Former Member
Jul 19, 2007 at 01:24 AM

login/isolate_rfc_system_calls and auth/rfc_authority_check


Dear security gurus!

It is now the 5th time or so that I have run across system parameter login/isolate_rfc_system_calls. And I still don't have a good view on what it does. As usual, the interesting parameters are not documented.

I am hoping that it changes the S_RFC authorization check of "internal" RFC calls - i.e. the ones that are only checked against S_RFC when auth/rfc_authority_check is set to 2 or 9. I tried that on a 6.10 system - but did not see any change in the authorization trace.

The reason I am looking for change in the S_RFC checks is that I am not completely happy with the options auth/rfc_authority_check offers. There is no setting that would perform an S_RFC authorization check on all externally called function modules (including function modules in group SRFC), but none for internal calls. A setting 9 (or 2 for that matter) requires customers to assign S_RFC authorizations even for internal calls. So that doesn't seem to be a good setting, because if you do that, the affected users can suddenly call those RFC functions even externally.

If anybody knows what login/isolate_rfc_system_calls does or how to configure the ABAP system such that all external but no internal RFC calls are checked against S_RFC - please let me know.

In case you don't want to openly contribute, please drop me an e-mail to my e-mail address.

The topic is not exactly urgent, but I am writing down my views on different configuration details and I am hesitating to phrase a final opinion on auth/rfc_authority_check. Your help is greatly appreciated!