S_RFC Function Groups
Hello experts:
I am currently using S_RFC with full authorization ( * ) for RFC users in satellite systems. Can anyone clarify what this implies in terms of security? Can I restrict the "Name of RFC to be protected" field only to the function groups required for each user?
Particularly, I am using an RFC connection for the test workbench through SolMan using trx STWB_WORK. Do the function groups required depend on the transaction or program I am testing through my assigned test package? If so, how can I find out which function groups a particular transaction or program requires? If not, does it depend on the program or transaction from which I am making the RFC connection, in this case STWB_WORK?
Can someone shed some light on how to determine the strictly necessary function groups to be assigned in S_RFC?
Thank you all,
Henry
Hello Henry,
While we wait for somebody more knowledgeable than myself to answer, some comments from me:
My understanding is that this tool uses eCATT (to retrieve the results of test cases) from remote systems.
Always useful => Activate the security audit log (transaction SM19) using the dynamic tab to log all successful RFC calls to find out which calls are made in those systems, and in your SolMan.
Also take a look at the function groups of transaction SECATT in transaction SU24 which might have a "Proposal" (previously "Check/Maintain" value), as they may appear in the audit log in your remote systems... (I am not sure what the default values are).
There is also a SAP note "Minimum authorizations for Workplace users" (Note 215927) which might be useful for you.
I also think the access required (not only S_RFC) will be dependent on your test cases (begging the question: How can SAP deliver a correct default or role...). You can also mitigate this risk by not saving the logon data permanently in the connections...
Of course, the application authorizations (e.g. S_DEVELOP, S_USER_GRP, and many others...) are also important for security, and the user type for the connection (type SYSTEM is the recommended type, if the logon data is going to be saved) as well. You might also want the user to logon when the connection is opened, if they are running the test themselves..?
Another aspect is how your target system is set up. If an invoked RFC call leaves its RFC group (and is able to!), do you want to be able to determine which RFC_NAME groups it can call? Or do you want to prevent it using client settings (see the CATT / eCATT restrictions in SCC4 for your release) and system settings for the RFC check?
Some alternate strategies are to accept the risk, use dedicated user IDs for the test cases and secure the access to this transaction (not only limited to STWB_WORK) in the source system (your SolMan). Though some security folks I know prefer securing the target, as a general security principle, you can make a "quick-win" by securing your SolMan security...
Tricky topic. Good question!
Cheers,
Julius
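The audit-log approach suggested in the reply above can be turned into a per-user S_RFC proposal. The following is an added example, not part of the original posts: the pipe-delimited export layout, the user names and the Z* function module and group names are constructed, and the AUK/AUL message IDs and message wording are assumptions about how the audit log reports RFC calls.

```python
import re
from collections import defaultdict

# Constructed export: date|time|client|user|message ID|text. The layout, user
# names and Z* function names are assumptions made for this example.
SAMPLE_LOG = """\
20240105|101501|100|RFC_TEST_USR|AUK|Successful RFC Call Z_DEMO_RUN_TESTCASE (Function Group = ZDEMO_TEST)
20240105|101502|100|RFC_TEST_USR|AUK|Successful RFC Call Z_DEMO_GET_RESULT (Function Group = ZDEMO_TEST)
20240105|101507|100|RFC_TEST_USR|AUK|Successful RFC Call Z_DEMO_READ_LOG (Function Group = ZDEMO_LOG)
20240105|101511|100|RFC_TEST_USR|AUL|Failed RFC Call Z_DEMO_CHANGE_USER (Function Group = ZDEMO_ADMIN)
20240105|101520|100|RFC_OTHER_USR|AUK|Successful RFC Call Z_DEMO_READ_LOG (Function Group = ZDEMO_LOG)
20240105|101530|100|RFC_TEST_USR|AU1|Logon successful (type=R)
this line is truncated and must be skipped
"""

RFC_CALL = re.compile(
    r"^(Successful|Failed) RFC Call (\S+) \(Function Group = (\S+)\)$")

def observed_rfc_calls(log_text):
    """Return {user: {"Successful": {group: {modules}}, "Failed": {...}}}."""
    seen = defaultdict(lambda: {"Successful": defaultdict(set),
                                "Failed": defaultdict(set)})
    for line in log_text.splitlines():
        fields = line.split("|", 5)
        if len(fields) != 6:
            continue                      # malformed or truncated line
        user, text = fields[3], fields[5].strip()
        m = RFC_CALL.match(text)
        if m:                             # ignore non-RFC audit events
            outcome, module, group = m.groups()
            seen[user][outcome][group].add(module)
    return seen

def s_rfc_proposal(calls_for_user):
    """Build S_RFC field values from successful calls only.

    Failed calls are listed for manual review instead of being granted:
    a denied call may be exactly what the restriction should keep blocking.
    """
    return {
        "RFC_TYPE": "FUGR",
        "RFC_NAME": sorted(calls_for_user["Successful"]),
        "ACTVT": "16",
        "REVIEW_FAILED": sorted(calls_for_user["Failed"]),
    }

if __name__ == "__main__":
    for user, calls in sorted(observed_rfc_calls(SAMPLE_LOG).items()):
        print(user, s_rfc_proposal(calls))
```

The proposal is only as complete as the test run that produced the log, so the logging period has to cover every test case the RFC user is meant to execute.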
Similar Messages
-
How to add a function-group to authorization object S_RFC ?
I have implemented a function group, that is to be called from "the outside" via RFC-calls.
Have been told that this func.group has to be added to object S_RFC, and assigned to the user(s) that are going to use this call.
Where, in the SAP-system, do we maintain these connections ?
(I'm new to the SAP-world, and hope someone will give me some help...
Hi
I believe you should insert the authority-check in the fms of your function group:
AUTHORITY-CHECK OBJECT 'S_RFC'
  ID 'RFC_TYPE' FIELD <value>
  ID 'RFC_NAME' FIELD <value>
  ID 'ACTVT' FIELD <value>.
This object has to be assigned to the profile of all users who'll use those fms.
You can manage the profile by trx PFCG.
Max
-
How to add function group to the authorization object S_RFC ?
Hi All,
Can you please tell me how to add the function group FG_DIAGLS_DATA_ENRICHMENT to the authorization object S_RFC?
In solman_setup under basis configuration, when I execute the step "SetupDPC/DCC Web Service URL" it fails because of the following error, which I found in the agent log
"java.rmi.RemoteException:RfcExecutionException; nested exception is:
com.sap.sup.admin.abap.rfc.exception.RfcExecutionException: An
exceptionoccured during the execution of the function
'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
com.sap.sup.admin.abap.rfc.exception.RfcExecutionException:An exception
occured during the execution of the function
'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
com.sap.mw.jco.JCO$Exception:No RFC authorization for function module
FM_DIAGLS_PUSH_PHYSICAL_HOST. <Mid"
Thanks,
Satheesh E
Hi,
Please follow below steps:
1) Go to SE01
2) Click on create New workbench request and give desc once popup appears, Click Ok
3) Now open the transport in edit mode
4) Add
Program ID - R3TR
Object Type - FUGR
Object name - Name of the Function group
>note that if you transport Function group all the latest Function modules in function group along
>with screens will be included in the transport.
Regards
Shital
-
Dangers for full S_RFC authorization - for all function groups
Hi,
I have recently received a stern warning about all the bad things that can happen if you give users full authorization for S_RFC. This allows the user to use all function modules that use RFC (remote function calls).
As all our standard reporting users need at least some RFC function modules, I simply awarded them all of them. Tracing this (running, changing, creating, deleting queries, planning, consolidation) in Excel and Web would have been too tedious.
Apparently, full authorization together with the table browser transaction (SE16) would allow a user to read all available data!?
The same result is said to be possible if you create some special excel macros which would in turn call an RFC function module.
Is this true?
How could it be done?
Has anybody a complete list of all the RFC function modules needed for reporting and planning in SAP BI?
Any advice on these issues will be very much appreciated.
Martin
Hi Martin,
I am not sure if my answer will help you or not. But if you are talking abt the S_RFC authorizations needed for a reporting user in BI 7, here it is..
Authorization Check for RFC Access S_RFC
RFC authorization for function group:
RFC1
RFCH
RRMX
RRXWS
RRY1
RSAH
RSBOLAP_BICS
RSBOLAP_BICS_CONSUMER
RSBOLAP_BICS_PROVIDER
RSBOLAP_BICS_PROVIDER_VAR
RSFEC
RSMENU
RSOBJS_RFC_INTERFACE
RSRCI_LOCAL_VIEW
RSR_XLS_RFC
RSWAD
RSWRTEMPLATE
RS_BEX_REPORT_RFC
RS_IGS
RS_PERS_BOD
RZX0
RZX2
SDIFRUNTIME
SM02
SMHB
SRFC
SUNI
SUSO
SYST
SYSU
Type of RFC object to be protected FUGR
This is the minimum RFC authorizations required for a reporting user to execute the report in BI. I am not sure abt the Excel macros stuff.
Reward points if my answer helped..
-
Hi,
I have configured my UWL but could not see any work items in the Portal. Checked the user's RFC authorization to function group SWK1 via function module AUTHORITY_CHECK_RFC, and found that he didn't have that. How do I give a user RFC authorization to function group SWK1?
Any help is much appreciated. Thank you.
Best Regards,
Hapizorr Rozi Alias
Hello,
You have to manually add the authorization object S_RFC from tcode: PFCG -> Edit the role you want -> Authorization tab -> Change authorization data -> From the menu: Edit -> Insert authorization -> Manual input -> Add the auth object S_RFC here -> Now you will see the object and make the required entries
Your SAP security admin should be easily able to assist you with this issue.
Best Regards,
Phani - SAP Basis Expert.
-
Adding authorization object for "Function Group"s ?
Is it possible to add any authorization object for any function group ?
We have an issue, i.e. user "XYZ" is getting some Windows Excel related error whenever trying to call an excel report from BW server. System log related to "XYZ" user shows that -> User "XYZ" has no RFC authorization for the function group "ABCD". The RFC authorization object is S_RFC.
Function Group you can check through SE37->GoTO->Display Function Group
Now is it possible to add authorization for any "Function Group" ?
You give authorisation for all function groups by giving auth object S_RFC a * value in field RFC_NAME
However I do not recommend this as giving wide access to RFC's can bypass a lot of the security you have implemented for the users.
In this case, add only the function group that the user requires in this instance into S_RFC
-
User has no authorization for Function group SYST
Hi,
We are starting to make customisation to B2B application. I have just created a new project for B2B_XXXX application and deployed it on the server. When I run this custom application, I am not able to login using the same user that is working fine for the standard B2B application.
Following is the error I am getting
ERROR 1 - RFC_ERROR_LOGON_FAILURE: User INTUSER05 has no RFC authorization for function group SYST
ERROR 2- The application was not able to switch to a stateful connection......
Strange thing is that the same user works very well for standard B2B.
Any clue? All I have done is created a CUSTCRMPRJ for B2B ERP (SHRWEB, SHRAPP). Please help.
Best regards,
-Tarun
Hi Shanto,
The problem is still occurring. Even if I give s_rfc authorisation the order is not being created.
I compared the source code for b2b and b2b_custom application, I have pasted below the component info
sap.com CORE-TOOLS 7.00 SP14 (1000.7.00.14.0.20071210170909) SAP AG SAP AG 20080125132852
sap.com SAP_JTECHF 7.00 SP14 (1000.7.00.14.0.20071210172424) SAP AG SAP AG 20080125132853
sap.com BASETABLES 7.00 SP14 (1000.7.00.14.0.20071210170411) SAP AG SAP AG 20080125132853
sap.com SAP-JEECOR 7.00 SP14 (1000.7.00.14.0.20071210172300) SAP AG SAP AG 20080125132852
sap.com JLOGVIEW 7.00 SP14 (1000.7.00.14.0.20071210160700) SAP AG SAP AG 20080125132853
sap.com SAP-JEE 7.00 SP14 (1000.7.00.14.0.20071210172039) SAP AG SAP AG 20080125132853
sap.com SAP_JTECHS 7.00 SP14 (1000.7.00.14.0.20071210172719) SAP AG SAP AG 20080125133813
sap.com BI_UDI 7.00 SP14 (1000.7.00.14.0.20071210170522) SAP AG SAP AG 20080125133909
sap.com BI_MMR 7.00 SP14 (1000.7.00.14.0.20071210170459) SAP AG SAP AG 20080125133230
sap.com UMEADMIN 7.00 SP14 (1000.7.00.14.0.20071210164800) SAP AG MAIN_APL70VAL_C 20080125140341
sap.com LM-TOOLS 7.00 SP14 (1000.7.00.14.1.20080124101556) SAP AG MAIN_APL70P14_C 20080125134809
sap.com SAP-SHRWEB 6.0 SP0 (1000.6.0.0.2.20080129095806) SAP AG MAIN_CRM70PAT_C 20110608153828
sap.com SAP-SHRAPP 6.0 SP0 (1000.6.0.0.2.20080128172843) SAP AG MAIN_CRM70PAT_C 20110608154506
b2b_custom application has been created by using code from the following SCs that were added to the track
SAPSHRWEB10_7-20003522.SCA
SAPSHRAPP10_7-20003520.SCA
SAPCRMWEB10_7-20003518.SCA
SAPCRMAPP10_7-20003516.SCA
SAPCRMDIC10_0-20003519.SCA
STRUTS01_0-10003646.SCA
SAPIPCMSA10_0-20003515.SCA
SAPCRMJAV10_7-20003517.SCA
SAPSHRJAV10_7-20003521.SCA
TEALEAF00_0-20001451.SCA
SAPBUILDT14_0-10003479.SCA
Any help would be great...
-
No RFC authorization for function group RFC2
When I am trying to import RFCs/IDOCs from ECC to XI in the integration repository, I am getting this error:
User has no RFC authorization for function group RFC2.
Any input is appreciated.
Thanks,
tnv
Hi tnv,
I guess you have to use an authorization object S_RFC with parameters.. In your case, you would need to set
RFC_TYPE=FUGR
RFC_NAME=RFC2
See this link
http://help.sap.com/saphelp_nw04/helpdata/en/6b/af429b12e9214d9a2d6cba921b162f/frameset.htm
Hope this solves ur problem!
cheers
Prashanth
P.S Please mark helpful answers
-
User PI_JCO_RFC has no RFC authorization for function group ERFC
I am doing IDOC-File scenario between newly installed PI and ECC 6.0 systems.
I have done all the configurations on XI and R/3 end.
When I TEST to send an IDOC from WE19, I could do it successfully and the status is 03 in we02.
But when I go and check SM58, I get the said error: User PI_JCO_RFC has no RFC authorization for function group ERFC.
From that I understand RFC in R/3 end require some authorizations. Am I right? If so, what objects need to be added to my user role?
Please advise.
Thanks
Shiva
Hi,
Try to add the following authorization object to the role(s) of the RFC user:
S_RFC
Set the following authorizations:
RFC_TYPE = FUGR (function group)
RFC_NAME = <name of the function group containing the BAPI>
ACTVT = 16 (execute)
Regards
Seshagiri
-
Has no RFC authorization for function group ZRFC_XI
Hi All,
I have a scenario where I am calling RFC inside the BPM. When I execute I got the error as
User SKXXXXX has no RFC authorization for function group ZRFC_XI
I have gone through the forum
no RFC authorization for function group RFC2
User abcd has no RFC authorization for function group SYST
and I understood that we need to set authorization object S_RFC with RFC_TYPE = FUGR, RFC_NAME = SYST and ACTVT = 16. I think we need to set this to XIISUSER and the password and for PI7.0 user PIISUSER and its password
But not able to understand where we need to do this activity. I request you to kindly let me know how to assign this object... do we need to assign in SAP system or in XI system. please help me out on this problem.
Regards,
Dhill
Dhil,
I never worked on these stuffs. But I found some useful stuff ,I think surely it will help u.
http://sap.ittoolbox.com/groups/technical-functional/sap-basis/please-how-to-create-an-authorization-object-386391
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
Best regards,
raj.
-
User SIMPCDIA has no RFC authorization for function group BBPC
Hello all, I am working with SRM 7.0 and when I try to list all account values in the corresponding matchcode, I have this error message:
User SIMPCDIA has no RFC authorization for function group BBPC
User SIMPCDIA is a dialog user created in backend system with authorization object S_RFC. I don't know what is the problem...
Can you help me please?
Thanks in advance
Rosa Rodríguez
Try testing with a user that has the 'SAP_ALL' profile
OR
see if below link is helpful to you.
[Probable Solution|http://www.sapkb.com/question.php?ID=10]
-
User abcd has no RFC authorization for function group SYST
hi,
We are trying to http<>XI<>RFC scenario.
When we are sending request from http to xI.
We got the following response.
"User abcd has no RFC authorization for function group SYST"
Kindly let me know what authorization to be given to the user abcd.
Regards,
Nishita
You need to give that user auth. object S_RFC for FUGR SYST and activity *.
You can double check in transaction SU53 of the target system which check failed for the respective user. There it should show the auth. object mentioned above.
Regards
Christine
-
Function group / Function modules approvals
Hi,
We have couple of function modules related to RFC / BAPI in QA we need to give approvals before we move them to production.
What precautions do we need to take before approving?
How to segregate Function groups / Function modules?
Thanks,
Ram
Well you should test function groups and function module coding as per your normal procedures. They are widely used.
Whether they are accessible depends on your roles, right?
Which release are you on?
Prior to release 7.01 you can only control at function group level with object S_RFC.
Subsequently you can use RFC_TYPE 'FUNC' to control at module name level if FUGR fails.
Luckily, this check is central and to my knowledge only one developer ever hardcoded it for list outputs, so you should be okay to convert for manual authorizations.
For standard ones from the menu, you will need to deactivate S_RFC (there is no option to un-merge, unfortunately..........). Easiest is to get the names from the menu and paste them into the manual authorization, or use a SU24 "dummy" for the role or scenario.
Dummies are useful workarounds and protect you against upgrades as well... (when SAP adds a load of stuff because GRC needs it, and then toasts your roles, sets active auths to inactive and adds new ones which are merged automatically...)
Cheers,
Julius
-
User has no authorisation for function group SYST?
Hi All,
I was trying to open Bex Analyzer in BI 7.0.
I am getting the error as mentioned below:
"User has no authorisation for function group SYST".
Why is it so.
Please reply.
Thanks in Advance.
Unless you have full authorizations (SAP_ALL / SAP_NEW) you have to grant authorizations for each activity.
With PFCG, add the following RFC on Authorization Object S_RFC:
RFC1
RS*
SDIFRUNTIME
SYST
SYSU
Hope it helps
GFV
-
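A small model of how an S_RFC grant list is evaluated, covering two passages above: the function-group check with the function-module fallback described in the "Function group / Function modules approvals" reply, and the RFC_NAME list given in the BEx Analyzer reply. This is an added example, not code from the posts or from SAP; the trailing-`*` matching is a simplification, and `ZDEMO_ADMIN` and `Z_DEMO_FM` are constructed names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SRfcAuth:
    rfc_type: str          # "FUGR" or "FUNC"
    rfc_name: str          # exact name, "PREFIX*" or "*"
    actvt: str = "16"      # 16 = execute

def _matches(pattern, value):
    # Simplified value matching: only a trailing "*" is treated as a wildcard.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def rfc_allowed(auths, module, group, func_level=True):
    """Return "FUGR", "FUNC" or None for a call to `module` in `group`.

    The function-group check runs first; the function-module check is the
    fallback and exists only on releases that support RFC_TYPE 'FUNC'
    (func_level=False models the older releases mentioned on this page).
    """
    def granted(rfc_type, name):
        return any(a.rfc_type == rfc_type and a.actvt in ("16", "*")
                   and _matches(a.rfc_name, name) for a in auths)
    if granted("FUGR", group):
        return "FUGR"
    if func_level and granted("FUNC", module):
        return "FUNC"
    return None

def broad_grants(auths, min_prefix=4):
    """List RFC_NAME values that are '*' or a wildcard on a short prefix."""
    return sorted({a.rfc_name for a in auths
                   if a.rfc_name.endswith("*")
                   and len(a.rfc_name) - 1 < min_prefix})

# RFC_NAME values quoted in the BEx Analyzer reply on this page.
REPORTING = [SRfcAuth("FUGR", n)
             for n in ("RFC1", "RS*", "SDIFRUNTIME", "SYST", "SYSU")]
FULL = [SRfcAuth("FUGR", "*")]
# Constructed role: one function module named on this page, granted by name.
SINGLE_FM = [SRfcAuth("FUNC", "FM_DIAGLS_PUSH_PHYSICAL_HOST")]

if __name__ == "__main__":
    for label, role in (("reporting", REPORTING), ("full", FULL)):
        print(label, "broad:", broad_grants(role), "ZDEMO_ADMIN ->",
              rfc_allowed(role, "Z_DEMO_FM", "ZDEMO_ADMIN"))
```

Running `broad_grants` over exported role values is a quick way to list the entries worth replacing with explicit function groups.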
Programming an Exit in a Maintenance View Function Group
Hi all,
I have the requirement to fill some administrative data fields of a table which is maintained using a generated maintenance dialog and a maintenance function group. Does anyone have an example of how one can do this? I defined a subroutine to be called before the data is saved to the database, but I have no clue where exactly I must implement this subroutine and how I can reach the data of function group, or which data to reach? Thanks.
Kind Regards,
Sukru
Hi Sukru,
go to your table maintenance, through SE11 or directly SE56.
Set your table name and go to menu Environment > Modifications.
There you can enhance your table maintenance.
Just remember that if you regenerate source code you will lose your custom modifications.
Regards,
Frisoni