User Administration (SAP Library - RFC/ICF Security Guide)

User Administration

The administration of RFC users in SAP systems is performed using the general SAP user administration functions (transaction SU01).

User Types

In principle, RFC users can have any user type (system user, dialog user, individual user, composite user).

Note

For security reasons, use only system users for RFC communications, if possible, to avoid accessing dialog processes. However, depending on the application, you may need to set up dialog type RFC users.

Authentication for RFC Users

Users can be authenticated in various ways:

· Check user and password

· Check with the Trusted System procedure

· Check with SSO (Single Sign-On)

· Check with a certificate (X.509)

To guarantee the security of your RFC connections, include the following points in your user administration setup:

Restricting Maintenance Authorizations for RFC Destinations (Transaction SM59)

A user can use transaction SM59 and Remote Logon to log on to a remote RFC destination (if the user is a dialog user in the target system).

The required authorization objects are S_ADMI_FCD with the value NADM and S_TCODE with the value SM59.

Assigning Authorizations for Using Individual Destinations

Under Logon/Security in transaction SM59, specify the security options for each RFC destination. To define the authorization of a user for accessing a specific destination, you can enter a check value in the Authorization for Destination field. Also read the F1 help for this field.

Storing User Information for System Users Only (Not for Dialog Users)

Note

If a user’s RFC connection request is authenticated with the standard password mechanism, then the user must log on to the remote target system with a valid user ID and password. This information must either be stored in the RFC destination (for system users), or the user ID and password is queried when the connection is created (runtime query).

For this reason, note the following points

Do not store any information for dialog users in RFC destinations. SAP systems query the logon information of the dialog user when the connection is created.
Make sure that those system users whose logon data is stored have a minimal level of rights in the target systems.
Keep an overview of the system users whose data is stored. Only store the logon data of known system users (such as TMSADM).