Before you assign authorizations to RFC users, design a concept that reduces the amount of authorizations you need to assign to a minimum.
To create the concept, you must have the following information:
Application
Source system (RFC client); client
Target systems (RFC servers); client; RFC user
Required and existing authorizations (RFC and application)
Data and functions that operate through this connection
User responsible for the security of this connection
References to Revision Reports
We recommend the following procedure when you create your authorization concept:
Step 1: Analyze and document the communication relationships within the system landscape
Step 2: Trace the authorizations used by each user
Step 3: Create an authorization concept for two user groups: Service user and 'normal' user
Step 4: Fine-tune the concept for further user groups
Step 5: Monitor the assigned authorizations at regular intervals
Step 1: Checking the RFC Destinations and Logon Data
To get an overview of the logon data for your RFC destinations, proceed as follows:
1. Execute the report RSRFCCHK. This lists all the RFC destinations that have been created in the system, together with their logon data (user and password). You then have an overview of all users used in RFC destinations.
2. Use transaction SU01 (user administration) to check the user type of the users in the list.
Step 2: Multilevel Implementation of an Authorization Concept for S_RFC
Use the following procedure to restrict the set of potential RFC functions to the function groups that you actually use:
1. Activate the security audit log trace (transactions SM19 and SM20) for a lengthy period of time (about a month). This gives you a good idea about which function groups are actually being used by each user.
2. For each user who has the full authorization for S_RFC, assign only the S_RFC rights recorded in the trace.
3. Distribute the trace data to regular RFC users and RFC service users. Give each group only the authorizations that it actually needs.
Step 3: Assigning Permissions to User Groups
For each user group, define roles that contain the appropriate RFC authorizations.
Step 4: Further User Groups
Fine-tune the authorization concept by defining additional groups according to function (administrators, application-specific users, managers, and so on). These groups can then be assigned appropriate roles with the required RFC authorizations.
Step 5: Monitoring
Evaluate the trace data from the security audit log at regular intervals and check whether you need to make any modifications.
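The following script is an added example, not SAP code and not an export format of RSRFCCHK or the security audit log; it walks through steps 1, 2, 3 and 5 above on constructed data. It flags Dialog users that appear in RFC destinations (a technical user type such as System or Communication is the expected choice for RFC logons), aggregates a constructed trace of RFC calls into the function groups each user actually used, expresses those as S_RFC field values (RFC_TYPE = FUGR, RFC_NAME, ACTVT = 16), splits the result into service users and 'normal' users, and compares two trace evaluations so that newly used function groups stand out during monitoring. The destination list, user types, trace layout, user names and function group names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed stand-in for the RSRFCCHK destination overview: (destination, client, user).
DESTINATIONS = [
    ("PRD_TO_BW", "100", "RFC_BW"),
    ("PRD_TO_CRM", "100", "RFC_CRM"),
    ("PRD_TO_HR", "200", "JSMITH"),
]

# Constructed stand-in for the user types shown in SU01.
USER_TYPES = {"RFC_BW": "System", "RFC_CRM": "Communication", "JSMITH": "Dialog"}

# Constructed stand-in for a month of security audit log RFC call records:
# user|function module|function group (this is NOT the real SM20 export layout).
TRACE = """\
RFC_BW|Z_BW_EXTRACT|ZBWX
RFC_BW|Z_BW_EXTRACT|ZBWX
RFC_BW|RFC_PING|SRFC
RFC_CRM|Z_CRM_SYNC|ZCRM
RFC_CRM|Z_CRM_SYNC_STATUS|ZCRM
JSMITH|Z_HR_REPORT|ZHR
JSMITH|RFC_PING|SRFC
"""

# Constructed list of technical (service) users; every other user counts as a 'normal' user.
SERVICE_USERS = {"RFC_BW", "RFC_CRM"}


def dialog_users_in_destinations(destinations, user_types):
    """Step 1: return (destination, user) pairs whose logon user is a Dialog user.
    RFC destinations should use a technical user type, so a Dialog user here needs review."""
    return [(dest, user) for dest, _client, user in destinations
            if user_types.get(user, "unknown") == "Dialog"]


def function_groups_by_user(trace_text):
    """Step 2: aggregate the trace into the sorted list of function groups each user called."""
    groups = defaultdict(set)
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        user, _function_module, fugr = line.split("|")
        groups[user].add(fugr)
    return {user: sorted(fugrs) for user, fugrs in groups.items()}


def s_rfc_values(groups_by_user):
    """Step 2: turn the observed function groups into S_RFC field values per user.
    S_RFC fields: RFC_TYPE (FUGR = function group), RFC_NAME, ACTVT (16 = execute)."""
    return {
        user: [{"RFC_TYPE": "FUGR", "RFC_NAME": fugr, "ACTVT": "16"} for fugr in fugrs]
        for user, fugrs in groups_by_user.items()
    }


def split_user_groups(groups_by_user, service_users):
    """Step 3: split the derived authorizations into service users and 'normal' users,
    collapsing each group to the union of function groups its members need."""
    service, normal = set(), set()
    for user, fugrs in groups_by_user.items():
        (service if user in service_users else normal).update(fugrs)
    return sorted(service), sorted(normal)


def new_function_groups(previous_groups, current_groups):
    """Step 5: report function groups per user that appear in the current trace evaluation
    but not in the previous one, i.e. where the concept may need adjusting."""
    diff = {}
    for user, fugrs in current_groups.items():
        added = sorted(set(fugrs) - set(previous_groups.get(user, [])))
        if added:
            diff[user] = added
    return diff


if __name__ == "__main__":
    print("Dialog users in RFC destinations:", dialog_users_in_destinations(DESTINATIONS, USER_TYPES))
    groups = function_groups_by_user(TRACE)
    print("S_RFC values per user:", s_rfc_values(groups))
    print("Service / normal function groups:", split_user_groups(groups, SERVICE_USERS))
    print("New since last evaluation:", new_function_groups({"RFC_BW": ["ZBWX"]}, groups))
```

Run the script as is to see the four results; in practice the constructed inputs would be replaced by the destination overview and trace export from your own system, and the per-user S_RFC values would be maintained in the roles of step 3 rather than kept as full S_RFC authorization.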
For more information about creating security audit log traces, see the following: