SAP RFC Authorization



Restricting Authorizations for RFC Calls:

RFC ABAP Type 3 can be managed using transaction SM59.RFC Calls can be of two types: Trusted RFC and Untrusted RFC.

In an untrusted RFC, the source client needs to authenticate itself to the destination server using user credentials. No authentication is required in case of Trusted RFC as the destination server trusts the source client.


Authorization check for Untrusted RFC:

Authorization object checked at target system: S_RFC

Authorization fields for object S_RFC

ACTVTActivity. Currently it takes value 16 (execute)

RFC_TYPEType of RFC object to be secured. This field has value FUGR (function group).

RFC_NAME Name of RFC object to be secured. Since type of RFC object to be secured is function group (FUGR), this field (RFC_NAME) contains the name of function groups to be secured. It is important to note that ‘*‘ (full authorization) is not given otherwise user would be able to execute all the function groups including critical function groups.


Authorization check for Trusted RFC:

Authorization object checked at target system: S_RFC & S_RFCACL

In case of trusted RFC, destination system trusts the source (client) system. Instead of logging into destination system using an RFC user, the user id of active dialog user is used.

So, an additional authorization check is done in the destination system and authorization object S_RFCACL is checked to see if the dialog user has necessary authorization to log into the destination system.


The authorization object S_RFCACL has following authorization fields:

RFC_SYSIDSystem id of the source SAP System (calling system)

RFC_CLIENT Client of the source system (calling system)

RFC_USER User id of the calling user in the source system. Care should be taken so that it doesn’t have ‘*‘ (full authorization).

RFC_EQUSERValues ‘Y’=Yes or ‘N’=No. Indicates whether the RFC user can be called with a user having same id.

RFC_TCODECalling transaction code.

RFC_INFOInfo from the source system.

ACTVTActivity. It takes value “16” (execute).