User Administration and Authentication

The administration of RFC users in SAP systems is performed using the general SAP user administration functions (transaction SU01).

The security requirements for user administration in external systems depend on the tools and concepts used in these systems. This means that the measures you need to take may differ from the points described here.

To guarantee the security of your RFC connections, include the following points in your user administration and authorization setup:

Restricting Maintenance Authorizations for RFC Destinations (Transaction SM59)

A user who has access to transaction SM59 can log on to the target system of an RFC destination directly from the destination maintenance screen (provided that the logon data stored in the destination belongs to a dialog user in the target system). Authorization to maintain RFC destinations is therefore security-relevant and should be restricted to the administrators who need it.

The authorization objects required for transaction SM59 are S_ADMI_FCD with the value NADM and S_TCODE with the value SM59.

Storing User Information for System Users Only (Not for Dialog Users)

Be aware of the following:

1. Do not store any logon information for dialog users in RFC destinations. If no logon data is stored, the SAP system prompts the dialog user for the logon information when the connection is established.

2. Make sure that the system users whose logon data is stored have only the minimal rights they need in the target systems.

3. Keep an overview of the system users whose logon data is stored. Only store the logon data of known system users (such as TMSADM), and review the list regularly.

We strongly recommend that you only use system users for RFC communications.
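The three points above can be checked mechanically against an inventory of RFC destinations. The following added example (not SAP code and not part of the original guide) assumes that the destination inventory and the user master data have already been exported from the systems involved into the simple records shown; the destinations, users, profile assignments and the allowlist of known system users are constructed sample data. It reports every destination whose stored logon data belongs to a non-system user, to a user with a wide-reaching profile, or to a user that is not on the allowlist.

```python
from dataclasses import dataclass

# User types as recorded in USR02-USTYP: A = dialog, B = system,
# C = communication, S = service, L = reference.
SYSTEM_USER = "B"

# Profiles that grant far more than the minimal rights an RFC user needs.
WIDE_PROFILES = frozenset({"SAP_ALL", "SAP_NEW"})


@dataclass(frozen=True)
class Destination:
    name: str          # RFC destination name as maintained in SM59
    target_sid: str    # system the destination points to
    stored_user: str   # user whose logon data is stored; "" if none


@dataclass(frozen=True)
class User:
    sid: str
    name: str
    user_type: str                      # USR02-USTYP value
    profiles: frozenset = frozenset()   # assigned authorization profiles


def review_destinations(destinations, users, known_system_users):
    """Return one (destination, rule, detail) tuple per finding.

    rule1: stored logon data belongs to a non-system user (the guide
           recommends system users only, so every other type is flagged)
    rule2: the stored user holds a wide-reaching profile
    rule3: the stored user is not on the allowlist of known system users
    missing: the stored user does not exist in the target system
    """
    by_key = {(u.sid, u.name): u for u in users}
    findings = []
    for d in destinations:
        if not d.stored_user:
            continue  # logon data is queried at connection time: nothing stored
        user = by_key.get((d.target_sid, d.stored_user))
        if user is None:
            findings.append((d.name, "missing",
                             f"{d.stored_user} does not exist in {d.target_sid}"))
            continue
        if user.user_type != SYSTEM_USER:
            findings.append((d.name, "rule1",
                             f"{user.name} in {user.sid} is of type {user.user_type}, not a system user"))
        wide = user.profiles & WIDE_PROFILES
        if wide:
            findings.append((d.name, "rule2",
                             f"{user.name} in {user.sid} holds {', '.join(sorted(wide))}"))
        if user.name not in known_system_users:
            findings.append((d.name, "rule3",
                             f"{user.name} is not on the allowlist of known system users"))
    return findings


# Constructed sample data (hypothetical systems PRD and DEV).
SAMPLE_DESTINATIONS = [
    Destination("PRD_TMS", "PRD", "TMSADM"),          # known system user, minimal profile
    Destination("PRD_ADMIN_RFC", "PRD", "JDOE"),      # a dialog user with SAP_ALL
    Destination("PRD_INTERFACE", "PRD", "RFC_IF01"),  # known system user, but SAP_ALL
    Destination("PRD_TRUSTED", "PRD", ""),            # no logon data stored
    Destination("DEV_BATCH", "DEV", "RFC_BATCH"),     # user not present in DEV
]

SAMPLE_USERS = [
    User("PRD", "TMSADM", "B", frozenset({"S_A.TMSADM"})),
    User("PRD", "JDOE", "A", frozenset({"SAP_ALL"})),
    User("PRD", "RFC_IF01", "B", frozenset({"SAP_ALL"})),
]

# Allowlist of system users whose logon data may be stored (assumption).
KNOWN_SYSTEM_USERS = frozenset({"TMSADM", "RFC_IF01"})


if __name__ == "__main__":
    for dest, rule, detail in review_destinations(
            SAMPLE_DESTINATIONS, SAMPLE_USERS, KNOWN_SYSTEM_USERS):
        print(f"{dest:15} {rule:8} {detail}")
```

Run against real exports, the allowlist is the piece that needs maintaining: every system user that legitimately appears in a destination is added to it deliberately, so any stored user that turns up without being on the list is a finding until someone explains it.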

Checking Client Certificates

When an external RFC server logs on to an SAP system with a client certificate (X.509 certificate), make sure that the certificate is actually verified. The SAP system does not verify the client certificate itself; this is done by an upstream component (such as the Web server). You must therefore ensure that this upstream component is configured to verify client certificates and to reject connections whose certificate fails verification. Otherwise an unverified certificate would be accepted as a valid logon.

Further Information

For more detailed information about using client certificates, see the security guide under:

·        Client Certificates