE authorizations are nedded while calling RFC module from R3. Also check for role S_RFC_ADM
The backend should have the authorization to execute the RFC on the backend.
You can test the module in R3 and create a role using PFCG assign the tcode - SU53 (authorization check) and also assign the S_RFC and S_SERVICE to role.
Refer
RFC Logon user authorizations
Question on service userid - for RFC call
End User Authorizations and Roles
Calling R3 RFC via http
For RFC different authorization object is requried. You can ask your basis team to add the relevant authorization object in a new role and then add the new role to any existing service user or better create a new system user and add the role.
Thanks
swarup -
RFC User for satellite systems
Hello Gurus,
I just wanted to ask about one issue. We are a SAP partner and using Solution Manager in VARs scenario. There are many systems of our customers connected to our Solution Manager..
Now I want to ask about RFC user(s). As I see, in our Solution Manager there are many users(communications type C) with Synthax SOLMAN<system id> or something like that. It means basically, that we have for every particular customerS system one SOLMAN user for RFC(cust_scout) in our Solution Manager. My question is if we can replace all of these users with only one RFC user for all the systems and customers?
Many thanks in advance for your help
Miloslav Pudil
IDS Scheer
Prague
Czech Republic>
Miloslav Pudil wrote:
> I just wanted to ask about one issue. We are a SAP partner and using Solution Manager in VARs scenario. There are many systems of our customers connected to our Solution Manager..
> Now I want to ask about RFC user(s). As I see, in our Solution Manager there are many users(communications type C) with Synthax SOLMAN<system id> or something like that. It means basically, that we have for every particular customerS system one SOLMAN user for RFC(cust_scout) in our Solution Manager. My question is if we can replace all of these users with only one RFC user for all the systems and customers?
Hi Miloslav,
Technically, it will work that you define one common RFC user in your SolMan for communication (RFC BACK destination) from all connected managed systems.
BUT, I would never recommend it.
Once a managed system cause issues in your SolMan, you are not able (or at least it's much more difficult) to identify the managed system. Same happens, if a invalid password in the BACK destination leads to a locked user.
My recommendation: Spend the extra effort in creating a user per managed system. Operation will be much easier later.
See also this guide:
[Activating EarlyWatch Alert [EWA] in End Customeru2019s System |http://service.sap.com/~form/sapnet?_SHORTKEY=00200797470000089947&_OBJECT=011000358700000567342009E]
Best regards,
Ruediger
Maybe you are looking for
-
Creating a restore image on an external drive with package install options
Hi, I'm looking to use a combination of tools maybe Deploy Studio, System Image Utility etc to create an image that isn't Netbooted but rather on an external drive (a fast Thunderbolt raid enclosure) - a restorable image which will contain OSX setup
-
How to Determine Task Key based on Task Name?
Hi all, I'm trying to implement addProcessTaskInstance and I can't seem to dynamically obtain the task key. I want to find this based on the task name since this will be consistent through environments, but due to multiple development streams going o
-
Problem with lm_sensors.
My system is core i7 860 / asus p7p55d Archlinux kernel 2.6.30 I'm install lm_sensors 3.1.1 but its seem doesn't work. When I run sensors-detect, the result is Driver `max6650': * Bus `NVIDIA i2c adapter ' Busdriver `nvidia', I2C address 0x4b
-
WDTV Live connection help needed
Hi, I just changed ISPs yesterday to BT Total Broadband, i've managed to get everything to connect ok, but I can't stream content over to my WDTV Live, it finds it on the Home Network > Devices ok but when I go to find files over on my WDTV Live und
-
Why is Downloading Creative Cloud desktop taking so long?
It is an unusually large file size, or are many people experiencing this issue? It seems to have been stalled for two hours - no movement. My internet connection is fine.