Show TOC

Creating an Authorization Concept for RFCLocate this document in the navigation structure


Before you assign authorizations to RFC users, design a concept that reduces the amount of authorizations you need to assign to a minimum.


To create the concept, you must have the following information:

  • Application

  • Source system (RFC client); client

  • Target systems (RFC servers); client; RFC user

  • Required and existing authorizations (RFC and application)

  • Data and functions that operate through this connection

  • User responsible for the security of this connection

  • References to Revision Reports


We recommend the following procedure when you create your authorization concept:

Step 1: Analyze and document the communication relationships within the system landscape

Step 2: Trace the authorizations used by each user

Step 3: Create an authorization concept for two user groups: Service user and

'normal' user

Step 4: Fine-tune the concept for further user groups

Step 5: Monitor the assigned authorizations at regular intervals

Step 1: Checking the RFC Destinations and Logon Data

Step 1: Checking the RFC Destinations and Logon Data

To get an overview of the logon data for your RFC destinations, proceed as follows:

1. Execute the report RSRFCCHK. This lists all the RFC destinations that have been created in the system, together with their logon data (user and password). You then have an overview of all users used in RFC destinations.

2. Use transaction SU01 (user administration) to check the user type of the users in the list.

Step 2: Multilevel Implementation of an Authorization Concept for S_RFC

Step 2 Multilevel Implementation of an Authorization Concept for S_RFC

Use the following procedure to restrict the set of potential RFC functions to the function groups that you actually use:

1. Activate the security audit log trace (transactions SM19 and SM20) for a lengthy period of time (about a month). This gives you a good idea about which function groups are actually being used by each user.

2. For each user who has the full authorization for S_RFC, assign only the S_RFC rights recorded in the trace.

3. Distribute the trace data to regular RFC users and RFC service users. Give each group only the authorizations that it actually needs.

Step 3: Assigning Permissions to User Groups

Step 3: Assigning Permissions to User Groups

For each user group, define roles that contain the appropriate RFC authorizations.

Step 4: Further User Groups

Step 4: Further User Groups

Fine-tune the authorization concept by defining additional groups according to function (administrators, application-specific users, managers, and so on). These groups can then be assigned appropriate roles with the required RFC authorizations.

Step 5: Monitoring

Step 5: Monitoring

Evaluate the trace data from the security audit log at regular intervals and check whether you need to make any modifications.

More Information

For more information about creating security audit log traces, see the following: