2009 Jan 28 9:11 AM
We have some RFC users with SAP_ALL access.
Auditors placed it in high risk. Now we have to trace what access is actually needed for these users and revoke SAP_ALL.
I tried two options:
1. Used ST03G to find the tcodes being used by RFC users. However, this is not of much help.
2. Use the Security Audit logs (cumbersome to collect 2-3 months of data).
Is there any better and easier method to find what access is needed by an RFC?
If anyone has done this exercise, please help me out!
Regards
Deepa
2009 Jan 28 9:19 AM
Easy!!! Go to service.sap.com/notes and search for notes with the keywords 'RFC' and 'authorization'. You will find quite a number of notes giving hints as to which authorizations RFC users should have (depending on the application they are designed for).
2009 Jan 28 9:21 AM
Hi Deepa,
You can find security guides for all applications under
http://service.sap.com/security
Kindly have a look into your application security guide that can help you.
Regards
Anand.M
2009 Feb 02 10:21 AM
Hi Deepa.
I would have attacked it with a reverse trace.
First of all, remove all authorisations from the user.
Then add object S_RFC to a role and assign it to the user.
Activity 16
RFC_TYPE FUGR and
RFC_NAME = ' ' (Make sure RFC_NAME is not * otherwise you might open new vulnerabilities)
Now you can start the trace and execute the job that is to be done; then add only what is necessary for the program to run.
In many cases it is just an additional RFC_NAME to be added.
Regards
Fredrik
2009 Feb 02 2:25 PM
There are some good SAP notes on this to start with:
Note 460089 - Minimum authorization profile for external RFC programs
Cheers !!
Zaheer
2009 Feb 05 5:19 PM
I would utilize the ST01 trace for authorizations as the RFC user executes in the system and look at all the details for the S_RFC auth object. It would show every detail that the S_RFC object and corresponding fields need.
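The reverse-trace approach (strip the user, grant S_RFC with an empty RFC_NAME, trace, then add only the function groups the job actually calls) and the ST01 reading suggested above both end in the same bookkeeping: turn the S_RFC checks seen in the trace into an explicit value list and make sure nobody slips `*` back in. The script below is an added example written for this thread, not code from any of the posters or from SAP. The trace records are a constructed, simplified stand-in for what an authorization trace reports (user, object, field values, return code), not the real ST01 file format, and the function group names and user IDs are hypothetical.

```python
"""Derive a least-privilege S_RFC authorization from authorization-trace records.

Constructed example: the record layout below is a simplified stand-in for an
ST01 authorization trace, not the real trace format.
"""
from collections import defaultdict

# Constructed sample trace for hypothetical user RFC_BATCH after SAP_ALL was
# removed. rc 0 = check passed, rc != 0 = check failed (value still missing).
SAMPLE_TRACE = [
    {"user": "RFC_BATCH", "object": "S_RFC", "rc": 0,
     "fields": {"ACTVT": "16", "RFC_TYPE": "FUGR", "RFC_NAME": "ZFG_ORDERS"}},
    {"user": "RFC_BATCH", "object": "S_RFC", "rc": 4,
     "fields": {"ACTVT": "16", "RFC_TYPE": "FUGR", "RFC_NAME": "SYST"}},
    {"user": "RFC_BATCH", "object": "S_RFC", "rc": 0,
     "fields": {"ACTVT": "16", "RFC_TYPE": "FUGR", "RFC_NAME": "ZFG_ORDERS"}},
    {"user": "RFC_BATCH", "object": "S_TCODE", "rc": 0,
     "fields": {"TCD": "SE37"}},          # other objects are ignored here
    {"user": "OTHER_USR", "object": "S_RFC", "rc": 0,
     "fields": {"ACTVT": "16", "RFC_TYPE": "FUGR", "RFC_NAME": "ZFG_HR"}},
]


def s_rfc_checks(records, user):
    """Yield (rc, fields) for every S_RFC check of one user, in trace order."""
    for rec in records:
        if rec["user"] == user and rec["object"] == "S_RFC":
            yield rec["rc"], rec["fields"]


def build_s_rfc_authorization(records, user):
    """Collect the exact S_RFC values the user's job asked for.

    Every value that was checked, granted or denied, is needed for the job to
    run. The result is the explicit value list to maintain in the role instead
    of RFC_NAME = '*'.
    """
    values = defaultdict(set)
    for _, fields in s_rfc_checks(records, user):
        for field, value in fields.items():
            values[field].add(value)
    return {field: sorted(vals) for field, vals in values.items()}


def denied_rfc_names(records, user):
    """RFC_NAME values whose check failed: what is still missing from the role."""
    return sorted({f["RFC_NAME"] for rc, f in s_rfc_checks(records, user) if rc != 0})


def review_authorization(auth):
    """Findings for a proposed S_RFC authorization; an empty list means it passes."""
    findings = []
    names = auth.get("RFC_NAME", [])
    if any(n == "*" or n.endswith("*") for n in names):
        findings.append("RFC_NAME contains a wildcard; list the function groups explicitly")
    if not names:
        findings.append("RFC_NAME is empty; the user cannot call any function module")
    if any(a != "16" for a in auth.get("ACTVT", [])):
        findings.append("ACTVT other than 16 (Execute) is not needed for RFC calls")
    return findings


if __name__ == "__main__":
    proposed = build_s_rfc_authorization(SAMPLE_TRACE, "RFC_BATCH")
    print("proposed S_RFC values:", proposed)
    print("still denied:", denied_rfc_names(SAMPLE_TRACE, "RFC_BATCH"))
    print("findings:", review_authorization(proposed))
    print("findings for wildcard role:",
          review_authorization({"ACTVT": ["16"], "RFC_TYPE": ["FUGR"], "RFC_NAME": ["*"]}))
```

Run it against the trace of one job at a time: the `denied_rfc_names` output is the list to add to the role after each iteration, and `review_authorization` is the gate to run on the finished role before it goes back to the auditors.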
2009 Jun 01 5:33 PM