
External RFC logon not possible when auth/rfc_authority_check is set to 9

Former Member
0 Kudos

Hello,

We have to log on via RFC to an ECC6 system where auth/rfc_authority_check is set to "9", but SAP gives a 'RFCAPI_RFC_SYS_EXCEPTION:RFC_ERROR_SYSTEM_FAILURE' error. If this parameter is set to "1" then logon is OK. I checked Saphelp and Sapnotes but the documentation for this parameter is a little bit unclear. I tried to change authorizations but without success. Does anyone have experience with this topic?

Many thanks in advance for your help!

Tamá

5 REPLIES

Former Member
0 Kudos

This is probably caused by load balancing of your external RFC connections.

If you want to use the "9" setting, public functions in function group SRFC will be required for authorization by the user -> and therefore will have to authenticate as well before your RFC scenario is calling its function module.

Is it an option for you to use a dedicated application server for the RFC scenario, and then point your connection data directly to the app server alias (network host name)?

Either way, you will need to authorize the user for function group SRFC - so perhaps it is just that which is the problem?

Cheers,

Julius

0 Kudos

Hello Julius,

thanks for your answer and sorry for the long delay.

We have only one instance so I think load balancing cannot be a problem.

I tried to set authorizations for SRFC but it didn't help. I try to include it here:

Manually Authorization Check for RFC Access

Activity Execute

Name of RFC to be protected *

Type of RFC object to be prote Function group

And another version:

Manually Authorization Check for RFC Access

Activity Execute

+Name of RFC to be protected RFCPING, RFC_SYSTEM_INFO, SYSTEM_RESET_RFC_SERVER

Type of RFC object to be prote Function group

The short dump created when I try to log on is confusing, because it says that the password is incorrect but this is not true. And it says that RFC is sent with invalid user "SAPCPIC".

I am not really familiar with the RFC authorization concept; maybe this caused the problem.

Many thanks in advance if you can help me!

Regards

Tamá

0 Kudos

> Manually Authorization Check for RFC Access

>

> Activity Execute

> Name of RFC to be protected *

> Type of RFC object to be prote Function group

Try changing this one to * as a test.

> And another version:

>

> Manually Authorization Check for RFC Access

>

> Activity Execute

> +Name of RFC to be protected RFCPING, RFC_SYSTEM_INFO, SYSTEM_RESET_RFC_SERVER

> Type of RFC object to be prote Function group

Will not work. The above are function modules, not function groups.

> The short dump created when I try to log on is confusing, because it says that the password is incorrect but this is not true. And it says that RFC is sent with invalid user "SAPCPIC".

Which function are you calling and which client server (SDK?) are you using?

Check the lock count (USR02-LOCNT) for your user (and SAPCPIC) and whether the user password is locked yet (USR02-UFLAG = 128)

Cheers,

Julius

0 Kudos

Hello Julius,

I checked the SAPCPIC user and there are a few things I can't understand...

The SAPCPIC user did not exist in the system, but after I created it, it was locked after the 3rd failed attempt. The strange thing is that on the other systems where auth/rfc_authority_check is not 9 this user is not needed, and it was not needed when, for testing, we changed the parameter to 1 on the problematic system (with this change logon was OK).

Authorizations are now set to:

Manually Cross-application Authorization Objects

Manually Authorization Check for RFC Access

Manually Authorization Check for RFC Access

Activity Execute

Name of RFC to be protected SRFC

Type of RFC object to be prote All values

The program tries to call functions like RFC_SYSTEM_INFO - this is the first one.

Best regards

Tamá

0 Kudos

SAPCPIC has a hardcoded password in a few ABAP programs and is exempted from some special authorization checks which still apply to other users...

When you set this parameter to 9 any user (including SAPCPIC) will need to authenticate first when calling "public" functions (such as RFC_SYSTEM_INFO) and will sharpen the authority-checks on object S_RFC when the called function module calls another one outside of its own function group using STARTING NEW TASK or via INTERNAL DESTINATIONs (most notably 'NONE').

If there is no loss of functionality from SAPCPIC not existing or being locked by this setting, then you can ignore it or delete SAPCPIC as per SAP note 29276.

You can also consider disabling the CPIC calls completely: param login/disable_cpic = 1.

Cheers,

Julius
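
The S_RFC evaluation discussed in this thread, as an added illustration that is not code from any poster or from SAP: a simplified Python model of why an authorization listing function module names under type "Function group" does not cover RFC_SYSTEM_INFO once auth/rfc_authority_check is 9, while the name SRFC does. The names `call_allowed`, `covers`, `SECOND_VERSION` and `THIRD_VERSION` are hypothetical, the wildcard matching is an approximation, and authentication (the SAPCPIC lock) is not modelled.

```python
"""Simplified model of the S_RFC check for function group SRFC.
Added illustration: not SAP kernel code; authentication is not modelled."""
from fnmatch import fnmatchcase

EXECUTE = "16"   # ACTVT value shown as "Execute"
FUGR = "FUGR"    # RFC_TYPE value shown as "Function group"

# Only the membership the thread states: RFC_SYSTEM_INFO is in group SRFC.
FUNCTION_GROUP_OF = {"RFC_SYSTEM_INFO": "SRFC"}

# Constructed from the authorization values posted in the thread.
SECOND_VERSION = {"ACTVT": [EXECUTE], "RFC_TYPE": [FUGR],
                  "RFC_NAME": ["RFCPING", "RFC_SYSTEM_INFO",
                               "SYSTEM_RESET_RFC_SERVER"]}
THIRD_VERSION = {"ACTVT": [EXECUTE], "RFC_TYPE": ["*"], "RFC_NAME": ["SRFC"]}


def covers(values, wanted):
    """True if any authorization value (may contain '*') matches wanted."""
    return any(fnmatchcase(wanted, v) for v in values)


def call_allowed(function_module, authorizations, rfc_authority_check):
    """Decide whether the S_RFC check lets the user execute function_module."""
    group = FUNCTION_GROUP_OF[function_module]
    if rfc_authority_check == 0:
        return True                      # S_RFC check switched off
    if group == "SRFC" and rfc_authority_check != 9:
        return True                      # SRFC is exempt unless the value is 9
    # The check is made against the function GROUP name, so an authorization
    # that lists function module names under type FUGR never matches.
    return any(covers(a["ACTVT"], EXECUTE) and covers(a["RFC_TYPE"], FUGR)
               and covers(a["RFC_NAME"], group) for a in authorizations)


if __name__ == "__main__":
    for label, auth in (("second", SECOND_VERSION), ("third", THIRD_VERSION)):
        for value in (1, 9):
            ok = call_allowed("RFC_SYSTEM_INFO", [auth], value)
            print(f"{label} version, auth/rfc_authority_check={value}: {ok}")
```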