To use RFC to execute functions in remote systems, you require two basic types of authorizations:
Authorization for using RFC destinations
Authorization for calling function modules within a specific function group in an RFC destination (target system)
You can use the authorization object S_RFC to grant these authorizations.
You can also use the authorization object S_RFC_ADM to control rights for the administration of RFC destinations (transaction SM59).
Note the following points:
Using Authorization Checks
Make sure that you include authorization checks in your function modules if you want to call these modules using RFC.
Assigning RFC Authorizations
Take the following into account when you grant RFC authorizations to users in SAP systems:
The ABAP authorization object required for using RFC is S_RFC.
The user in the target system must have this object in his or her authorization profile to be able to use RFC to connect to the target system.
The RFC function modules are split into specific groups. When you grant the authorization profile, specify the function groups that the user may access.
Assign these groups to a restricted group of users only.
If you want to control access to the administration of the RFC destinations, you require the authorization object S_RFC_ADM. You can use this object to restrict authorizations for editing certain destinations, for example.
Take care when you assign the authorization values for S_RFCACL; otherwise, individual users might be misused as anonymous users to perform actions in the target system. The object S_RFCACL is not included in the authorization profile SAP_ALL; if you require this object, assign it manually.
You can use the authorization object S_TABU_DIS (authorization group SC) to read RFC destinations from the table RFCDES.
Take care when assigning this authorization as well, to avoid, for example, RFC destinations from being copied from production systems to test systems. Enhanced authorizations could then be used to access other systems remotely.
The authorization object S_ICF was designed for the assignment of authorizations for accessing ICF services. However, you can also use this object to control access to RFC destinations by client.