Authorizations 
Assigning RFC Authorizations in the SAP System
Take the following into account when you assign RFC authorizations to users in SAP systems:
The ABAP authorization object required for using RFC is S_RFC.
The user in the target system must have this object in his or her authorization profile to be able to use RFC to connect to the target system.
Using Authorization Checks
Include authorization checks for the functions of the external system, if these functions can be called using RFC.
Any authorization checks in an external system must be defined in the logic of the relevant external application. The external application can access the following data, provided by RFC when the user logs on:
· Function name
· Client
· Language
· User
· Transaction code
You can use RfcGetAttributes to query extra system data from the calling program.
Defining Authorizations for External Server Programs
The authorizations of external server programs are controlled by the SAP Gateway. You can start external server programs from the gateway, or you can register these programs in the gateway. The security information required by the gateway to decide whether to start or register external server programs is stored in the file secinfo. This file is located in the path specified in the profile parameter gw/sec_info. The default is /usr/sap/<SID>/<instance>/data/secinfo.
If this file does not exist, then there are no restrictions on starting or registering external server programs. We recommend that you use this file and keep it up-to-date.
To define the authorizations for starting or registering external programs, modify the secinfofile by entering information as follows:
- Authorizations for Starting External Server Programs
Enter the following line to give the SAP system user <SAP user> the authorization to start the external server program <external program> on the computer <server>:
USER=<SAP user>, [PWD=<CPIC password>,] [USER-HOST=<client>,] HOST=<server>, TP=<external program>;
The optional parameter <client> specifies the client from which the user logs on to the gateway to start the server program.
The optional parameter <CPIC password> is used only for CPI-C calls and enables you to define a password for the connection. (In your own CPI-C developments, you can define passwords with the function module CMSCSP.)
- Authorizations for Registering External Programs in the SAP Gateway
Enter the following lines to enable a server program on the server <server>to register itself as <program ID>in the SAP Gateway:
USER=*, HOST=<server>, TP=<program ID>;
You must always specify USER=*, although this parameter is not used any further.
You use this method to specify which server programs can register themselves in an SAP Gateway.
- To allow operating system commands or the execution of external programs in background job steps, make an entry for the program sapxpg in the secinfo file for all instance gateways.
Further Information
For detailed information about configuring and implementing the gateway, see SAP Note 110612 and the SAP Library:
SAP
Gateway· For information about setting up the authorization object S_RFC, see the following: