Start of Content Area

Background documentation RFC Authorization   Locate the document in its SAP Library structure

When a remote call of a function module is made, an automatic authorization check is performed, provided that the profile parameter auth/rfc_authority_check is set to 1. The authorization check uses the authorization object S_RFC to check whether the user defined in the destination has RFC authorization for the function group of the called function module.

 

In addition to the function groups belonging to the application function modules, authorization object S_RFC must also contain any RFC function groups in order to perform technical processes during communication:

 

      For tRFC and qRFC calls between two SAP systems: Function groups ERFC and ARFC

      For all RFC calls in external (non-SAP) systems: function group SYST

 

When a function module is called remotely from within the same system, the automatic authorization check only takes place if the client and user ID are not the same. Across system boundaries, the automatic authorization check is only performed in systems that are not recognized as “trustworthy”. Rating a system as an RFC Trusted/Trusting System is done using transaction SMT1.

The automatic authorization check is made by implicitly calling function module AUTHORITY_CHECK_RFC. If it detects an authorization issue, this function module triggers one of the exceptions defined in its interface, namely USER_DONT_EXIST or RFC_NO_AUTHORITY, thus triggering a runtime error. We recommend that you call the function module AUTHORITY_CHECK_RFC explicitly before a remote call, thus enabling you to handle any exceptions that may arise. If it detects the relevant authorization, the function module does not return an explicit result. Instead, like all function modules that are performed successfully, it sets sy-subrc to 0.

For detailed information on security-relevant aspects of communication using RFC, see:

      RFC/ICF Security Guide

 

End of Content Area