Restricting RFC User access

We have some RFC users with SAP_ALL access.
Auditors placed it in high risk. Now we have to trace what access is actually needed for these users and revoke SAP_ALL.
I tried two options:
1. Used ST03G to find the tcodes being used by RFC users. However, this is not of much help.
2. Used the Security Audit Log (cumbersome to collect 2-3 months of data).
Is there any better and easier method to find what access is needed by an RFC?
If anyone has done this exercise, please help me out!
Regards
Deepa

Hi Deepa.
I would have attacked it with a reverse trace.
First of all, remove all authorisations from the user.
Then add object S_RFC to a role and assign it to the user:
Activity 16
RFC_TYPE FUGR and
RFC_NAME = ' '  (Make sure RFC_NAME is not *, otherwise you might open new vulnerabilities)
Now you can start the trace and execute the job that is to be done; then only add what is necessary for the program to run.
In many cases it is just an additional RFC_NAME to be added.
Regards
Fredrik
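Fredrik's reverse trace and Deepa's goal of replacing SAP_ALL with what is actually used both reduce to one bookkeeping step: collect the authorization-check values the RFC user's jobs really exercised and diff them against the role. The Python script below is an added illustration of that step, not SAP code and not code from either poster. It assumes a constructed, simplified trace record layout (user | object | field=value;... | return code) rather than the real ST01 file format, and the user names, function group names and role contents are made up for the example.

```python
"""Derive least-privilege S_RFC values from authorization-trace records.

Added illustration for the reverse-trace approach discussed above; this is not
SAP code and the record layout below is a constructed simplification (not the
real ST01 file format): user|object|field=value;...|return code.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample trace. RC 0 = check passed, RC 4 = failed on a field value.
# Both kinds matter: a failed check is a value the job tried to use and needs
# added (Fredrik's step), a passed check is a value already in use (Deepa's case).
SAMPLE_TRACE = """\
RFC_BATCH|S_RFC|ACTVT=16;RFC_TYPE=FUGR;RFC_NAME=SYST|0
RFC_BATCH|S_RFC|ACTVT=16;RFC_TYPE=FUGR;RFC_NAME=RFC1|0
RFC_BATCH|S_RFC|ACTVT=16;RFC_TYPE=FUGR;RFC_NAME=ZFI_POST|4
RFC_BATCH|S_RFC|ACTVT=16;RFC_TYPE=FUGR;RFC_NAME=ZFI_POST|4
RFC_BATCH|S_TABU_DIS|ACTVT=03;DICBERCLS=FC01|4
RFC_IDOC|S_RFC|ACTVT=16;RFC_TYPE=FUGR;RFC_NAME=EDIN|0
RFC_IDOC|S_RFC|ACTVT=16;RFC_TYPE=FUGR;RFC_NAME=ZIDOC_IN|0
"""

# Constructed current roles (what the users hold today). RFC_IDOC mirrors the
# SAP_ALL situation from the question: every S_RFC field is '*'.
CURRENT_ROLES = {
    "RFC_BATCH": {"S_RFC": {"ACTVT": {"16"}, "RFC_TYPE": {"FUGR"},
                            "RFC_NAME": {"SYST", "RFC1", "ZOLD"}}},
    "RFC_IDOC": {"S_RFC": {"ACTVT": {"*"}, "RFC_TYPE": {"*"}, "RFC_NAME": {"*"}}},
}


@dataclass
class TraceRecord:
    user: str
    obj: str            # authorization object, e.g. S_RFC
    fields: dict        # field -> value as presented to the check
    rc: int             # return code of the check, 0 = passed


def parse_trace(text: str) -> list[TraceRecord]:
    """Parse the constructed pipe-separated trace format into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, obj, field_part, rc = line.split("|")
        fields = dict(pair.split("=", 1) for pair in field_part.split(";") if pair)
        records.append(TraceRecord(user, obj, fields, int(rc)))
    return records


def required_values(records: list[TraceRecord]) -> dict:
    """user -> object -> field -> set of values observed, regardless of RC."""
    req = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for r in records:
        for fld, val in r.fields.items():
            req[r.user][r.obj][fld].add(val)
    return req


def covers(role_value: str, value: str) -> bool:
    """SAP-style value match: full '*', trailing-'*' prefix, or exact."""
    if role_value == "*":
        return True
    if role_value.endswith("*"):
        return value.startswith(role_value[:-1])
    return role_value == value


def plan_role_changes(required_for_user: dict, current_role: dict) -> dict:
    """Diff observed need against the role: values to add, wildcards to
    replace with the observed list, and explicit values never exercised."""
    to_add, wildcards, unused, replace_wildcards = [], [], [], {}
    for obj, fields in required_for_user.items():
        for fld, needed in fields.items():
            granted = current_role.get(obj, {}).get(fld, set())
            to_add += [(obj, fld, v) for v in sorted(needed)
                       if not any(covers(g, v) for g in granted)]
            for g in granted:
                if "*" in g:
                    wildcards.append((obj, fld, g))
                    replace_wildcards[(obj, fld)] = sorted(needed)
    for obj, fields in current_role.items():
        for fld, granted in fields.items():
            observed = required_for_user.get(obj, {}).get(fld, set())
            unused += [(obj, fld, g) for g in sorted(granted)
                       if "*" not in g and g not in observed]
    return {"to_add": to_add, "wildcards": wildcards,
            "replace_wildcards": replace_wildcards, "unused": unused}


def build_plans(trace: str = SAMPLE_TRACE, roles: dict = CURRENT_ROLES) -> dict:
    """Run the whole pipeline and return one change plan per traced user."""
    req = required_values(parse_trace(trace))
    return {user: plan_role_changes(req[user], roles.get(user, {})) for user in req}


if __name__ == "__main__":
    for user, plan in build_plans().items():
        print(user)
        for key, items in plan.items():
            print(f"  {key}: {items}")
```

With Fredrik's starting point (S_RFC granted with RFC_NAME blank) every real call shows up as a failed check, so the `to_add` list is exactly the set of function groups to put into RFC_NAME; with a SAP_ALL-style role, as for RFC_IDOC here, every check passes and `replace_wildcards` gives the explicit value list that can stand in for `*`. The `unused` list catches explicit values that were granted but never exercised during the trace window, which is the usual residue after an "add what fails" cycle.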

Similar Messages

  • How do we restrict the user access for a particular G/L account

    Dear Experts,
    At our customer site, we follow master / derived role concept for authorisations.
    We have a requirement to restrict users at G/L account authorisation level.
    I am aware that every G/L account has an authorisation group. But G/L account authorisation is a non-org value for which the present value is * for BRGRU, so we cannot restrict by user/org. At our customer site the authorisations are provided at master role level for a designation and the derived role is restricted for a plant, BA etc.
    Is there any user parameter level restriction which can handle this requirement, I mean a user parameter for a specific G/L account, as we do with the LIF PID to restrict vendor level access?
    Appreciate your suggestions ASAP.
    Best regards,
    M.Kumaran

    Depends.
    What are you trying to protect? GL account masterdata (FS00) or FI document creation for specific GL accounts?
    Without knowing more about the design principles behind your roles, your release or other restrictions, I would suggest:
    (1) grouping off the GL accounts you want to protect in authorization groups (maintained via FS00);
    (2) deactivating either object F_BKPF_BES (if you're trying to restrict FI document creation) or object F_SKA1_BES (if you're trying to restrict access to GL account masterdata) or both in the master/derived role;
    (3) create several separate roles that would contain only the aforementioned objects with access to specific GL account groups;
    (4) assign the roles from step 3 to users as required.
    Hope this helps.

  • Hyperion - Shared Services (Can I restrict a user based on a member?)

    In the Shared Services Management Console can I restrict a users access to only certain members in a dimension?
    Example: If someone is trying to retrieve data in excel from Hyperion can I restrict that users information to only their geographic market?

    To expand on what SeanV told you, Filters are not created in Shared Services, but in Essbase (EAS or MaxL). They are, however, applied in Shared Services.

  • Autologout of RFC users

    Dears,
    Like for the ABAP stack we have parameter rdisp/max_wprun_time for GUI users. Please suggest what parameter we can use for autologout of RFC users.
    Shivam

    Hi Shivam,
    Can you clarify some of my doubts?
    1) What exactly do you want: to log out the user session or to terminate the work process?
    2) Is the screen above that you sent related to a single user or to all RFC users?
    3) Why do you want to restrict RFC users for a particular time?
    4) Did you restart your application after adding the same?
    Answers:
    1) If you want to log out user sessions, just add parameter rdisp/gui_auto_logout.
    It will automatically log out idle sessions after the time you defined is exceeded. If you want to terminate the work process, just add rdisp/max_wprun_time; it will restart the work process after the max run time is exceeded (normally called a TIME_OUT error, for which we can get the dump in ST22).
    2) If it is showing all RFC users, how will this parameter terminate different users' sessions?
    If the above 4 sessions are for a single user, your parameter is not active. Just restart your application.
    Before restarting, save and activate the instance profile.
    3) I am allowing your input
    4) All these instance-related parameters will get active only after a restart of the application (INSTANCE).
    Regards
    Nick Loy

  • How we can restrict remote user to access same URL?

    HI,
    We have two remote sites A and B.
    Site-A    ---  Users accessing application by using this URL: http://frsys.abc.com.pk:7777/forms/frmservlet?config=sales
    Site-B    ---  Users accessing application by using this URL: http://frsys.abc.com.pk:7777/forms/frmservlet?config=market
    We want to restrict users A and B from accessing each other's login pages.
    Regards.

    Hi,
    I'm not sure how the task would be achieved through OAS.
    But with the help of a developer and DBA, we can restrict users A and B from accessing each other's login pages.
    1) Create 2 tables in the DB, one table which contains only users of A and another only for users of B
    2) With the help of developers, create an initial login page (Username/Password) for both applications, i.e. Site A and Site B
    3) At the login page, validate against the respective table created, i.e. check whether the user is from table A or table B
    Regards,
    Fabian

  • Restrict User Access to Planning Books- Creation of Roles

    Hi All
    I want to restrict the users to access/see only a limited number of planning books in the SDP94 menu.
    For this, I tried creating a role and assigned authorization C_APO_PB with the required planning book values.
    However, I am not sure how to create the role properly. In the change role screen, the "Menu" and the "Workflow" tabs are red, while the authorization tab is green.
    Do I need to do any activity in the Menu and Workflow tabs?
    Please guide.
    Any help on this is highly appreciated.
    Thanks
    Vijay

    Moderator message - Cross post locked
    Rob

  • Restricting (Limiting) SQ01 access for a set of users

    We are attempting to restrict a user so that they can run specific queries but not change them. We do not want to go into each query within a user group and lock the individual queries.
    We want to make this more global, in that all user groups to which a person is assigned can be accessed as run only.
    We want to ensure that individuals also can NOT create queries. Display and Execute only.
    Thanks,
    Shyam

    This is done using the authorization concept. Please create composite and single roles with all the required tcode access, applicable for a specific Employee Group / Personnel Area / Personnel Subarea. The tcode used to create roles is PFCG.
    Below is the set of standard SAP roles and authorization objects.
    AUTHORIZATION OBJECTS:
    P_ORGIN
    P_ORGXX
    P_PERNR
    PLOG (For OM)
    S_PROGRAM
    S_TCODE
    P_TCODE
    S_QUERY
    P_PCLX
    B_LSMW
    S_BDC_MONI
    STANDARD SAP ROLES:
    SAP_HR_OS_HR-ADMINISTRATOR
    SAP_HR_OS_HR-MANAGER
    SAP_HR_OS_ORG-MGT-MANAGER
    SAP_HR_OS-MANAGER
    SAP_HR_OS-SPECIALIST
    SAP_HR_PA_HR-MANAGER
    SAP_HR_PA_HR-ADMINISTRATOR
    SAP_HR_REPORTING

  • Restricting Users access to BW Query based on Criteria

    Hello,
    I haven't found much help with the security implementation documents. I have been given an objective to create profiles/roles which would be used only for reporting on 1 single cube by users from multiple departments.
    Create profile/roles and provide access to users for query ZREP_C0_1.
    A user belonging to comp_code1 & region4 & plant6 should be able to view only his data and none other, even if the user wishes to see Compcode2 & region3 & plant4.
    (Reporting with restrictions over the user authorizations on Region/Compcode)
    Creating the role has been easy, as it was just to provide access to the infoarea, cubes, infoobjects, query and authorization objects to execute the query. However, I am stuck on how to proceed further on the above scenario regarding restricting the users.
    Your help is much appreciated.
    Regards
    Raja

    Hi Pratheesh,
    If you are going to use client authentication in SSL, and client authentication fails since not all users will have the client cert provided by you, the SSL handshake will not complete and hence no access. But this is a performance-impacting option. Restricting access on the FW would be a good option.
    During the flow of a normal SSL handshake, the server sends its certificate to the client. The client verifies the identity of the server through the certificate. However, the client does not send any identification of its own to the server. When you enable the client authentication feature on the ACE, the ACE requires that the client send a certificate to the server. The server then verifies the following information on the certificate:
    The CA has not revoked the certificate. The certificate signature is valid. The validity period of the certificate is still in effect. A recognized CA issued the certificate.
    You can specify the certificate authentication group that the ACE uses during the SSL handshake and enable client authentication on this SSL proxy service by using the authgroup command in SSL proxy configuration mode. The ACE includes the certificates configured in the group with the certificate that you specified for the SSL proxy service.
    Regards,
    Kanwal

  • How to restrict user access in Oracle Application Server 10g (9.0.4)?

    Can anybody please let me know how to restrict user access in 10g AS? To be specific, how to allow http requests from specific IPs only?

    Hi,
    You have to edit httpd.conf and modify access rights for each protected directory,
    e.g.
    <Directory /var/www/sub/payroll/>
    Order allow,deny
    Allow from 192.168.1.0/24
    </Directory>
    then you have to restart Oracle HTTP Server.
    jm--

  • Restricting the user to access only one view in or database

    A user wants to create a database link , so that he can view one of our views. We want to restrict permission, so that he can access only that view, and not any of our tables. What is the best way to proceed?
    Thanks in advance,
    Gayatri

    Pl do not post duplicate threads - Restricting the user to access only one view in or database

  • Restriction of user to access dispute and Credit case as per organizational area

    Hi Team,
    The requirement is to restrict users to dispute and credit cases as per organizational area.
    The company has different zones, and the business wants that the users of one zone should not access the dispute and credit cases, along with the attachments related to those cases, of another zone.
    Now the company has one RMS ID for Dispute and one RMS ID for Credit case.
    So I need help on how we should proceed to restrict the users of different zones.
    Thanks in advance .
    Manoj

    Hi Mark,
    It is not company code. It is basically region by geography, like Latin America, North America.
    Under one region the business has several company codes.
    The business wants to restrict the user to use credit case and dispute case along with attachments, limited by region.
    Thanx,
    Manoj

  • How to restrict the Users to access other application URL on same machine?

    We have one Oracle 10g AS server, hostname "abc"; this server has two services named "DSS" and "RBL".
    Our requirement is how we can restrict user access to the URL "http://abc.xyz.com:7777/forms/frmservlet?config=rbl", because both DSS and RBL have the same URL.
    Can we change port 7777 for the RBL service?
    http://abc.xyz.com:7777/forms/frmservlet?config=dss
    [DSS]
    userid=schema_1/abc123@orcl
    form=DSS_MAIN_MENU.fmx
    width=200%
    height=200%
    separateFrame=true
    lookAndFeel=oracle
    colorScheme=teal
    splashScreen=no
    background=grey
    http://abc.xyz.com:7777/forms/frmservlet?config=rbl
    [RBL]
    userid=schema_1/abc123@orcl
    form=MAIN_MENU.fmx
    width=200%
    height=200%
    separateFrame=true
    lookAndFeel=oracle
    colorScheme=teal
    splashScreen=no
    background=grey
    --------------------------------------------------------------------------

    Anyone can answer.

  • HT201304 Is there a way to restrict user access to find my ipad with out restricting the mail app?

    I am working on setting up multiple iPad 2 tablets with iOS 5.1.1 and I need to restrict access to turning off Find My iPad. The only way I see to do this is to turn on Restrictions and don't allow changes to accounts. The issue I have then is that it also restricts the Mail app setup. Is there a way to restrict one and not the other? We use Microsoft Exchange mail and I would be willing to use another mail app if anyone can suggest one that works as an alternative?
    Thank you.

    I don't know of any reliable tracking app, but perhaps someone else here can suggest one I'm not aware of. Any could be defeated by just restoring the iPad, though, so about all you could hope to do would be make things a bit more difficult to turn off. For a third-party app, you'd have to restrict the user's ability to uninstall apps, something which might be equally problematic for you.
    Regards.

  • Restrict the User name / Password Auto complete option for users accessing

    Hi All,
    Does anyone know how to restrict the User name / Password auto-complete option for users accessing the Portal from within and outside of the Portal?
    Regards
    Rama

    Are you referring to the browser functionality of remembering usernames and passwords?
    Thanks,
    GLM

  • How to select which RFC USERS have been accessed my host ?

    Hi, guru
    How to select which RFC users have accessed my host?
    Or how to record the RFC users' trace?
    Because the auditor wants to know it.
    Best regards,
    Michael

    How to select which RFC users have accessed my host?
    Did you check ST03N -> User profile?
    Or how to record the RFC users' trace?
    Check ST01 for the system trace.
