Former Member

RFC user profile

Hello,

We are on SRM 5 and our RFC user to our backend is SAP_ALL.

But for Sarbanes-Oxley control we can't keep this SAP_ALL for this user.

Does someone know which profile or authorization we have to give to the RFC user?

Thanks


5 Answers

  • Jan 24, 2007 at 09:35 AM

    Hi,

    Please read OSS note 642202.

    Kind regards,

    Yann

  • Former Member
    Jan 24, 2007 at 09:38 AM

    Hi,

    Check

    http://help.sap.com/saphelp_erp2005vp/helpdata/en/84/d3eb4190966024e10000000a1550b0/frameset.htm

    Authorisations are: S_RFC, S_RFCACL, S_RFC_ADM

    Regards,

    Marcin Gajewski

  • Former Member
    Jan 24, 2007 at 09:57 AM

    Hi,

    I am putting the same information as per the note mentioned by Yann (for those who don't have access to that note).

    Solution

    1. The RFC user should be created as a background user in the back-end system.

    2. If you do not want to use profile SAP_ALL for safety reasons, you can create your own profile with restricted basis authorizations:

    Call Transaction PFCG for the role maintenance and create your own role.

    In the role, go to the 'Authorizations' tab and choose 'Change Authorization Data'.

    Do not select ANY template on the dialog box.

    Choose menu option 'Edit -> Insert authorization(s) -> Full authorization' and confirm the dialog box 'Insert all authorizations' with 'Yes'.

    Choose menu option 'Utilities -> Technical names on'.

    For object class 'Basis Administration' (BC_A), set the following authorization objects to inactive:

    System authorizations (S_ADMI_FCD)

    Authorizations: Check for roles (S_USER_AGR)

    User master maintenance: Authorizations (S_USER_AUT)

    User master maintenance: User groups (S_USER_GRP)

    Authorizations: Deactivate authorization objects globally (S_USER_OBJ)

    User master maintenance: Authorization profile (S_USER_PRO)

    Users: System specific assignment authorization checks (S_USER_SAS)

    User master maintenance: System for central user maintenance (S_USER_SYS)

    Authorizations: Transactions in roles (S_USER_TCD)

    Authorizations: Field values in roles (S_USER_VAL)

    For object class 'Basis Development Environment' (BC_C), set the following authorization objects to inactive:

    ABAP Workbench (S_DEVELOP)

    Authorization for documentation maintenance via SE61 (S_DOKU_AUT)

    Maintenance of glossary and terminology objects (S_TERM_AUT)

    Authorization object for translation environment (S_TRANSLAT)

    Transport Organizer (S_TRANSPRT)

    Generate and save the authorizations, profiles and role.

    3. Assign the new role to your RFC user by using Transaction SU01.

    Cheers...

    Santosh

  • Former Member
    Jan 24, 2007 at 12:57 PM

    In fact we created a specific role with the authorization for creating Purchase Order and purchase requisition.

    This is for the RFC user which is declared in our backend.

    So we add to his role the authorization object S_RFC but we don't know which values we have to fill in RFC_NAME.

    We fill the RFC_TYPE with 'FUGR' but we can't make * for RFC_NAME and don't know what to add...

  • Former Member
    Jan 26, 2007 at 03:25 PM

    Hi Eileen

    You might be successful with a trace in order to find out what values you have to enter in the S_RFC authorization.

    Our RFC users are all defined with user type 'system' or 'communication' including SAP_ALL profile. Then we have a compensating control - job which runs monthly to check whether user type has been changed to dialog. SOX has no problem with that.

    As far as I understand SOX, it is not them saying you mustn't use *, but they want you to be aware that there is an RFC user with this critical authorization. SOX might also accept the following: Clearly document for which purpose you use the user and why you have to give *. Further to this you should set up a compensating control if you are not able to restrict it.

    Hope this helps.

    Regards,

    Corinne

    PS: thanks for points

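The compensating control described in the last answer, sketched as an added example (not code from the thread or from SAP): it reads CSV exports of tables USR02 (user type, field USTYP) and UST04 (profile assignments) and reports every SAP_ALL holder whose user type is not system or communication, which generalizes the "changed to dialog" check. The CSV layout, the user names and the sample rows are constructed assumptions.

```python
import csv
import io

# SAP user types as stored in USR02-USTYP.
USER_TYPES = {"A": "dialog", "B": "system", "C": "communication",
              "L": "reference", "S": "service"}
# Types the answer above accepts for an RFC user holding SAP_ALL.
ALLOWED_FOR_RFC = {"B", "C"}
CRITICAL_PROFILES = {"SAP_ALL"}

# Constructed sample exports (assumed CSV layout, not real system data).
USR02_CSV = """BNAME,USTYP
RFC_SRM,B
RFC_EBP,A
RFC_OLD,S
JSMITH,A
"""
UST04_CSV = """BNAME,PROFILE
RFC_SRM,SAP_ALL
RFC_EBP,SAP_ALL
RFC_OLD,SAP_ALL
RFC_OLD,Z_RFC_BASIS
JSMITH,Z_BUYER
"""

def load_rows(text):
    """Parse one CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def find_violations(usr02_rows, ust04_rows):
    """Return sorted (user, type name, profile) tuples for holders of a
    critical profile whose user type is not system or communication."""
    types = {r["BNAME"].strip().upper(): r["USTYP"].strip().upper()
             for r in usr02_rows}
    findings = set()
    for row in ust04_rows:
        user = row["BNAME"].strip().upper()
        profile = row["PROFILE"].strip().upper()
        if profile not in CRITICAL_PROFILES:
            continue
        ustyp = types.get(user)  # None: profile row without a logon record
        if ustyp not in ALLOWED_FOR_RFC:
            findings.add((user, USER_TYPES.get(ustyp, "unknown"), profile))
    return sorted(findings)

if __name__ == "__main__":
    rows = find_violations(load_rows(USR02_CSV), load_rows(UST04_CSV))
    for user, type_name, profile in rows:
        print(f"VIOLATION: {user} holds {profile} with user type {type_name}")
```

Service users are flagged as well because that user type also permits interactive logon.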