Before you assign authorizations to RFC users, design a concept that reduces the amount of authorizations you need to assign to a minimum.
To create the concept, you must have the following information:
· Source system (RFC client); client
· Target systems (RFC servers); client; RFC user
· Required and existing authorizations (RFC and application)
· Data and functions that operate through this connection
· User responsible for the security of this connection
· Links to audit reports
We recommend the following procedure when you create your authorization concept:
Step 1: Analyze and document the communication relationships within the system landscape.
Step 2: Trace the authorizations used by each user.
Step 3: Create an authorization concept for two user groups: service users and regular users.
Step 4: Fine-tune the concept for further user groups.
Step 5: Monitor the assigned authorizations at regular intervals.
Step 1: Checking the RFC Destinations and Logon Data
To get an overview of the logon data for your RFC destinations, proceed as follows:
Step 2: Multilevel Implementation of an Authorization Concept for S_RFC
Use the following procedure to restrict the set of potential RFC functions to the function groups that you actually use:
Step 3: Assigning Authorizations to User Groups
For each user group, define roles that contain the appropriate RFC authorizations.
Step 4: Further User Groups
Fine-tune the authorization concept by defining additional groups according to function (administrators, application-specific users, managers, and so on). These groups can then be assigned appropriate roles with the required RFC authorizations.
Step 5: Monitoring
Evaluate the trace data from the security audit log at regular intervals and check whether you need to make any modifications.
For more information about creating security audit log traces, see the following: