Assigning RFC Authorizations in the SAP System

Take the following into account when you assign RFC authorizations to users in SAP systems:

The ABAP authorization object required for using RFC is S_RFC.

The user in the target system must have this object in his or her authorization profile to be able to use RFC to connect to the target system.

Using Authorization Checks

Make sure that you include authorization checks for the functions of the external system, if these functions can be called using RFC.

Any authorization checks in an external system must be defined in the logic of the relevant external application. The external application can access the following data, provided by RFC when the user logs on:

·        Function name

·        Client

·        Language

·        User

·        Transaction code

You can use RfcGetAttributes to query extra system data from the calling program.

Defining Authorizations for External Server Programs

The authorizations of external server programs are controlled by the SAP Gateway. You can start external server programs from the gateway, or you can register these programs in the gateway. The security information that the gateway needs to allow the starting or registration of the external server programs is stored in a file called secinfo. This file is located in the path specified in the profile parameter gw/sec_info. The default is /usr/sap/<SID>/<instance>/data/secinfo.

If this file does not exist, then there are no restrictions on starting or registering external server programs. We recommend that you use this file and keep it up-to-date.

To define the authorizations for starting or registering external programs, modify the secinfo file by entering the information as described below:

·        Authorizations for Starting External Server Programs

Enter the following line to allow a particular SAP system user <SAP user> to start a particular external server program <external program> on a particular computer <server>.

USER=<SAP user>, [PWD=<CPIC password>,] [USER-HOST=<client host>,] HOST=<server>, TP=<external program>;

The parameter <client_host>is an optional parameter used to specify the client from which the user must log on to the gateway to start the external server program.

The parameter <CPIC_pwd> is an optional parameter for CPI-C calls only, where you can specify a password for the connection. (In your own CPI-C developments, you can define passwords with the function module CMSCSP.)

·        Authorizations for Registering External Programs in the SAP Gateway

Enter the following line to allow a particular server program on the server host <server_host> to register itself on the SAP gateway under the program ID <program_ID>:

USER=*, HOST=<server>, TP=<program ID>;

You must always specify USER=*, although this parameter is not further used.

You use this method to specify which server programs can register themselves in an SAP Gateway.

·        To allow operating system commands or the execution of external programs in background job steps, make an entry for the program sapxpg in the secinfo file for all instance gateways.

Also see SAP Note 618516.

Further Information

For further information about RFC network security when using external servers, see the following:

·        Network Security and Communication

For detailed information about configuring and implementing the gateway, see SAP Note 110612 and the SAP Library:

·        SAP Gateway

For information about setting up the authorization object S_RFC, see the following:

·        Authorization Object S_RFC