06-27-2012 9:04 PM
A question regarding the object S_RFC - trying to allow access to all RFCs except <ABCD> (basically denying access to <ABCD>).
Any suggestions on how this may be done? I understand that authorizations are designed to "allow" and not "deny", but this is a very specific requirement.
TIA
06-27-2012 9:39 PM
If you take a closer look you will find about 300 thousand special requirements... 🙂
People often panic a bit around SUTL, SDTX and the user BAPIs as they are the "low brainers". SU_USER is not a good idea to blacklist as it is needed for existence checks and several other integration scenarios.
If you want to try it on your own, there is a useful "best practice RFC guide" in the SCN wiki.
SAP also offers a solution via SAP Note 1682316, whereby SAP will convert the existing authorizations of users with saved login data to menu based roles.
If your end users are using client-based end-user computing tools which make RFC calls to dark functions with no controls in them (such as SDTX and SUTL) then your options are more limited (certainly as far as org. levels are concerned). To some extent you can monitor it via SM20N (if active).
Can you explain what the exact problem is? Don't worry... it will just be an example, and there are many if you do not plan integration well and authorize the users correctly.
Cheers,
Julius
06-27-2012 10:11 PM
Julius,
Thanks for the reply, I will look further into the SAP note and the "best practices" guide to tailor for what I need.
But to explain what I require: I have a communications user that I am attempting to restrict usage of specific Sales & Distribution BAPIs (able to read all the sales/distribution information, but not modify, create, delete...etc) without restricting access to any other BAPI available in SAP. Essentially "RFC_NAME <> ABCD"
I appreciate the advice.
Kindly
Angela
06-28-2012 8:39 AM
What you could do as of 7.10 is use RFC_TYPE = 'FUNC'. That is the function module name. You can then range from BAPI_A* to BAPI_BLA_BLA* and BAPI_BLZ_BLZ* to BAPI_Z*. The value range you can get from TFDIR.
But you will still have lots of other BAPIs in there and need to be careful because the field is truncated (some FMs have names longer than 16 characters).
Cheers,
Julius
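An added example, not part of the original thread: a small offline helper that turns an exported list of function module names (for instance from TFDIR) into "allow everything except" value ranges and reports names that collide with a denied name once truncated. The function module names are constructed, the 16-character length is taken from the post above, and plain string ordering is an assumption, not SAP's own check logic.

```python
from itertools import groupby

FIELD_LEN = 16  # truncation length mentioned in the thread; adjust for your release


def truncate(name, length=FIELD_LEN):
    """Value as it would fit in the truncated authorization field (assumed model)."""
    return name.upper()[:length]


def allow_ranges(all_names, denied, length=FIELD_LEN):
    """Return (ranges, collateral).

    ranges     -- (from, to) pairs of truncated values covering every listed
                  name except the denied ones.
    collateral -- names that are NOT denied but share a truncated value with a
                  denied name, so a range-based exclusion removes them as well.
    """
    denied_full = {n.upper() for n in denied}
    denied_keys = {truncate(n, length) for n in denied}
    collateral = sorted(
        n for n in all_names
        if truncate(n, length) in denied_keys and n.upper() not in denied_full
    )
    keys = sorted({truncate(n, length) for n in all_names} | denied_keys)
    ranges = []
    # Consecutive runs of non-denied values each become one from-to range.
    for is_denied, run in groupby(keys, key=lambda k: k in denied_keys):
        if not is_denied:
            run = list(run)
            ranges.append((run[0], run[-1]))
    return ranges, collateral


# Constructed sample input, standing in for an export of function module names.
SAMPLE_NAMES = [
    "Z_FI_DOC_READ",
    "Z_MM_STOCK_READ",
    "Z_SD_ORDER_CHANGE_HEADER",   # the function to be excluded
    "Z_SD_ORDER_CHANGELOG_READ",  # read-only, but same first 16 characters
    "Z_SD_ORDER_READ",
    "Z_SD_PRICE_READ",
]
DENIED = ["Z_SD_ORDER_CHANGE_HEADER"]

if __name__ == "__main__":
    ranges, collateral = allow_ranges(SAMPLE_NAMES, DENIED)
    for low, high in ranges:
        print(f"RFC_NAME from {low} to {high}")
    print("also lost through truncation:", collateral)
```

The ranges only account for names in the supplied list, so they need to be regenerated and reviewed when new function modules are transported.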
06-28-2012 1:55 PM
Hi Angela,
Maybe I don't fully understand your requirement, but wouldn't it be good enough to restrict the user's SD authorizations to "read only"...?
Frank.