Show TOC

Maintaining Trust Relationships between SAP SystemsLocate this document in the navigation structure


SAP systems can build trust relationships to one another in order to minimize the requirement for authentication when logging on to a remote system:

If a calling SAP system is known to the called system as a calling system, no password is required during the logon.

The calling SAP system must be registered in the called system as a calling system. The called system is known as the trusting or called system.

Trust relationships between SAP systems offer the following benefits:

  • Single Sign-On is possible beyond system boundaries.

  • No passwords are transmitted in the network.

  • Timeout mechanisms for the logon data protect against illegal logon attempts.

  • User-specific logon data is checked in the called system.

The trust relationship is not mutual, meaning that it applies to one direction only. To establish a mutual trust relationship between two partner systems, you must define each of the two as a calling system in its respective partner system.


For extra security, you can use SAP's SNC Interface ( Secure Network Communications) for third-party security systems such as Kerberos and SECUDE.

You can configure multiple SAP systems as mutual trusted systems. Setting up a trust relationship between two systems is normally initiated by the called system (server system). Here, users of the calling system who are allowed to make RFC calls by this type of trust relationship must be identified in the called system (trusted users).

Before a calling system can be defined, a destination must be created for this system in the calling system. The RFC users also need the relevant authorizations in the calling system (authorization object S_RFCACL). You can check the authorizations for the logged on users in the calling system in advance, by using the function module AUTHORITY_CHECK_TRUSTED_SYSTEM.

More Information

You can find detailed information about maintaining trust relationships in: