Start of Content Area

Background documentation Authorizations  Locate the document in its SAP Library structure

To use RFC to execute functions in remote systems, you need two basic types of authorizations:

      Authorization for using RFC destinations

      Authorization for calling function modules within a specific function group in an RFC destination (target system)

You can use authorization object S_RFC to grant these authorizations.

You can also use authorization object S_RFC_ADM to define permissions for the administration of RFC destinations (transaction SM59).

 

Note the following points:

Using Authorization Checks

Make sure that you include authorization checks in your function modules if you want to call these modules using RFC.

Assigning RFC Authorizations

Take the following into account when granting RFC authorizations to users in SAP systems:

        The ABAP authorization object required for using RFC is S_RFC.

The user in the target system needs to have this object in his or her authorization profile to be able to connect to the target system using RFC.

        The RFC function modules are divided into specific groups. When granting the authorization profile, specify the function groups that the user may access.

Note

Assign these groups to a limited group of users only.

      If you want to define access to the administration of the RFC destinations, you need authorization object S_RFC_ADM. You can use this object to restrict authorizations for editing certain destinations, for example.

      To use trusted system networks, you need authorization object S_RFC_TT (access to transaction SMT1) and S_RFCACL (log on to trusted/trusting systems).

Note

Take care when assigning the authorization values for S_RFCACL; otherwise, individual users might be misused as anonymous users to perform actions in the target system. Object S_RFCACL is not included in authorization profile SAP_ALL. If you need this object, assign it manually.

      You can use authorization object S_TABU_DIS (authorization group SC) to read RFC destinations from table RFCDES.

Note

Take care when assigning this authorization too. This will ensure that you avoid things like RFC destinations from being copied from production systems to test systems. By allowing this, it would be possible to use enhanced authorizations to access other systems remotely.

      Authorization object S_ICF was designed for the assignment of authorizations for accessing ICF services. However, you can also use this object to control client-specific access to RFC destinations.

Further Information

      Creating an Authorization Concept for RFC

      Authorization Object S_RFC

      Authorization Object S_RFC_ADM

      Authorization Object S_RFC_TT

      Authorization Object S_RFCACL

      Authorization Object S_TABU_DIS

      Authorization Object S_ICF

      Authorizations for bgRFC

 

End of Content Area