
Information regarding object S_RFC fine tune usage

angela_farrell
Explorer
0 Kudos

A question regarding the object S_RFC - trying to allow access to all RFCs except <ABCD> (basically denying access to <ABCD>).

Any suggestions on how this may be done? I understand that authorizations are designed to "allow" and not "deny", but this is a very specific requirement.

TIA

4 REPLIES

Former Member
0 Kudos

If you take a closer look you will find about 300 thousand special requirements... 🙂

People often panic a bit around SUTL, SDTX and the user BAPIs as they are the "low brainers". SU_USER is not a good idea to blacklist as it is needed for existence checks and several other integration scenarios.

If you want to try it on your own, there is a useful "best practice RFC guide" in the SCN wiki.

SAP also offers a solution via SAP Note 1682316, whereby SAP will convert the existing authorizations of users with saved login data to menu based roles.

If your end users are using client-based end-user computing tools which make RFC calls to dark functions with no controls in them (such as SDTX and SUTL) then your options are more limited (certainly as far as org. levels are concerned). To some extent you can monitor it via SM20N (if active).

Can you explain what the exact problem is? Don't worry... it will just be an example, and there are many if you do not plan integration well and authorize the users correctly.

Cheers,

Julius

0 Kudos

Julius,

Thanks for the reply, I will look further into the SAP note and the "best practices" guide to tailor for what I need.

But to explain what I require: I have a communications user for which I am attempting to restrict usage of specific Sales & Distribution BAPIs (able to read all the sales/distribution information, but not modify, create, delete, etc.) without restricting access to any other BAPI available in SAP. Essentially "RFC_NAME <> ABCD"

I appreciate the advice.

Kindly

Angela

0 Kudos

What you could do as of 7.10 is use RFC_TYPE = 'FUNC'. That is the function module name. You can then range from BAPI_A* to BAPI_BLA_BLA* and BAPI_BLZ_BLZ* to BAPI_Z*. The value range you can get from TFDIR.

But you will still have lots of other BAPIs in there and need to be careful because the field is truncated (some FMs have names longer than 16 characters).

Cheers,

Julius
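
An added example, not part of the original replies and not SAP code: a Python sketch that plans "allow" ranges around a denied function module and flags the truncation problem mentioned above. The module names are constructed samples standing in for a TFDIR extract, the width of 16 is taken from the reply, and inclusive lexical comparison of truncated names without wildcards is a simplifying assumption about how the range is evaluated.

```python
from itertools import groupby

FIELD_WIDTH = 16  # assumption: from the reply's "longer than 16 characters"

# Constructed sample names standing in for function modules read from TFDIR.
CATALOGUE = [
    "BAPI_DEMO_CUST_GETLIST",
    "BAPI_DEMO_ORDER_CREATE",
    "BAPI_DEMO_ORDER_GETLIST",
    "BAPI_DEMO_PRICE_GET",
    "BAPI_DEMO_ZONE_READ",
]
DENIED = {"BAPI_DEMO_ORDER_CREATE"}


def plan_ranges(catalogue, denied, width=FIELD_WIDTH):
    """Return (ranges, collisions) for an allow-list that skips `denied`.

    ranges: inclusive (low, high) pairs of truncated names covering every
        catalogue entry that can be told apart from the denied modules.
    collisions: allowed modules whose truncated name equals that of a denied
        module, so a range can only allow both or block both.
    """
    denied_keys = {name[:width] for name in denied}
    collisions = sorted(
        n for n in catalogue if n not in denied and n[:width] in denied_keys
    )
    keys = sorted({n[:width] for n in catalogue})
    ranges = []
    # Consecutive non-denied keys collapse into one from/to range.
    for is_denied, run in groupby(keys, key=lambda k: k in denied_keys):
        if not is_denied:
            run = list(run)
            ranges.append((run[0], run[-1]))
    return ranges, collisions


if __name__ == "__main__":
    ranges, collisions = plan_ranges(CATALOGUE, DENIED)
    for low, high in ranges:
        print(f"allow {low} .. {high}")
    for name in collisions:
        print(f"blocked together with a denied module after truncation: {name}")
```

With the sample data the read-only module `BAPI_DEMO_ORDER_GETLIST` shares its first 16 characters with the denied create module, so it is reported as a collision rather than placed in a range.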

koehntopp
Product and Topic Expert
0 Kudos

Hi Angela,

Maybe I don't fully understand your requirement, but wouldn't it be good enough to restrict the user's SD authorizations to "read only"...?

Frank.