Security for External Tool Integration
Normally when you work with an external tool, you will start it from eCATT. The integration of external tools with eCATT is implemented using COM to start and stop the external tool, and RFC to exchange script data. The COM communication is initiated by eCATT, but the RFC connection is established by the external tool.
The external tool requires a service user in order to communicate with eCATT. To generate this user, you have to run the program ECATT_GENERATE_ET_USER from transaction SE38. The tool then logs back via this user onto the SAP System to exchange data. This user is assigned the role SAP_ECET, which contains two authorizations for object S_RFC (see section S_RFC in Authorization Objects Used in eCATT Authorization).
When the external tool is closed, eCATT destroys the user.
The generated users have no authorization to start any transactions.
If, however, you want to upload scripts from an external tool to eCATT without having started it through eCATT, you must log onto the SAP System yourself. In this case, you need the following authorizations for S_RFC (which are contained in role SAP_ECET):
|
Authorization Object |
Field |
Value |
Description |
|
S_RFC |
RFC_TYPE |
FUGR |
Function group |
|
ACTVT |
16 |
Execute |
|
|
RFC_NAME |
SYST |
||
|
ECATT_EXTERNAL_TOOL |