In the ICF environment, you have the option of using various authorization objects to restrict access to individual ICF elements. There are three basic categories:
Troubleshooting with the ICF recorder
To use ICF services to call functions in other systems, you require two basic types of authorizations:
Authorization for using ICF or individual services
Authorization for calling application function modules or BSP applications (with the relevant ICF handler) that you want to be executed by a service. (These authorizations are defined by the relevant application in the target system.)
Assigning ICF Authorizations
Take the following into account when you assign ICF authorizations to users in SAP systems:
The ABAP authorization object required for using ICF is S_ICF.
The user in the target system must have this object in his or her authorization profile to be able to use ICF to connect to the target system.
The authorization for creating and maintaining virtual hosts and services is granted using the authorization object S_ICF_ADM. Here you can define, for example, whether you want to allow access to individual services or aliases, or allow access to top-level service nodes.
You can use the authorization S_ICFREC to control access to the ICF recorder.
You can use the authorization object S_ADMIN_FCD to restrict the use of administration functions in transaction SICF.
Granting Authorizations for Using Individual Services
Use transaction SICF to maintain the security options under Service Data for each ICF service (or a service node or virtual host).
To define the authorization of a user for accessing a specific service yourself, you can enter a check value in the SAP Authorization field under Service Data. Also read the F1 help for this field.
The security options that you use in transaction SICF are 'passed on' to other services. For example, if you make settings for a top-level service node, these settings also apply to all services under this node. You can also make settings for a complete virtual host.
The settings are not passed on if specific values have been entered for a lower level node or service. These settings overwrite any values from the top-level node or service.