01-21-2015 9:10 AM
Hello Experts,
There is an issue in our R/3 system, when we clicking a role in a role tab via SU01 T-code. The role is displaying in new session as usual.
But as per the authorization perspective there is an additional authorization check is happening in the system.
Apart from S_TCODE= SU01D and PFCG, and authorization object= S_USER_AGR there is an addtional authorization checks happening ie S_RFC
with below values ::
RFC_TYPE=FUNC;RFC_NAME=PRGN_SHOW_EDIT_AGR;ACTVT=16;type=RF;name=PRGN_SHOW_EDIT_AGR;
Can anyone help me on this,why this additional checks happening??
01-22-2015 12:39 PM
Hi Przemek,
Thanks for your reply, I have checked the parameter in Dev and QA. And both are having different values.
In Dev the value maintained for the parameter,
auth/rfc_authority_check=9
Where as , In QA the values are:
auth/rfc_authority_check=1
Can you let me know what is refers?
regards,
Abhinav
01-21-2015 9:46 AM
Hi,
it's actually doing what it should be. It calls FM PRGN_SHOW_EDIT_AGR with addition STARTING NEW TASK which causes to open a new window and display a role there. This is actually RFC call hence the check.I am just wondering if this was always happening or SAP just tightened security.
Cheers
01-21-2015 10:08 AM
Hello Martin,
Thanks for the reply, then why the authorization is not checking in the same SAP System in Quality environment where the S_RFC is not checking while doing the same thing.
Please find the below Authorization trace:
S_TCODE RC=0 tcode=PFCG;TCD=PFCG;type=TR;name=SU01;
S_USER_AGR RC=0 tcode=PFCG;ACTVT= ;ACT_GROUP= ;type=TR;name=SU01;
S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=TR;name=SU01;
S_TCODE RC=0 tcode=PFCG;TCD=PFCG;type=TR;name=PFCG;
S_USER_AGR RC=0 tcode=PFCG;ACTVT= ;ACT_GROUP= ;type=TR;name=PFCG;
S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=RF;name=PRGN_SHOW_EDIT_AGR;
S_USER_AGR RC=0 ACT_GROUP=S:ALLPRD:DXT1:IT_CUST_DISPLAY;ACTVT=03;type=RF;name=PRGN_SHOW_EDIT_AGR;
PLOG RC=0 PPFCODE=DISP;PLVAR=01;OTYPE=AG;INFOTYP=1001;SUBTYP=B007;ISTAT=1;type=RF;name=PRGN_S
regards,
Abhinav
01-21-2015 10:11 AM
Hi
Don't you have more than one application server for your production?
Regards
Przemek
01-21-2015 10:26 AM
Hi Przemek,
This issue is happening in Development , where we have only one application server.
Regards,
Abhinav
01-21-2015 10:33 AM
Hi Abhinav
Martin has already told you it's working correctly
If this is a "new" issue for you then you need to check:
Regardless, you need to add the S_RFC access
Regards
Colleen
01-21-2015 12:01 PM
Hi Colleen,
My question is then why is inconsistency in Authorization check in same landscape where in Development it is checking S_RFC and in Quality it is not checking while doing the same task where User is able to do the same task without access of S_RFC.
Appreciate if you can explain.
Regards,
Abhinav
01-22-2015 12:13 PM
Hi
The question is good.
Compare parameter auth/rfc_authority_check
Regards
Przemek
01-22-2015 12:39 PM
Hi Przemek,
Thanks for your reply, I have checked the parameter in Dev and QA. And both are having different values.
In Dev the value maintained for the parameter,
auth/rfc_authority_check=9
Where as , In QA the values are:
auth/rfc_authority_check=1
Can you let me know what is refers?
regards,
Abhinav
01-22-2015 12:44 PM
(default) 1 = Authorization check is active (no check for same user) (no check for same user context and SRFC FUGR)
9 = Authorization check required for all function modules
01-22-2015 12:47 PM
Thansk alot Przemek,now got the root cause for the issue.
Have a nice day !