RFC Users  & Authorisations

In the profiles of the RFC users it was noticed that SAP_ALL was present. In order to remove this:
1. It is needed to know what other authorisations need to be assigned.
2. This is the bottleneck. How does one understand which are the activities that are being performed?
Thanks

george G wrote:
> Now here we trip on a very important question point... How does the unknown body of users get access to the RFC id / pwd?
Chances are good that they do not need the id / pwd. They only need the name of the RFC destination (for which the id / pwd is saved in SM59, already) and the ability to run "the" or "an" interface (or generate a dialog session).
Another option is not to save the logon data in the destination, and request that the current user running the interface in the source enter their own (valid) id / pwd for the target.
>
> Unless it's compromised personally?
Not necessarily necessary, but that does often add a new dimension to the risk, as the folks have a wider choice of sources from which they can "run an interface" using the id, and a wider group of folks (who talk to each other...).
>
> What specifically are the potential impacts the compromised id can have?
You mentioned before that it has SAP_ALL?? Go figure what that means...
>
> On the sidetrack, the auditors are moved with RFC users!! Why would that be? When I put the question to my auditor, the answer was "they are not Dialogue users!"
See above (SAP_ALL). The user could change itself to a dialog user... I can think of approximately 300 thousand reasons (just off the top of my head) why your auditors are <removed_by_moderator>
Most likely they have, much like the interface user owner you described before, been told this and have not questioned it. Or the thought never crossed their minds that the id would not be required at all if it cannot "logon"...

Similar Messages

  • Authorisations for RFC User

    Hello,
    Does anyone have an exhaustive list of the authorisations that should be granted to RFC users in GTS and for those in the Feeder Systems?
    Thx,
    Marc

    Hi Marc
    I haven't reached this stage yet, as you know, from the question you have answered for me.
    But I believe it is authorization to the object s_rfcacl. Can you check if it works?
    (In a similar situation we tried to give the user access to additional RFC authorizations or SAP_ALL and then once we found the rfc working... reduced the authorizations given to that user)
    Is there any specific error that you get when you run the RFC authorization test ?

  • Authorization Required for RFC user  in R/3-APO system.

    Could you please help regarding one authorization issue. I want to know the authorization required for one RFC user. This RFC user is used for the RFC connection of SAP R/3 - SAP APO system. The user type is dialog and the SAP_ALL profile has been given to this user id. Now I have to remove SAP_ALL from this user id in the R/3 and APO systems and provide the required authorization in the R/3 and APO systems.
    Regard
    Auroshikha

    The RFC authorisation depends completely on what the user is doing (ALEREMOTE?).  We can't tell you what RFC auths your connection requires. 
    There is a guide to doing this here: https://wiki.sdn.sap.com/wiki/display/Security/BestPractice-HowtoanalyzeandsecureRFC+connections

  • RFC user in CPS

    HI All,
    I am getting the following error when trying to start one of the process servers in CPS:
    Service "SAPR3Service" on process server "lzuce0dx_SE1_63_ProcessServer" stopped unexpectedly.
    Details:
    Exception: 126: BAPI exception while calling BAPI_XMI_LOGON: E XM 026 You have no authorization to log on to interface XBP [XBP, , , ]
    My Question is:
    I have entered my SAP login ID in the XBP tab of the SAP systems under "Environment". Does this ID not have the privilege to enter the XBP?
    Or does the RFC user not have the authorisation to enter the XBP?
    Please advise.
    Regards
    Kiran

    Hi,
    If I read your description correctly, you have entered your SAP login credentials on the XBP tab.
    That means, that your credentials are used for the RFC connection.
    So your user does not have sufficient privileges to connect (via RFC) to the XBP interface.
    In the documentation there is a list of privileges/profiles required for the CPS RFC user.
    Please verify if your user has these privileges, or even better: create a separate RFC user for CPS.
    Regards,
    Anton.

  • RFC User Authorizations

    I have created an RFC user in the source system with the profile S_BI-WX_RFC and an RFC user in the BI system with the authorisation S_BI-WHM_RFC. Initially I also gave them SAP_ALL & SAP_NEW. However, I do not really want users to have the level of access SAP_ALL & SAP_NEW gives, so I have removed these profiles. However, when I now try and run an infopackage it doesn't seem to extract any data. I can't seem to see any valid error messages to see what's missing. Nothing of any use in the infopackage or SU53. Anybody any ideas what might be missing, or another profile/role that may need adding?

    Hi,
    first check the RFC connection between R/3 and BW:
    in the monitor screen go to Environment > Check
    Cheers,
    Swapna.G

  • RFC USER USER TYPE- SYSTEM/SERVICE?

    Hi,
    We are using CTP method of GATP.
    Currently our user type for RFCUSER (user mentioned in the RFC destination) is service. It allows dialog mode; this is a security concern for us as RFC USER has all authorisations.
    When we changed it to system user it is giving error while triggering GATP. Also there is dump in SCM system with message
    "DYNPRO_SEND_IN_BACKGROUND"
    "/SAPAPO/SAPLATP4" or " "
    "SYSTEM-EXIT".
    Please suggest a solution.
    Regards,
    Santosh

    Hi,
    This info I took from the help library.
    If you want the ATP check to be performed in SAP APO but triggered from SAP R/3, make sure when
    defining the RFC connection of the SAP APO system in SAP R/3 that you use a user ID for the SAP APO
    system that was created there as a dialog user.
    Thanks,
    nandha

  • Restricting RFC User access

    We have some RFC users with SAP_ALL access.
    Auditors placed it in high risk. Now we have to trace what access is actually needed for these users and revoke SAP_ALL.
    I tried two options:
    1. Used ST03G to find the tcodes being used by RFC users. However, this is not of much help.
    2. Use the Security Audit logs (cumbersome to collect 2-3 months of data).
    Is there any better and easier method to find what access is needed by an RFC?
    If anyone has done this exercise, please help me out!
    Regards
    Deepa

    Hi Deepa.
    I would have attacked it with a reverse trace.
    First of all, remove all authorisations from the user.
    Then add object S_RFC to a role and assign it to the user:
    Activity 16
    RFC_TYPE = FUGR and
    RFC_NAME = ' '  (Make sure RFC_NAME is not * otherwise you might open new vulnerabilities)
    Now you can start the trace and execute the job that is to be done; now only add what is necessary for the program to run.
    In many cases it is just an additional RFC_NAME to be added.
    Regards
    Fredrik

  • Invalid_jobdata when submitting job with rfc user

    Hi,
    I've created a function module in the ERP system to remotely trigger a report program from a BW process chain.
    When running in the foreground it works fine, but the runtime is so long that I want it as a background job.
    So I call JOB_OPEN, JOB_SUBMIT, JOB_CLOSE in the function module. When I test the function module in the ERP system with my dev user it opens a new job, adds a step and releases correctly. It also runs fine if I intercept it in the debugger and change sy-uname to ALEREMOTE (the standard RFC user).
    It does not work when it's actually called via RFC from the BW system. The job is opened, but JOB_SUBMIT throws INVALID_JOBDATA.
    Could this have anything to do with RFC or the executing user (which is of type SYSTEM)?

    I've caught the exception so there is no dump, but I'm unable to determine why the function module JOB_SUBMIT gives INVALID_JOBDATA only when the executing user is the ALEREMOTE user and only when the call (the call to my module) originated from a remote system (the module JOB_SUBMIT is called locally through my module). Authorization for the user is SAP_ALL, but I was wondering whether the user type SYSTEM could be a problem?

  • User Authorisations in Dialog Programming.

    Hi Friends,
    I have a small requirement: I want to create user authorisations in dialog programming.
    Actually the client requirement is that he wants to enter absence details of each and every branch.
    For that I have created a custom table and I have also developed a dialog program in order to update the details,
    and to retrieve all the data I have created a report program also.
    Now the client requirement is that he wants user authorisations while updating the data through dialog programming, that means if a user logs in at a particular branch he should enter the absence details pertaining to that branch only; when he tries to enter the details of another employee pertaining to another branch an error should be raised.
    Actually at the client site they are using the authorisation object 'Z_WERKS'. The Basis person has created this and provided it for me.
    Actually I have created an authority check in the module pool program. Here I am attaching my prog.
    Please provide me the sample code if at all available.
    *& Include ZEMPTOP                                           Module pool
    PROGRAM  ZEMP.
    TABLES : ZABS, PA0001.
    DATA : WA_PA0001 LIKE PA0001,
           V_ANS.
    DATA: BEGIN OF Z_WERKS OCCURS 0,
            PERSA LIKE T500P-PERSA,
            NAME1 LIKE T500P-NAME1,
          END OF Z_WERKS.
    *&  Include           ZEMPI01
    *&      Module  USER_COMMAND_0100  INPUT
    *       text
    MODULE USER_COMMAND_0100 INPUT.
      CASE SY-UCOMM.
        WHEN 'DISP'.
          SELECT SINGLE * FROM ZABS WHERE PERNR = ZABS-PERNR.
          IF SY-DBCNT <> 0.
    *       MESSAGE I000(Z00) WITH 'Details of' ZABS-PERNR.
          ELSE.
            MESSAGE I000(Z00) WITH 'No Details Available to Display'.
          ENDIF.
        WHEN 'EXIT'.
          LEAVE PROGRAM.
        WHEN 'BACK' OR 'CANCEL'.
          LEAVE TO SCREEN 0.
        WHEN 'CLS'.
          CLEAR ZABS.
        WHEN 'INS'.
    *     Absence days have to be derived before the record is written
          ZABS-ABWTG = ZABS-ENDDA - ZABS-BEGDA + 1.
          INSERT ZABS.
          IF SY-DBCNT <> 0.
            MESSAGE I000(Z00) WITH 'Personnel No' ZABS-PERNR
                                   'inserted successfully'.
          ENDIF.
          CLEAR ZABS.
        WHEN 'MOD'.
          ZABS-ABWTG = ZABS-ENDDA - ZABS-BEGDA + 1.
          UPDATE ZABS.
          IF SY-DBCNT <> 0.
            MESSAGE I000(Z00) WITH 'Personnel No' ZABS-PERNR
                                   'Modified Successfully'.
          ENDIF.
          CLEAR ZABS.
    *   Delete branch not yet activated (kept commented out as a whole)
    *   WHEN 'DEL'.
    *     CALL FUNCTION 'POPUP_TO_CONFIRM_LOSS_OF_DATA'
    *       EXPORTING
    *         TEXTLINE1     = 'ARE YOU SURE'
    *         TEXTLINE2     = 'YOU WANT TO DELETE'
    *         TITEL         = 'CONFIRMATION'
    *         START_COLUMN  = 25
    *         START_ROW     = 6
    *         DEFAULTOPTION = 'N'
    *       IMPORTING
    *         ANSWER        = V_ANS.
    *     IF V_ANS = 'J'.
    *       DELETE ZABS.
    *       IF SY-DBCNT <> 0.
    *         MESSAGE I000(Z00) WITH 'Personnel No' ZABS-PERNR
    *                                'Deleted Successfully'.
    *       ELSE.
    *         MESSAGE I000(Z00) WITH 'No Record to Delete'.
    *       ENDIF.
    *     ENDIF.
      ENDCASE.
    ENDMODULE.                 " USER_COMMAND_0100  INPUT
    *&      Module  GET_REC  INPUT
    *       text
    MODULE GET_REC INPUT.
      SELECT SINGLE * FROM PA0001 INTO WA_PA0001
             WHERE PERNR = ZABS-PERNR.
      MOVE: WA_PA0001-PERNR TO ZABS-PERNR,
            WA_PA0001-ENAME TO ZABS-ENAME,
            WA_PA0001-GSBER TO ZABS-GSBER,
            WA_PA0001-WERKS TO ZABS-WERKS.
      ZABS-ABWTG = ZABS-ENDDA - ZABS-BEGDA + 1.
    ENDMODULE.                 " GET_REC  INPUT
    *&      Module  CHECK_AUTH_WERKS  INPUT
    *       text
    MODULE CHECK_AUTH_WERKS INPUT.
    * Z_WERKS-PERSA is never filled (the SELECT below stayed commented out),
    * so the check uses the personnel area read into ZABS-WERKS by GET_REC
    *  SELECT PERSA INTO TABLE Z_WERKS FROM T500P
    *         WHERE PERSA = ZABS-WERKS.
      AUTHORITY-CHECK OBJECT 'Z_WERKS'
        ID 'PERSA' FIELD ZABS-WERKS.
    * sy-subrc is not evaluated here yet; that is what the question is about
    ENDMODULE.                 " CHECK_AUTH_WERKS  INPUT

    You need to test sy-subrc after the authority check; that will indicate whether the user has the authorisation or not. You also often include the activity being tested, e.g. generally 03 = Display, 02 = Update etc.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
      ID 'ACTVT'    FIELD '03'
      ID 'CUSTTYPE' FIELD 'B'.
    IF NOT sy-subrc IS INITIAL.
      MESSAGE E...   "put your exception here...
    ENDIF.
    see [Programming Authorization Checks  |http://help.sap.com/saphelp_nw04/helpdata/en/52/6712ac439b11d1896f0000e8322d00/content.htm] for more info.
    Jonathan

  • Password inconsistency issue with RFC users in ECC 6.0 System after upgrade

    Hi,
    We have upgraded the system from 4.7 to ECC 6.0, but are facing the password inconsistency problem for RFC users. We have set the parameters "login/min_password_lng" as "8" and "login/password_downwards_compatibility" as "3", and the RFC user type is "system". Could you please suggest how to resolve the password inconsistency issue.

    Hi Chandan,
    You need to run the txn. SECSTORE and there it will show you all the RFCs that have inconsistent passwords. Please maintain the correct passwords there.
    In case the existing passwords are no longer acceptable due to new security policies as per the new SAP version, you will have to change the password from SU01.
    Regards,
    Shitij

  • RFC function module always creating BPs with the same user name (RFC user )

    Hi All
    I posted the below question in a different area before. But thought it would be more suitable here.
    Moderators - Please let me know if am doing any mistake.
    Question:
    I have a RFC function module in CRM that creates Business Partners in ECC (XD01 tcode).
    I am using a dialog RFC destination configured in SM59 in CRM.
    But my RFC function module in CRM is always creating the Business Partners in ECC with the RFC user id (the user that we maintain for the RFC destination in SM59).
    This is a problem for the users because they are not able to track the actual person responsible for creating these Business Partners.
    Can somebody please let me know how to solve this problem?
    Thanks
    Raj

    Hi.
    You may use the trust relationship between CRM and R/3, and in SM59, instead of setting a specific username, set the flag "current user".
    With this flag, the system will access the R/3 system with the user logged in to the CRM system. The trust relationship must be created between CRM and R/3 so that the system doesn't ask for a password to log in to R/3.
    If you need more details please reply.
    Kind regards,
    Susana Messias

  • How to build in user authorisation in sender soap adapter

    HI ,
    How can I build the user authorisation in the sender SOAP adapter, either in a URL or somewhere on the server?
    If anyone has an idea, do let me know.
    Thanks
    Nikhil

    Nikhil,
    <b>Sender SOAP adapter</b> is used, for example, in the case where you need some data from the DB, say of a vendor. You give the name of the vendor on the site, and suppose you get the contact address of the vendor from the DB.
    The sender SOAP adapter sends the SOAP request from the client to XI and from XI the request is passed to the DB.
    With XI, a WSDL file is generated and the SOAP request is generated for the WSDL file. When the WSDL is deployed on the client application, the authorization is handled.
    For the receiver SOAP adapter, it is the other way round: you are getting the data from the DB first and so the authorizations are held in XI.
    -Naveen.

  • User authorisation check in ABAP-HR program

    Hi,
    Can anyone please help me on the following query ?
    I need to check user authorisation in an ABAP report at Object level, filter only relevant records based on the user's authorisation and display appropriate messages.
    The above mentioned report is purely developed by us and is not a copy of any standard report. Hence, kindly help me with your suggestions and opinions.
    Thanks and Regards,
    Manas Menon

    Create an authorisation object (SU21)
    Put an authorisation check for this object in your report (AUTHORITY-CHECK)
    Create a role that contains this object (PFCG)
    Assign this role to all the users who require access to the report (SU01).
    <REMOVED BY MODERATOR>
    Edited by: Alvaro Tejada Galindo on Feb 27, 2008 2:07 PM
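    The two answers above (test sy-subrc after AUTHORITY-CHECK, and check an object in a report to filter records) combined into one runnable piece, as an added example that is not code from either post. It assumes the thread's custom object Z_WERKS has fields PERSA and ACTVT (created in SU21), that the custom table ZABS carries the personnel area in WERKS, and message class Z00 from the earlier post.

```abap
REPORT zabs_auth_demo.

" Added example; assumptions: object Z_WERKS (fields PERSA, ACTVT),
" table ZABS with field WERKS, message class Z00 as used in the thread.
TABLES zabs.   " screen work area for the PAI module below
TYPES tt_abs TYPE STANDARD TABLE OF zabs WITH DEFAULT KEY.

CLASS lcl_werks_auth DEFINITION.
  PUBLIC SECTION.
    CONSTANTS: c_display TYPE activ_auth VALUE '03',
               c_change  TYPE activ_auth VALUE '02'.
    " TRUE only when sy-subrc = 0 after the AUTHORITY-CHECK.
    CLASS-METHODS is_allowed
      IMPORTING iv_persa          TYPE persa
                iv_actvt          TYPE activ_auth
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
    " Removes rows whose personnel area the user may not display.
    CLASS-METHODS filter_displayable
      CHANGING ct_abs TYPE tt_abs.
ENDCLASS.

CLASS lcl_werks_auth IMPLEMENTATION.
  METHOD is_allowed.
    AUTHORITY-CHECK OBJECT 'Z_WERKS'
      ID 'PERSA' FIELD iv_persa
      ID 'ACTVT' FIELD iv_actvt.
    " AUTHORITY-CHECK only sets sy-subrc; without this test it is a no-op.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ELSE.
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.

  METHOD filter_displayable.
    FIELD-SYMBOLS <ls_abs> TYPE zabs.
    LOOP AT ct_abs ASSIGNING <ls_abs>.
      IF is_allowed( iv_persa = <ls_abs>-werks
                     iv_actvt = c_display ) = abap_false.
        DELETE ct_abs.   " drops the current row of the loop
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

" Dialog (PAI) use: reject the update instead of silently continuing.
MODULE check_auth_werks INPUT.
  IF lcl_werks_auth=>is_allowed( iv_persa = zabs-werks
                                 iv_actvt = lcl_werks_auth=>c_change ) = abap_false.
    MESSAGE e000(z00) WITH 'No authorization for personnel area' zabs-werks.
  ENDIF.
ENDMODULE.

" Report use: select, keep only authorised rows, tell the user if none remain.
START-OF-SELECTION.
  DATA lt_abs TYPE tt_abs.
  SELECT * FROM zabs INTO TABLE lt_abs.
  lcl_werks_auth=>filter_displayable( CHANGING ct_abs = lt_abs ).
  IF lt_abs IS INITIAL.
    MESSAGE i000(z00) WITH 'No records you are authorised to display'.
  ENDIF.
```

    Checking once per distinct WERKS value instead of per row is a cheap refinement when ZABS is large, since the result of the check does not change within a personnel area.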

  • AUTO PO print out creates spool with RFC user.

    We have a classic scenario where the AUTO SRM PO print-out spool is created with the RFC user. The PO data passed to R/3 is correct, with the correct user (created_by). The output is created under the name of the RFC user, not the user who created the SRM SC & PO. Will BADI BBP_CREATE_PO_BACK help?

    Hi Vishal,
    Welcome to SDN.
    Do they use custom PO SAPScript/Smartform?
    If they do, you may want to check the print program (custom one) and the custom PO form. Perhaps there is some logic to set/display with the european decimal notation.
    If they don't, you can also check the print program setting and do debugging (if necessary) to find out the logic to assign european decimal notation. 
    Hope this will help.
    Regards,
    Ferry Lianto
    Please reward point if helpful.

  • RFC User Type

    Hi
    Calling gurus.
    When generating RFC users for the READ and TMW RFCs in Solution Manager, users get generated, and I know the user type is Communication user. However, should you be forced to create your own users to use within this RFC, would it be best to stick to the communication user type, or could a system user type be used?
    It is my understanding that logon via the READ RFC should not be allowed as it could be a security risk.
    If I am on the wrong track please enlighten me or point me towards a conclusive best practice regarding this.
    Thanks in advance.

    Hello again Paul,
    1.-
    In the same 2008 manual "Activating the SAP EarlyWatch Alert on Solution Manager 7.0" you can see on page 11 this:
    ...A working dialog connection such as *TRUSTED or LOGIN. Once the *BACK destination is created, these can be deleted again...
    These prerequisites are needed for the creation of the "_BACK" RFC on the remote system, but for the remote call of SDCCN the prerequisites on page 15 are not enough!!!
    If you want to call SDCCN remotely from Solution Manager you need a dialog trusted connection.
    I have just tested it on our Solution Manager 5 minutes ago; you are invited to our Solution Manager if you want to check it.
    2.-
    What about this:
    My question is, will SAP take these users into account for the "SAP Security user audit"?
    Regards:
    Luis
