Restricting Authorizations for RFC Calls:
In an untrusted RFC, the source client must authenticate itself to the destination server with user credentials. No authentication is required in the case of a trusted RFC, because the destination server trusts the source client.
Authorization check for Untrusted RFC:
Authorization object checked at target system: S_RFC
Authorization fields for object S_RFC
ACTVT: Activity. Currently it takes the value 16 (execute).
RFC_TYPE: Type of RFC object to be secured. This field has the value FUGR (function group).
RFC_NAME: Name of the RFC object to be secured. Since the type of RFC object to be secured is function group (FUGR), this field (RFC_NAME) contains the names of the function groups to be secured. It is important that '*' (full authorization) is not given here; otherwise the user would be able to execute all function groups, including critical ones.
Authorization check for Trusted RFC:
Authorization object checked at target system: S_RFC & S_RFCACL
In the case of a trusted RFC, the destination system trusts the source (client) system. Instead of logging into the destination system with an RFC user, the user ID of the active dialog user is used.
So an additional authorization check is done in the destination system: authorization object S_RFCACL is checked to see whether the dialog user has the necessary authorization to log into the destination system.
The authorization object S_RFCACL has the following authorization fields:
RFC_SYSID: System ID of the source SAP system (calling system).
RFC_CLIENT: Client of the source system (calling system).
RFC_USER: User ID of the calling user in the source system. Care should be taken that it does not contain '*' (full authorization).
RFC_EQUSER: Values 'Y' = Yes or 'N' = No. Indicates whether the user may be called by a user with the same user ID.
RFC_TCODE: Calling transaction code.
RFC_INFO: Information from the source system.
ACTVT: Activity. It takes the value "16" (execute).
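The S_RFCACL check described above, as an added example that is neither from this page nor SAP's own code: a Python model of matching a trusted-RFC logon against S_RFCACL authorizations on constructed data, showing how a '*' in RFC_USER lets any calling user through. The decision rule (same-ID logon governed by RFC_EQUSER, different-ID logon governed by RFC_USER) and the trailing-'*' prefix matching are simplifying assumptions of the model.

```python
from dataclasses import dataclass

# Constructed model of one S_RFCACL authorization. '*' is full authorization
# for a field; a trailing '*' is a prefix wildcard (assumed SAP-style matching).
@dataclass
class RfcAclAuth:
    rfc_sysid: str
    rfc_client: str
    rfc_user: str     # calling user ID; '*' is the unsafe full authorization
    rfc_equuser: str  # 'Y' = same-ID logon permitted, 'N' = not permitted
    rfc_tcode: str = "*"
    rfc_info: str = "*"
    actvt: str = "16"

@dataclass
class TrustedLogon:
    sysid: str
    client: str
    calling_user: str
    target_user: str
    tcode: str
    info: str = ""

def value_matches(auth_value: str, actual: str) -> bool:
    """Exact match, or prefix match when the authorization value ends in '*'."""
    if auth_value.endswith("*"):
        return actual.startswith(auth_value[:-1])
    return auth_value == actual

def s_rfcacl_permits(auth: RfcAclAuth, logon: TrustedLogon) -> bool:
    """Assumed (simplified) S_RFCACL decision for a single authorization."""
    if auth.actvt != "16":  # only activity 16 (execute) exists for this object
        return False
    if not (value_matches(auth.rfc_sysid, logon.sysid)
            and value_matches(auth.rfc_client, logon.client)
            and value_matches(auth.rfc_tcode, logon.tcode)
            and value_matches(auth.rfc_info, logon.info)):
        return False
    if logon.calling_user == logon.target_user:
        return auth.rfc_equuser == "Y"          # same ID: RFC_EQUSER decides
    return value_matches(auth.rfc_user, logon.calling_user)  # different ID: RFC_USER

def any_permits(auths, logon) -> bool:
    """The logon is authorized if any of the user's S_RFCACL authorizations permits it."""
    return any(s_rfcacl_permits(a, logon) for a in auths)

# Constructed data: a tightly scoped authorization versus the '*' RFC_USER the text warns about.
TIGHT = RfcAclAuth("SRC", "100", "BATCH_RFC", "N", rfc_tcode="SM59")
WILDCARD = RfcAclAuth("SRC", "100", "*", "N")
```

Running `any_permits` with TIGHT admits only BATCH_RFC from client 100 via SM59, while WILDCARD admits every calling user from that system and client.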