To use RFC to execute functions in remote systems, you require two basic types of authorizations:
· Authorization for using RFC destinations
· Authorization for calling function modules within a specific function group in an RFC destination (target system)
You can use the authorization object S_RFC to grant these authorizations.
You can also use the authorization object S_RFC_ADM to control rights for the administration of RFC destinations (transaction SM59).
Note the following points:
Make sure that you include authorization checks in your function modules if you want to call these modules using RFC.
Take the following into account when you assign RFC authorizations to users in SAP systems:
· The ABAP authorization object required for using RFC is S_RFC.
· The RFC function modules are split into specific groups. When you assign the authorization profile, specify the function groups that the user may access.
Assign these groups to a restricted group of users only.
· If you want to control access to the administration of the RFC destinations, you require the authorization object S_RFC_ADM. You can use this object to restrict authorizations for editing certain destinations, for example.
Take care when you assign the authorization values for S_RFCACL; otherwise, individual users might be misused as anonymous users to perform actions in the target system. The object S_RFCACL is not included in the authorization profile SAP_ALL; if you require this object, assign it manually.
· You can use the authorization object S_TABU_DIS (authorization group SC) to read RFC destinations from the table RFCDES.
Take care when assigning this authorization as well, to avoid, for example, RFC destinations from being copied from production systems to test systems. Enhanced authorizations could then be used to access other systems remotely.
· The authorization object S_ICF was designed for the assignment of authorizations for accessing ICF services. However, you can also use this object to control access to RFC destinations by client.