
Restricting RFC User access

Former Member
0 Kudos
1,101

We have some RFC users with SAP_ALL access.

Auditors placed it in high risk. Now we have to trace what access is actually needed for these users and revoke SAP_ALL.

I tried two options:

1. Used ST03G to find the tcodes being used by RFC users. However, this is not of much help.

2. Use the Security Audit logs (cumbersome to collect 2-3 months data).

Is there any better and easier method to find what access is needed by an RFC?

If anyone has done this exercise, please help me out!

Regards

Deepa

6 REPLIES 6

Former Member
0 Kudos
291

Easy!!! Go to service.sap.com/notes and search for notes with keywords 'RFC' 'authorization'. You will find quite a number of notes giving hints as to which authorizations RFC users should have (depending on the application they are designed for).

Former Member
0 Kudos
291

Hi Deepa,

You can find security guides for all applications under

http://service.sap.com/security

Kindly have a look into your application security guide that can help you.

regards

Anand.M

fredrik_borlie
Contributor
0 Kudos
291

Hi Deepa.

I would have attacked it with a reverse trace.

First of all, remove all authorisations from the user.

Then add object S_RFC to a role and assign it to the user.

Activity 16

RFC_TYPE FUGR and

RFC_NAME = ' ' (Make sure RFC_NAME is not * otherwise you might open new vulnerabilities)

Now you can start the trace and execute the job that is to be done; now only add what is necessary for the program to run.

In many cases it is just an additional RFC_NAME to be added.

Regards

Fredrik

0 Kudos
291

There are some good SAP notes on this to start with:

Note 460089 - Minimum authorization profile for external RFC programs

Cheers !!

Zaheer

Former Member
0 Kudos
291

I would utilize the ST01 trace for authorizations as the RFC user executes in the system and look at all the details for the S_RFC auth object. It would show every detail that the S_RFC object and corresponding fields need.
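
The reverse-trace approach from the replies above (reduce the user to S_RFC without a wildcard, trace the job, add only what failed), sketched as an added example that is not part of the thread. It assumes the authorization trace has been exported to a CSV file; the column layout, user names and function group names are constructed for illustration and are not a native SAP format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of exported authorization-check records.
# rc = 0 means the check passed, any other value means it failed.
SAMPLE_TRACE = """\
user,object,rc,RFC_TYPE,RFC_NAME,ACTVT
RFC_BATCH1,S_RFC,4,FUGR,ZFG_STATUS,16
RFC_BATCH1,S_RFC,4,FUGR,ZFG_PRICING,16
RFC_BATCH1,S_RFC,4,FUGR,ZFG_STATUS,16
RFC_BATCH1,S_TCODE,4,,,
RFC_BATCH1,S_RFC,0,FUGR,ZFG_PING,16
RFC_IFACE2,S_RFC,4,FUGR,ZFG_ORDERS,16
RFC_IFACE2,S_RFC,4,FUGR,*,16
DIALOG_USR,S_RFC,4,FUGR,ZFG_REPORT,16
"""

def s_rfc_requirements(trace_csv, rfc_users):
    """Per RFC user, list the (RFC_TYPE, RFC_NAME) pairs the trace shows.

    'missing' = checks that failed and never passed (candidates for the role),
    'granted' = checks that already pass with the current role.
    """
    found = defaultdict(lambda: {"missing": set(), "granted": set()})
    for row in csv.DictReader(io.StringIO(trace_csv)):
        # Only S_RFC checks of the users under review are relevant here.
        if row["user"] not in rfc_users or row["object"] != "S_RFC":
            continue
        name = row["RFC_NAME"].strip()
        if not name or "*" in name:
            continue  # never propose an empty or wildcard RFC_NAME
        key = "granted" if int(row["rc"]) == 0 else "missing"
        found[row["user"]][key].add((row["RFC_TYPE"], name))
    return {
        user: {
            "missing": sorted(sets["missing"] - sets["granted"]),
            "granted": sorted(sets["granted"]),
        }
        for user, sets in found.items()
    }

if __name__ == "__main__":
    users = {"RFC_BATCH1", "RFC_IFACE2"}
    for user, req in s_rfc_requirements(SAMPLE_TRACE, users).items():
        print(user, "add to S_RFC:", req["missing"], "| already allowed:", req["granted"])
```

Repeated failures for the same function group collapse into one entry, so the output is the short list of RFC_NAME values to review before adding them to the role.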

Former Member
0 Kudos
291

Thanks a ton to everyone for the response