Solved: S_RFC is being checked while displaying a role

former_member607074 · ‎01-21-2015

Hello Experts,

There is an issue in our R/3 system, when we clicking a role in a role tab via SU01 T-code. The role is displaying in new session as usual.

But as per the authorization perspective there is an additional authorization check is happening in the system.

Apart from S_TCODE= SU01D and PFCG, and authorization object= S_USER_AGR there is an addtional authorization checks happening ie S_RFC

with below values ::

RFC_TYPE=FUNC;RFC_NAME=PRGN_SHOW_EDIT_AGR;ACTVT=16;type=RF;name=PRGN_SHOW_EDIT_AGR;

Can anyone help me on this,why this additional checks happening??

former_member607074 · ‎01-22-2015

Hi Przemek,

Thanks for your reply, I have checked the parameter in Dev and QA. And both are having different values.

In Dev the value maintained for the parameter,

auth/rfc_authority_check=9

Where as , In QA the values are:

auth/rfc_authority_check=1

Can you let me know what is refers?

regards,

Abhinav

martin_voros · ‎01-21-2015

Hi,

it's actually doing what it should be. It calls FM PRGN_SHOW_EDIT_AGR with addition STARTING NEW TASK which causes to open a new window and display a role there. This is actually RFC call hence the check.I am just wondering if this was always happening or SAP just tightened security.

Cheers

former_member607074 · ‎01-21-2015

Hello Martin,

Thanks for the reply, then why the authorization is not checking in the same SAP System in Quality environment where the S_RFC is not checking while doing the same thing.

Please find the below Authorization trace:

S_TCODE RC=0 tcode=PFCG;TCD=PFCG;type=TR;name=SU01;

S_USER_AGR RC=0 tcode=PFCG;ACTVT= ;ACT_GROUP= ;type=TR;name=SU01;

S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=TR;name=SU01;

S_TCODE RC=0 tcode=PFCG;TCD=PFCG;type=TR;name=PFCG;

S_USER_AGR RC=0 tcode=PFCG;ACTVT= ;ACT_GROUP= ;type=TR;name=PFCG;

S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=RF;name=PRGN_SHOW_EDIT_AGR;

PLOG RC=0 PPFCODE=DISP;PLVAR=01;OTYPE=AG;INFOTYP=1001;SUBTYP=B007;ISTAT=1;type=RF;name=PRGN_S

regards,

Abhinav

Private_Member_69416 · ‎01-21-2015

Hi

Don't you have more than one application server for your production?

Regards

Przemek

former_member607074 · ‎01-21-2015

Hi Przemek,

This issue is happening in Development , where we have only one application server.

Regards,

Abhinav

Colleen · ‎01-21-2015

Hi Abhinav

Martin has already told you it's working correctly

If this is a "new" issue for you then you need to check:

was there a role authorisation change to the impacted user?
was there a role assignment?
are you on a really old system and applied support packs recently which resulted in code change?
did it turn out it's never worked but you never realised?

Regardless, you need to add the S_RFC access

Regards

Colleen

former_member607074 · ‎01-21-2015

Hi Colleen,

My question is then why is inconsistency in Authorization check in same landscape where in Development it is checking S_RFC and in Quality it is not checking while doing the same task where User is able to do the same task without access of S_RFC.

Appreciate if you can explain.

Regards,

Abhinav

Private_Member_69416 · ‎01-22-2015

Hi

The question is good.

Compare parameter auth/rfc_authority_check

Regards

Przemek

former_member607074 · ‎01-22-2015

Hi Przemek,

Thanks for your reply, I have checked the parameter in Dev and QA. And both are having different values.

In Dev the value maintained for the parameter,

auth/rfc_authority_check=9

Where as , In QA the values are:

auth/rfc_authority_check=1

Can you let me know what is refers?

regards,

Abhinav

Private_Member_69416 · ‎01-22-2015

(default) 1 = Authorization check is active (no check for same user) (no check for same user context and SRFC FUGR)

9 = Authorization check required for all function modules

former_member607074 · ‎01-22-2015

Thansk alot Przemek,now got the root cause for the issue.

Have a nice day !