Authorizations
Take the following into account when granting RFC authorizations to users in SAP systems:
The ABAP authorization object required for using RFC is S_RFC.
The user in the target system needs to have this object in his or her authorization profile to be able to connect to the target system using RFC.
Make sure that you include authorization checks for functions in the external system that can be called using RFC.
Any authorization checks in an external system must be defined in the logic of the relevant external application. The external application can access the following data, provided by RFC when the user logs on:
● Function name
● Client
● Language
● User
● Transaction code

You can use RfcGetAttributes to query additional system data from the calling program.
Authorizations for external server programs are controlled by SAP Gateway. You can either start external server programs from SAP Gateway or register them there. The security information required by SAP Gateway to allow starting or registration of external server programs is stored in the secinfo file. This file is located in the path specified in profile parameter gw/sec_info. The default path is /usr/sap/<SID>/<instance>/data/secinfo.

If this file does not exist, there are no restrictions on starting or registering external server programs. We therefore recommend that you use and maintain this file.
To define the authorizations for starting or registering external programs, modify the secinfo file by entering the information as described below:
● Authorizations for Starting External Server Programs:
Enter the following line to allow a particular SAP system user <SAP user> to start a particular external server program <external program> on a particular computer <server>:
USER=<SAP user>, [PWD=<CPIC password>,] [USER-HOST=<client>,] HOST=<server>, TP=<external program>;
Parameter <client> is an optional parameter used to specify the client from which the user must log on to SAP Gateway in order to start the external server program.
Parameter <CPIC password> is an optional parameter for CPI-C calls only. You can use this to specify a password for the connection. (To set passwords in your own CPI-C developments, use function module CMSCSP.)
● Authorizations for Registering External Programs in SAP Gateway:
Enter the following line to allow a particular server program on the server host <server> to register itself on SAP Gateway under the program ID <program ID>:
USER=*, HOST=<server>, TP=<program ID>;
You must always specify USER=*, even though this parameter is no longer used.
You use this method to specify which server programs can register themselves in an SAP Gateway.
● If you want to allow external operating system commands or the execution of external programs in batch job steps, include an entry for program sapxpg in the secinfo files for all instance gateways.
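An added example (not SAP code): a small Python check over the entry syntax described above that reports a missing secinfo file, malformed or incomplete entries, and wildcard HOST or TP values. The function names, the sample entries and the treatment of * in HOST and TP as a wildcard are assumptions of this example.

```python
import os

KNOWN_KEYS = {"USER", "PWD", "USER-HOST", "HOST", "TP"}  # keys from the syntax above

# Constructed sample; user, host and program names are made up.
SAMPLE = """\
USER=BATCHUSR, USER-HOST=apphost1, HOST=apphost1, TP=sapxpg;
USER=*, HOST=rfchost1, TP=ORDER_SRV;
USER=*, HOST=*, TP=*;
USER=JDOE, TP=/opt/ext/report
"""

def parse_entry(line):
    """Split 'KEY=value, KEY=value;' into a dict; blank lines give None."""
    line = line.strip()
    if not line:
        return None
    fields = {}
    for part in line.rstrip(";").split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {part.strip()!r}")
        fields[key.strip().upper()] = value.strip()
    return fields

def audit_secinfo(text):
    """Return (line_number, finding) tuples for the contents of a secinfo file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(raw)
        except ValueError as exc:
            findings.append((no, str(exc)))
            continue
        if entry is None:
            continue
        if not raw.strip().endswith(";"):
            findings.append((no, "entry is not terminated with ';'"))
        findings += [(no, f"unknown key {k}") for k in sorted(set(entry) - KNOWN_KEYS)]
        findings += [(no, f"missing {k}") for k in ("USER", "HOST", "TP") if k not in entry]
        # Assumption: '*' in HOST or TP matches any value, as in USER=*.
        findings += [(no, f"wildcard in {k}") for k in ("HOST", "TP") if "*" in entry.get(k, "")]
    return findings

def audit_file(path):
    """Audit the file at path; a missing file is itself the most serious finding."""
    if not os.path.isfile(path):
        return [(0, "secinfo file missing: no restrictions on external server programs")]
    with open(path, encoding="utf-8") as fh:
        return audit_secinfo(fh.read())

if __name__ == "__main__":
    for no, finding in audit_secinfo(SAMPLE):
        print(f"line {no}: {finding}")
```

Run audit_file against the path set in gw/sec_info on each instance; line number 0 in the result means the file itself is absent.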

Also see SAP Note 618516.
For further information about RFC network security when using external servers, see:
● Network Security and Communication
You can find detailed information about configuring and implementing the gateway in SAP Note 110612 and in the SAP Library:
For information about setting up authorization object S_RFC, see: