For communications initiated by external CPIC or RFC programs that are to be protected with SNC, the system also validates the combination of the user ID in the SAP system and the SNC name supplied by the external program.
You can also use transaction SU01 to assign SNC names to RFC or CPIC users. Note, however, that transaction SU01 lets you assign only a single SNC name to a user, and there may be cases where you want to assign additional SNC names to RFC or CPIC users. For these cases, you can maintain additional SNC names in the extended user ACL (table USRACLEXT).
See Maintaining SNC Information for Dialog Users for information on using transaction SU01 to maintain users' SNC information. In this topic, we describe how to maintain the SNC information by directly entering the information in table USRACLEXT.
Although it is possible, we do not recommend entering additional SNC names for dialog users in USRACLEXT.
From the table maintenance for table USRACLEXT (for example, using transaction SM30):
The Change View for the user ACL appears.
You can use the asterisk symbol (*) as a wildcard for both the SAP system user name and the SNC name. Note the following:
An informational message appears if either of these fields contains the wildcard value.
The table below shows sample entries for the extended user ACL.
User Name | Seq.number | SNC Name |
---|---|---|
EXT-CPIC | 000 | p:CN=MILLER, OU=TEST01, O=myCompany, C=US |
EXT-CPIC | 001 | p:CN=TESTUSER, OU=TEST01, O=myCompany, C=US |
EXT-RFC | 000 | * |
Example 1: CPIC User
In this example, a CPIC program is used to communicate between two SAP systems. One possible scenario is to use the initiating SAP system as the SNC communication partner and define an entry for it in the system ACL (table SNCSYSACL). However, an entry in SNCSYSACL establishes complete trust for the system.
Instead of using SNCSYSACL, you can use the USRACLEXT table to allow the communication to run under specific accounts only. In the table above, the CPIC user EXT-CPIC is used for communicating between the two SAP systems; however, only the users with the corresponding SNC names for MILLER and TESTUSER are allowed to connect as EXT-CPIC.
Example 2: RFC User
The last table entry above allows the user EXT-RFC to connect regardless of the SNC name provided with the connection. In this case, the user's password must also be provided at connection time.
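The following added example (not SAP code and not part of the original documentation) models the two examples above over the sample rows and lists the wildcard rows a reviewer would want to see in an export of USRACLEXT. The `Entry` tuple, the function names and the exact-string comparison of SNC names are assumptions made for illustration; the example does not reproduce how the SAP system itself evaluates the table.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "user seq snc_name")

# Constructed input: the three sample rows from the table on this page.
ACL = [
    Entry("EXT-CPIC", "000", "p:CN=MILLER, OU=TEST01, O=myCompany, C=US"),
    Entry("EXT-CPIC", "001", "p:CN=TESTUSER, OU=TEST01, O=myCompany, C=US"),
    Entry("EXT-RFC", "000", "*"),
]

def check(acl, user, snc_name):
    """Decide how a (user, SNC name) pair is treated by the ACL rows.

    Returns "snc" when a row names this SNC name for the user, "password"
    when only a wildcard SNC row matches (the page states the password must
    then be supplied), and "deny" when no row matches.
    Assumptions: "*" counts only as a whole-field value, and SNC names are
    compared as exact strings (no canonicalization).
    """
    decision = "deny"
    for e in acl:
        if e.user not in ("*", user):
            continue
        if e.snc_name == "*":
            decision = "password"
        elif e.snc_name == snc_name:
            return "snc"
    return decision

def audit(acl):
    """List rows whose wildcard widens who may use an RFC/CPIC account."""
    findings = []
    for e in acl:
        if e.user == "*":
            findings.append((e, "wildcard user name: row applies to every user ID"))
        if e.snc_name == "*":
            findings.append((e, "wildcard SNC name: any SNC name accepted, "
                                "password required at connection time"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit(ACL):
        print(f"{entry.user} seq {entry.seq}: {reason}")
```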