Creating an Authorization Concept for RFC

Use

Before you assign authorizations to RFC users, design a concept that reduces the amount of authorizations you need to assign to a minimum.

Prerequisites

To create the concept, you must have the following information:

· Application

· Source system (RFC client); client

· Target systems (RFC servers); client; RFC user

· Required and existing authorizations (RFC and application)

· Data and functions that operate through this connection

· User responsible for the security of this connection

· Links to audit reports

Procedure

We recommend the following procedure when you create your authorization concept:

Step 1: Analyze and document the communication relationships within the system landscape.

Step 2: Trace the authorizations used by each user.

Step 3: Create an authorization concept for two user groups: service users and regular users.

Step 4: Fine-tune the concept for further user groups.

Step 5: Monitor the assigned authorizations at regular intervals.

Step 1: Checking the RFC Destinations and Logon Data

To get an overview of the logon data for your RFC destinations, proceed as follows:

  1. Execute the report RSRFCCHK. This lists all the RFC destinations that have been created in the system, together with their logon data (user and password). You then have an overview of all users used in RFC destinations.
  2. Use transaction SU01 (user administration) to check the user type of the users in the list.

Step 2: Multilevel Implementation of an Authorization Concept for S_RFC

Use the following procedure to restrict the set of potential RFC functions to the function groups that you actually use:

  1. Activate the security audit log trace (transactions SM19 and SM20) for a lengthy period of time (about a month). This gives you a good idea about which function groups are actually being used by each user.
  2. For each user who has the full authorization for S_RFC, assign only the S_RFC rights recorded in the trace.
  3. Split the trace data between regular RFC users and RFC service users. Give each group only the authorizations that it actually needs.

Step 3: Assigning Authorizations to User Groups

For each user group, define roles that contain the appropriate RFC authorizations.
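The trace evaluation in Step 2 and the split into service and regular users in Step 3, as an added example in Python (not SAP code): the trace records, user names, current S_RFC assignments and the user-type mapping are constructed, and S_RFC is assumed to carry the fields RFC_TYPE, RFC_NAME and ACTVT.

```python
# Added example: derive minimal S_RFC values from trace data and separate user groups.
# The record layout below is constructed; it is not the real security audit log export format.
from collections import defaultdict

# Constructed trace records, one per recorded RFC call: (user, SU01 user type, function group)
TRACE = [
    ("RFC_BATCH", "SYSTEM", "SRFC"),
    ("RFC_BATCH", "SYSTEM", "SRFC"),
    ("RFC_BATCH", "SYSTEM", "SYST"),
    ("ALE_USER", "COMMUNICATION", "ARFC"),
    ("MILLER", "DIALOG", "SRFC"),
    ("MILLER", "DIALOG", "SUSR"),
    ("JONES", "DIALOG", "SRFC"),
]

# Constructed current state: RFC_NAME values each user holds in S_RFC ("*" = full authorization)
CURRENT_S_RFC = {"RFC_BATCH": {"*"}, "ALE_USER": {"ARFC"}, "MILLER": {"*"}, "JONES": {"SRFC", "SUSR"}}

# Assumption: these SU01 user types count as service users; everything else is a regular user
SERVICE_USER_TYPES = {"SYSTEM", "COMMUNICATION"}


def used_function_groups(trace):
    """Function groups actually called per user (Step 2, item 1)."""
    used = defaultdict(set)
    for user, _user_type, fugr in trace:
        used[user].add(fugr)
    return dict(used)


def s_rfc_values(function_groups):
    """Minimal S_RFC field values for one user: RFC_TYPE=FUGR, RFC_NAME=<group>, ACTVT=16 (execute)."""
    return [{"RFC_TYPE": "FUGR", "RFC_NAME": g, "ACTVT": "16"} for g in sorted(function_groups)]


def restriction_plan(trace, current):
    """Per user: recommended S_RFC values and whether the user currently holds more than the trace shows (Step 2, item 2)."""
    used = used_function_groups(trace)
    plan = {}
    for user, groups in used.items():
        held = current.get(user, set())
        plan[user] = {"recommended": s_rfc_values(groups), "over_authorized": "*" in held or not held <= groups}
    return plan


def split_by_user_group(trace):
    """Step 3: separate service users from regular users before defining roles."""
    buckets = {"service": set(), "regular": set()}
    for user, user_type, _fugr in trace:
        buckets["service" if user_type in SERVICE_USER_TYPES else "regular"].add(user)
    return buckets
```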

Step 4: Further User Groups

Fine-tune the authorization concept by defining additional groups according to function (administrators, application-specific users, managers, and so on). These groups can then be assigned appropriate roles with the required RFC authorizations.

Step 5: Monitoring

Evaluate the trace data from the security audit log at regular intervals and check whether you need to make any modifications.

Further Information

For more information about creating security audit log traces, see the following:

· Security Audit Log