-
Products and Technology
By Category
-
Groups
Activity Groups
Industry Groups
Influence and Feedback Groups
Interest Groups
Location Groups
Customer Only Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
Products
- Autonomous Enterprise
- Artificial intelligence
- Data and analytics
- Autonomous Suite
- Technology platform
- Transformation management
- Midsize business solutions
- Financial management
- Spend management
- Supply chain management
- Human capital management
- Customer experience
- Enterprise resource planning
- Business network
- Sustainability management
- SAP Store
- Try SAP
- View all industries
- Partners
- Services
Learning and Support
-
- Products and Technology
- Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
- Explore SAP
-
Products
- Products
- Autonomous Enterprise
- Artificial intelligence
- Data and analytics
- Autonomous Suite
- Technology platform
- Transformation management
- Midsize business solutions
- Financial management
- Spend management
- Supply chain management
- Human capital management
- Customer experience
- Enterprise resource planning
- Business network
- Sustainability management
- SAP Store
- Try SAP
- View all industries
- Partners
- Services
- Learning and Support
- About
- SAP Community
- Groups
- Interest Groups
- Application Development and Automation
- Discussions
- S_RFC is being checked while displaying a role
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
S_RFC is being checked while displaying a role
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 21 9:10 AM
- SAP Managed Tags
- Security
Hello Experts,
There is an issue in our R/3 system, when we clicking a role in a role tab via SU01 T-code. The role is displaying in new session as usual.
But as per the authorization perspective there is an additional authorization check is happening in the system.
Apart from S_TCODE= SU01D and PFCG, and authorization object= S_USER_AGR there is an addtional authorization checks happening ie S_RFC
with below values ::
RFC_TYPE=FUNC;RFC_NAME=PRGN_SHOW_EDIT_AGR;ACTVT=16;type=RF;name=PRGN_SHOW_EDIT_AGR;
Can anyone help me on this,why this additional checks happening??
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 22 12:39 PM
- SAP Managed Tags
- Security
Hi Przemek,
Thanks for your reply, I have checked the parameter in Dev and QA. And both are having different values.
In Dev the value maintained for the parameter,
auth/rfc_authority_check=9
Where as , In QA the values are:
auth/rfc_authority_check=1
Can you let me know what is refers?
regards,
Abhinav
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 21 9:46 AM
- SAP Managed Tags
- Security
Hi,
it's actually doing what it should be. It calls FM PRGN_SHOW_EDIT_AGR with addition STARTING NEW TASK which causes to open a new window and display a role there. This is actually RFC call hence the check.I am just wondering if this was always happening or SAP just tightened security.
Cheers
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 21 10:08 AM
- SAP Managed Tags
- Security
Hello Martin,
Thanks for the reply, then why the authorization is not checking in the same SAP System in Quality environment where the S_RFC is not checking while doing the same thing.
Please find the below Authorization trace:
S_TCODE RC=0 tcode=PFCG;TCD=PFCG;type=TR;name=SU01;
S_USER_AGR RC=0 tcode=PFCG;ACTVT= ;ACT_GROUP= ;type=TR;name=SU01;
S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=TR;name=SU01;
S_TCODE RC=0 tcode=PFCG;TCD=PFCG;type=TR;name=PFCG;
S_USER_AGR RC=0 tcode=PFCG;ACTVT= ;ACT_GROUP= ;type=TR;name=PFCG;
S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=RF;name=PRGN_SHOW_EDIT_AGR;
S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=RF;name=PRGN_SHOW_EDIT_AGR;
PLOG RC=0 PPFCODE=DISP;PLVAR=01;OTYPE=AG;INFOTYP=1001;SUBTYP=B007;ISTAT=1;type=RF;name=PRGN_S
regards,
Abhinav
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 21 10:11 AM
- SAP Managed Tags
- Security
Hi
Don't you have more than one application server for your production?
Regards
Przemek
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 21 10:26 AM
- SAP Managed Tags
- Security
Hi Przemek,
This issue is happening in Development , where we have only one application server.
Regards,
Abhinav
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 21 10:33 AM
- SAP Managed Tags
- Security
Hi Abhinav
Martin has already told you it's working correctly
If this is a "new" issue for you then you need to check:
- was there a role authorisation change to the impacted user?
- was there a role assignment?
- are you on a really old system and applied support packs recently which resulted in code change?
- did it turn out it's never worked but you never realised?
Regardless, you need to add the S_RFC access
Regards
Colleen
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 21 12:01 PM
- SAP Managed Tags
- Security
Hi Colleen,
My question is then why is inconsistency in Authorization check in same landscape where in Development it is checking S_RFC and in Quality it is not checking while doing the same task where User is able to do the same task without access of S_RFC.
Appreciate if you can explain.
Regards,
Abhinav
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 22 12:13 PM
- SAP Managed Tags
- Security
Hi
The question is good.
Compare parameter auth/rfc_authority_check
Regards
Przemek
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 22 12:39 PM
- SAP Managed Tags
- Security
Hi Przemek,
Thanks for your reply, I have checked the parameter in Dev and QA. And both are having different values.
In Dev the value maintained for the parameter,
auth/rfc_authority_check=9
Where as , In QA the values are:
auth/rfc_authority_check=1
Can you let me know what is refers?
regards,
Abhinav
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 22 12:44 PM
- SAP Managed Tags
- Security
(default) 1 = Authorization check is active (no check for same user) (no check for same user context and SRFC FUGR)
9 = Authorization check required for all function modules
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎2015 Jan 22 12:47 PM
- SAP Managed Tags
- Security
Thansk alot Przemek,now got the root cause for the issue.
Have a nice day !
Bluesky