S_RFC Function Groups

Hello experts:
I am currently using S_RFC with full authorization ( * ) for RFC users in satellite systems. Can anyone clarify what this implies in terms of security? Can I restrict the "Name of RFC to be protected" field only to the function groups required for each user?
Particularly, I am using an RFC connection for the test workbench through SolMan using trx STWB_WORK. Do the function groups required depend on the transaction or program I am testing through my assigned test package? If so, how can I find out which function groups a particular transaction or program requires? If not, does it depend on the program or transaction from which I am making the RFC connection, in this case STWB_WORK?
Can someone shed some light on how to determine the strictly necessary function groups to be assigned in S_RFC?
Thank you all,
Henry

Hello Henry,
While we wait for somebody more knowledgeable than myself to answer, some comments from me:
My understanding is that this tool uses eCATT (to retrieve the results of test cases) from remote systems.
Always useful => Activate the security audit log (transaction SM19) using the dynamic tab to log all successful RFC calls to find out which calls are made in those systems, and in your SolMan.
Also take a look at the function groups of transaction SECATT in transaction SU24 which might have a "Proposal" (previously "Check/Maintain" value), as they may appear in the audit log in your remote systems... (I am not sure what the default values are).
There is also a SAP note "Minimum authorizations for Workplace users" (Note 215927) which might be useful for you.
I also think the access required (not only S_RFC) will be dependent on your test cases (begging the question: How can SAP deliver a correct default or role...). You can also mitigate this risk by not saving the logon data permanently in the connections...
Of course, the application authorizations (e.g. S_DEVELOP, S_USER_GRP, and many others...) are also important for security, and the user type for the connection (type SYSTEM is the recommended type, if the logon data is going to be saved) as well. You might also want the user to logon when the connection is opened, if they are running the test themselves..?
Another aspect is how your target system is set up? If an invoked RFC call leaves its RFC group (and is able to!), do you want to be able to determine which RFC_NAME groups it can call? Or do you want to prevent it using client settings (see the CATT / eCATT restrictions in SCC4 for your release) and system settings for the RFC check?
Some alternate strategies are to accept the risk, use dedicated user IDs for the test cases and secure the access to this transaction (not only limited to STWB_WORK) in the source system (your SolMan). Though some security folks I know prefer securing the target, as a general security principle, you can make a "quick-win" by securing your SolMan security...
Tricky topic. Good question!
Cheers,
Julius
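
One way to turn the audit-log approach described in the reply above into a concrete S_RFC proposal, as an added example that is not part of the original thread: it aggregates logged RFC calls per user into the function groups actually used. The semicolon-separated record layout is a constructed, simplified export (not the real audit log output format), and the user, module and group names are sample values.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a simplified, semicolon-separated export of RFC call
# events. The column layout and every value are assumptions for illustration.
SAMPLE_EXPORT = """\
user;function_module;function_group;result
TWB_RFC;RFC_PING;SYST;success
TWB_RFC;RFC_SYSTEM_INFO;SRFC;success
TWB_RFC;Z_DEMO_RUN_TESTCASE;ZDEMO_TEST;success
TWB_RFC;Z_DEMO_RUN_TESTCASE;ZDEMO_TEST;success
TWB_RFC;Z_DEMO_READ_USERS;ZDEMO_ADMIN;failed
BI_RFC;Z_DEMO_QUERY;ZDEMO_BI;success
"""


def parse_calls(text):
    """Parse the export into dict rows; names upper-cased, result lower-cased."""
    rows = csv.DictReader(io.StringIO(text), delimiter=";")
    return [{k: (v.strip().lower() if k == "result" else v.strip().upper())
             for k, v in row.items()} for row in rows]


def groups_by_user(calls, result="success"):
    """Map user -> sorted function groups seen with the given result."""
    seen = defaultdict(set)
    for call in calls:
        if call["result"] == result:
            seen[call["user"]].add(call["function_group"])
    return {user: sorted(groups) for user, groups in seen.items()}


def s_rfc_proposal(calls):
    """Per user, S_RFC field values covering only observed successful calls."""
    return {user: {"RFC_TYPE": "FUGR", "RFC_NAME": groups, "ACTVT": "16"}
            for user, groups in groups_by_user(calls).items()}


def review_items(calls):
    """Groups that were only ever denied: decide explicitly, never auto-grant."""
    granted = groups_by_user(calls)
    denied = groups_by_user(calls, "failed")
    return {user: [g for g in groups if g not in granted.get(user, [])]
            for user, groups in denied.items()}


if __name__ == "__main__":
    calls = parse_calls(SAMPLE_EXPORT)
    for user, auth in s_rfc_proposal(calls).items():
        print(user, auth)
    print("needs review:", review_items(calls))
```

The proposal only reflects calls made during the logging window, so the window has to cover a full run of the test packages before the `*` value is replaced.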

Similar Messages

  • How to add a function-group to authorization object S_RFC ?

    I have implemented a function group, that is to be called from "the outside" via RFC-calls.
    Have been told that this func.group has to be added to object S_RFC, and assigned to the user(s) that are going to use this call.
    Where, in the SAP-system, do we maintain these connections ?
    (I'm new to the SAP-world, and hope someone will give me some help...)

    Hi
    I believe you should insert the authority-check in the fms of your function group:
    AUTHORITY-CHECK OBJECT 'S_RFC'
    ID 'RFC_TYPE' FIELD <value>
    ID 'RFC_NAME' FIELD <value>
    ID 'ACTVT'    FIELD <value>.
    This object has to be assigned to the profile of all users who'll use those fms.
    You can manage the profile by trx PFCG.
    Max

  • How to add function group to the  authorization object S_RFC ?

    Hi All,
    Can you please tell me how to add the function group FG_DIAGLS_DATA_ENRICHMENT to the authorization object S_RFC?
    In solman_setup under basis configuration, when I execute the step "SetupDPC/DCC Web Service URL" it fails because of the
    following error, which I found in the agent log:
    "java.rmi.RemoteException:RfcExecutionException; nested exception is:
    com.sap.sup.admin.abap.rfc.exception.RfcExecutionException: An
    exceptionoccured during the execution of the function
    'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
    com.sap.sup.admin.abap.rfc.exception.RfcExecutionException:An exception
    occured during the execution of the function
    'FM_DIAGLS_PUSH_PHYSICAL_HOST': RFC_NO_AUTHORITY >
    com.sap.mw.jco.JCO$Exception:No RFC authorization for function module
    FM_DIAGLS_PUSH_PHYSICAL_HOST. <Mid"
    Thanks,
    Satheesh E

    Hi,
    Please follow below steps:
    1) Go to SE01
    2) Click on create New workbench request and give desc once popup appears, Click Ok
    3) Now open the transport in edit mode
    4) Add
    Program ID - R3TR
    Object Type - FUGR
    Object name - Name of the Function group
    >note that if you transport Function group all the latest Function modules in function group along
    >with screens will be included in the transport.
    Regards
    Shital
    Formatted by: Vijay Babu Dudla on Apr 25, 2009 5:08 AM

  • Dangers for full S_RFC authorization - for all function groups

    Hi,
    I have recently received a stern warning about all the bad things that can happen if you give users full authorization for S_RFC. This allows the user to use all function modules that use RFC (remote function calls).
    As all our standard reporting users need at least some RFC function modules, I simply awarded them all of them. Tracing this (running, changing, creating, deleting queries, planning, consolidation) in Excel and Web would have been too tedious.
    Apparently, full authorization together with the table browser transaction (SE16) would allow a user to read all available data!?
    The same result is said to be possible if you create some special excel macros which would in turn call an RFC function module.
    Is this true?
    How could it be done?
    Has anybody a complete list of all the RFC function modules needed for reporting and planning in SAP BI?
    Any advice on these issues will be very much appreciated.
    Martin

    Hi Martin,
    I am not sure if my answer will help you or not. But if you are talking about the S_RFC authorizations needed for a reporting user in BI 7, here it is..
    Authorization Check for RFC Access                           S_RFC
    RFC authorization for function group:       
    RFC1
    RFCH
    RRMX
    RRXWS
    RRY1
    RSAH
    RSBOLAP_BICS
    RSBOLAP_BICS_CONSUMER
    RSBOLAP_BICS_PROVIDER
    RSBOLAP_BICS_PROVIDER_VAR
    RSFEC
    RSMENU
    RSOBJS_RFC_INTERFACE
    RSRCI_LOCAL_VIEW
    RSR_XLS_RFC
    RSWAD
    RSWRTEMPLATE
    RS_BEX_REPORT_RFC
    RS_IGS
    RS_PERS_BOD
    RZX0
    RZX2
    SDIFRUNTIME
    SM02
    SMHB
    SRFC
    SUNI
    SUSO
    SYST
    SYSU
    Type of RFC object to be protected   FUGR
    These are the minimum RFC authorizations required for a reporting user to execute the report in BI. I am not sure about the Excel macros stuff.
    Reward points if my answer helped..

  • UWL and function group swk1

    Hi,
    I have configured my UWL but could not see any work items in the Portal. Checked the user's RFC authorization to function group SWK1 via function module AUTHORITY_CHECK_RFC, and found that he didn't have that. How do I give a user RFC authorization to function group SWK1?
    Any help is much appreciated. Thank you.
    Best Regards,
    Hapizorr Rozi Alias

    Hello,
    You have to manually add the authorization object S_RFC from tcode: PFCG -> Edit the role you want -> Authorization tab -> Change authorization data -> From the menu: Edit -> Insert authorization -> Manual input -> Add the auth object S_RFC here -> Now you will see the object and make the required entries
    Your SAP security admin should be easily able to assist you with this issue.
    Best Regards,
    Phani - SAP Basis Expert.

  • Adding authorization object for "Function Group"s ?

    Is it possible to add any authorization object for any function group ?
    We have an issue, i.e. user "XYZ" is getting some Windows Excel related error whenever trying to call an excel report from BW server. System log related to "XYZ" user shows that -> User "XYZ" has no RFC authorization for the function group "ABCD". The RFC authorization object is S_RFC.
    Function Group you can check through SE37->GoTO->Display Function Group
    Now is it possible to add authorization for any "Function Group" ?

    You give authorisation for all function groups by giving auth object S_RFC a * value in field RFC_NAME
    However I do not recommend this as giving wide access to RFC's can bypass a lot of the security you have implemented for the users.
    In this case, add only the function group that the user requires in this instance into S_RFC

  • User has no authorization for Function group SYST

    Hi,
    We are starting to make customisation to B2B application. I have just created a new project for B2B_XXXX application and deployed it on the server. When I run this custom application, I am not able to login using the same user that is working fine for the standard B2B application.
    Following is the error I am getting
    ERROR 1 - RFC_ERROR_LOGON_FAILURE: User INTUSER05 has no RFC authorization for function group SYST
    ERROR 2-  The application was not able to switch to a stateful connection......
    Strange thing is that the same user works very well for standard B2B.
    Any clue? All I have done is created a CUSTCRMPRJ for B2B ERP (SHRWEB, SHRAPP). Please help.
    Best regards,
    -Tarun
    Edited by: Tarun Bakshi on Nov 10, 2011 7:37 PM

    Hi Shanto,
    The problem is still occurring. Even if I give s_rfc authorisation the order is not being created.
    I compared the source code for b2b and b2b_custom application, I have pasted below the component info
    b2b_custom application has been created by using code from the following SCs that were added to the track
    SAPSHRWEB10_7-20003522.SCA
    SAPSHRAPP10_7-20003520.SCA
    SAPCRMWEB10_7-20003518.SCA
    SAPCRMAPP10_7-20003516.SCA
    SAPCRMDIC10_0-20003519.SCA
    STRUTS01_0-10003646.SCA
    SAPIPCMSA10_0-20003515.SCA
    SAPCRMJAV10_7-20003517.SCA
    SAPSHRJAV10_7-20003521.SCA
    TEALEAF00_0-20001451.SCA
    SAPBUILDT14_0-10003479.SCA
    Any help would be great...

  • No RFC authorization for function group RFC2

    When I am trying to import RFCs/IDOCs from ECC to XI in the integration repository, I am getting this error:
    User has no RFC authorization for function group RFC2.
    Any input is appreciated.
    Thanks,
    tnv

    Hi tnv,
    I guess you have to use an authorization object S_RFC with parameters.. In your case, you would need to set
    RFC_TYPE=FUGR
    RFC_NAME=RFC2
    See this link
    http://help.sap.com/saphelp_nw04/helpdata/en/6b/af429b12e9214d9a2d6cba921b162f/frameset.htm
    Hope this solves your problem!
    cheers
    Prashanth
    P.S Please mark helpful answers

  • User PI_JCO_RFC has no RFC authorization for function group ERFC

    I am doing IDOC-File scenario between newly installed PI and ECC 6.0 systems.
    I have done all the configurations on XI and R/3 end.
    When I TEST to send an IDOC from WE19, I could do it successfully and the status is 03 in we02.
    But when I go and check SM58, I get the said error: User PI_JCO_RFC has no RFC authorization for function group ERFC.
    From that I understand RFC in R/3 end require some authorizations. Am I right? If so, what objects need to be added my user role?
    Please advise.
    Thanks
    Shiva

    Hi,
    Try to add the following authorization object to the role(s) of the RFC user:
    S_RFC
    Set the following authorizations:
    RFC_TYPE = FUGR (function group)
    RFC_NAME = <name of the function group containing the BAPI>
    ACTVT = 16 (execute)
    Regards
    Seshagiri

  • Has no RFC authorization for function group ZRFC_XI

    Hi All,
    I have a scenario where I am calling RFC inside the BPM.  When I execute I got the error as
    User SKXXXXX has no RFC authorization for function group ZRFC_XI
    I have gone through the forum
    no RFC authorization for function group RFC2
    User abcd has no RFC authorization for function group SYST
    and I understood that we need to set authorization object S_RFC with RFC_TYPE = FUGR, RFC_NAME = SYST and ACTVT = 16. I think we need to set this to XIISUSER and the password and for PI7.0 user PIISUSER and its password
    But not able to understand where we need to do this activity.  I request you to kindly let me know how to assign this object... do we need to assign in SAP system or in XI system.  please help me out on this problem.
    Regards,
    Dhill

    Dhil,
    I never worked on these stuffs. But I found some useful stuff, I think surely it will help you.
    http://sap.ittoolbox.com/groups/technical-functional/sap-basis/please-how-to-create-an-authorization-object-386391
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
    Best regards,
    raj.

  • User SIMPCDIA has no RFC authorization for function group BBPC

    Hello all, I am working with SRM 7.0 and when I try to list all account values in the corresponding matchcode, I have this error message:
    User SIMPCDIA has no RFC authorization for function group BBPC
    User SIMPCDIA is a dialog user created in backend system with authorization object S_RFC. I don't know what is the problem...
    Can you help me please?
    Thanks in advance
    Rosa Rodríguez

    Try testing with a user that has the 'SAP_ALL' profile
    OR
    see if below link is helpful to you.
    Probable Solution: http://www.sapkb.com/question.php?ID=10
    Edited by: Saurabh Agarwal on Sep 1, 2010 11:59 AM

  • User abcd has no RFC authorization for function group SYST

    hi,
       We are trying an http<>XI<>RFC scenario.
    When we send a request from http to XI,
    we get the following response:
    "User abcd has no RFC authorization for function group SYST"
    Kindly let me know what authorization to be given to the user abcd.
    Regards,
    Nishita

    you need to give that user auth. object S_RFC for FUGR SYST and activity *.
    You can double check in transaction SU53 of the target system which check failed for the respective user. There it should show the auth. object mentioned above.
    Regards
    Christine

  • Function group / Function modules approvals

    Hi,
    We have couple of function modules related to RFC / BAPI in QA we need to give approvals before we move them to production.
    What precautions do we need to take before approving?
    How to segregate Function groups / Function modules?
    Thanks,
    Ram

    Well you should test function groups and function module coding as per your normal procedures. They are widely used.
    Whether they are accessible depends on your roles, right?
    Which release are you on?
    Prior to release 7.01 you can only control at function group level with object S_RFC.
    Subsequently you can use RFC_TYPE 'FUNC' to control at module name level if FUGR fails.
    Luckily, this check is central and to my knowledge only one developer ever hardcoded it for list outputs, so you should be okay to convert for manual authorizations.
    For standard ones from the menu, you will need to deactivate S_RFC (there is no option to un-merge, unfortunately..........). Easiest is to get the names from the menu and paste them into the manual authorization, or use a SU24 "dummy" for the role or scenario.
    Dummies are useful workarounds and protect you against upgrades as well... (when SAP adds a load of stuff because GRC needs it, and then toasts your roles, sets active auths to inactive and adds new ones which are merged automatically...)
    Cheers,
    Julius
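
A small model of the S_RFC decision discussed in the threads above, as an added example that is not part of any original post: the function group is checked first (RFC_TYPE FUGR), the module name (RFC_TYPE FUNC) only if that fails, and over-broad RFC_NAME values are flagged for review. Trailing-`*` prefix matching is a simplifying assumption, and `Z_DEMO_*` / `ZDEMO` and the module-to-group pairings are sample values.

```python
EXECUTE = "16"  # ACTVT value for "execute", as quoted in the threads above


def value_matches(granted, requested):
    """Exact match, or prefix match when the granted value ends in '*'."""
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested


def field_ok(granted_values, requested):
    """True if any granted value of one authorization field covers the request."""
    return any(value_matches(g, requested) for g in granted_values)


def rfc_allowed(auths, function_module, function_group):
    """Return 'FUGR' or 'FUNC' for the level that grants the call, else None.

    Order follows the thread: the function group is tried first and the
    function module name (RFC_TYPE 'FUNC') only if the FUGR check fails.
    """
    for rfc_type, name in (("FUGR", function_group), ("FUNC", function_module)):
        for auth in auths:
            if (field_ok(auth["RFC_TYPE"], rfc_type)
                    and field_ok(auth["RFC_NAME"], name)
                    and field_ok(auth["ACTVT"], EXECUTE)):
                return rfc_type
    return None


def broad_values(auths, min_prefix=3):
    """RFC_NAME values that are '*' or a generic prefix shorter than min_prefix."""
    return sorted({v for a in auths for v in a["RFC_NAME"]
                   if v.endswith("*") and len(v) - 1 < min_prefix})


# Function groups quoted in the BEx thread, plus one hypothetical module grant.
REPORTING_ROLE = [
    {"RFC_TYPE": ["FUGR"], "ACTVT": ["16"],
     "RFC_NAME": ["RFC1", "RS*", "SDIFRUNTIME", "SYST", "SYSU"]},
    {"RFC_TYPE": ["FUNC"], "ACTVT": ["16"],
     "RFC_NAME": ["Z_DEMO_GET_STATUS"]},  # hypothetical module name
]
FULL_ROLE = [{"RFC_TYPE": ["*"], "ACTVT": ["*"], "RFC_NAME": ["*"]}]

if __name__ == "__main__":
    for role_name, role in (("reporting", REPORTING_ROLE), ("full", FULL_ROLE)):
        print(role_name, "broad values:", broad_values(role))
        for module, group in (("RFC_PING", "SYST"),
                              ("Z_DEMO_GET_STATUS", "ZDEMO"),
                              ("Z_DEMO_DELETE", "ZDEMO")):
            print(" ", module, group, "->", rfc_allowed(role, module, group))
```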

  • User has no authorisation for function group SYST?

    Hi All,
    I was trying to open Bex Analyzer in BI 7.0.
    I am getting the error as mentioned below:
    "User has no authorisation for function group SYST".
    Why is it so.
    Please reply.
    Thanks in Advance.

    Unless you have full authorizations (SAP_ALL / SAP_NEW) you have to grant authorizations for each activity.
    With PFCG, add the following RFC on Authorization Object S_RFC:
    RFC1
    RS*
    SDIFRUNTIME
    SYST
    SYSU
    Hope it helps
    GFV

  • Programming an Exit in a Maintenance View Function Group

    Hi all,
    I have the requirement to fill some administrative data fields of a table which is maintained using a generated maintenance dialog and a maintenance function group. Does anyone have an example of how one can do this? I defined a subroutine to be called before the data is saved to the database, but I have no clue where exactly I must implement this subroutine and how I can reach the data of function group, or which data to reach? Thanks.
    Kind Regards,
    Sukru

    Hi Sukru,
    go to your table maintenance, through SE11 or directly SE56.
    Set your table name and go to menu Environment > Modifications.
    There you can enhance your table maintenance.
    Just remember that if you regenerate source code you will lose your custom modifications.
    Regards,
    Frisoni
