The authorization check uses authorization object S_RFC to check whether the user defined in the destination has RFC authorization for the function module to be called. The authorization check is performed at the function group level. If the user is assigned to a certain function group, he or she can call all function modules that belong to this function group.
In addition to the function groups belonging to the application function modules, authorization object S_RFC must also contain any RFC function groups in order to perform technical processes during communication:
For tRFC and qRFC calls between two SAP systems: Function groups ERFC and ARFC
additionally for all RFC calls in external (non-SAP) systems: function group SYST.
You can find an overview of other authorization objects in the RFC environment in the RFC Security Guide, under: