Restricting Access to External Server Programs

Use

If you use a registered or started RFC server (based on RFC SDK, SAP NetWeaver RFC SDK, JCo, .NET Connector or Business Connector), there is always the risk that a user who is not authorized for the SAP system sends RFC calls to the external RFC program and then executes functions in this program or reads information that it returns.

You can prevent unauthorized access by setting up an authorization check either in the RFC server itself or using the Gateway.

Prerequisites

To use the following procedure, the SAP system must fulfill the following prerequisites:

  • SAP Kernel 7.00

  • Patch Level 119

  • ABAP Support Package 13

Procedure

The external RFC server normally executes its own authorization check when it receives an RFC call. This check can be based on the following mechanisms:

  • Verifying the user name (simplified name)

  • Checking the SSO ticket

  • Validating an SNC name (if SNC is used)

    Note

    Find a description of the required activities in the documentation of the relevant security product.

If it is not possible to change your external server program in such a way that these functions can be used, the Gateway provides an additional security mechanism using the secinfo file.

To do this, follow the procedure below:

  • In the $DIR_DATA directory, create a file with the name secinfo.

    Note

    If you want to use another directory and/or file name, you can store the new filename in the gw/sec_info profile parameter.

The secinfo file is imported at system start. Each row can contain one or more of the following values:

  • SAP user ID of the user to which the following security settings are to be assigned.

  • Program ID that defines the RFC destination to which the user can send RFC calls.

  • Host name (or IP address) from which an RFC call may be sent to the defined RFC destination.

  • Host name (or IP address) to which RFC calls may be sent.

  • Password that the RFC client specifies. The password is only required if there is communication between two external RFC programs.

    Note

    You can use the secinfo file either to explicitly permit or exclude access to external programs.
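
The following review script is an added example, not SAP code or part of the original documentation: it parses secinfo rows and reports wildcard, incomplete and password-bearing entries so that they can be checked before the file is activated. It assumes a comma-separated KEY=value row syntax (USER, PWD, USER-HOST, HOST, TP) and treats USER, HOST and TP as required; this page lists the fields but not the syntax, and all sample values are constructed.

```python
# Added example: audits secinfo rows for entries that deserve a review.
# Assumption: rows use the comma-separated KEY=value syntax below; the page
# lists the fields but does not show the syntax.
FIELDS = ("USER", "PWD", "USER-HOST", "HOST", "TP")
REQUIRED = ("USER", "HOST", "TP")  # treated as required here (assumption)

# Constructed sample rows; users, hosts and program IDs are made up.
SAMPLE_SECINFO = """\
USER=RFCUSER1, HOST=apphost01, TP=ORDER_SRV;
USER=*, HOST=*, TP=*;
USER=BATCH, USER-HOST=10.0.0.5, HOST=apphost02, TP=PRINT_SRV;
USER=EXTPROG, PWD=example-pw, HOST=apphost01, TP=ORDER_SRV;
USER=*, HOST=apphost03, TP=REPORT_SRV;
HOST=apphost04, TP=ARCHIVE_SRV;
"""

def parse_secinfo(text):
    """Return [(line_no, {field: value})] for every non-empty row."""
    rows = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().rstrip(";").strip()
        if not line:
            continue
        entry = {}
        for part in line.split(","):
            key, sep, value = part.partition("=")
            key = key.strip().upper()
            if not sep or key not in FIELDS:
                raise ValueError(f"line {no}: unrecognised field {part.strip()!r}")
            entry[key] = value.strip()
        rows.append((no, entry))
    return rows

def audit(rows):
    """Return [(line_no, finding)] for rows a reviewer should look at."""
    findings = []
    for no, entry in rows:
        missing = [k for k in REQUIRED if k not in entry]
        wild = [k for k in REQUIRED if entry.get(k) == "*"]
        if missing:
            findings.append((no, "missing " + "/".join(missing)))
        if wild:
            findings.append((no, "wildcard " + "/".join(wild)))
        if "PWD" in entry:
            findings.append((no, "password stored in file"))
    return findings

if __name__ == "__main__":
    for no, finding in audit(parse_secinfo(SAMPLE_SECINFO)):
        print(f"secinfo line {no}: {finding}")
```

A row flagged "password stored in file" is a reminder that the secinfo file itself needs restrictive file system permissions.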

More Information

You can find detailed information about configuring and implementing the gateway in SAP Note 110612 and in the SAP Library:

For a detailed introduction to setting up the secinfo file: