Dear security gurus!
It is now the 5th time or so that I run across the system parameter login/isolate_rfc_system_calls, and I still don't have a good view on what it does. As usual, the interesting parameters are not documented.
I am hoping that it changes the S_RFC authorization check of "internal" RFC calls - i.e. the ones that are only checked against S_RFC when auth/rfc_authority_check is set to 2 or 9. I tried that on a 6.10 system - but did not see any change in the authorization trace.
The reason I am looking for a change in the S_RFC checks is that I am not completely happy with the options auth/rfc_authority_check offers. There is no setting that would perform an S_RFC authorization check on all externally called function modules (including function modules in group SRFC), but none for internal calls. A setting of 9 (or 2 for that matter) requires customers to assign S_RFC authorizations even for internal calls. So that doesn't seem to be a good setting, because if you do that, the affected users can suddenly call those RFC functions even externally.
If anybody knows what login/isolate_rfc_system_calls does, or how to configure the ABAP system such that all external but no internal RFC calls are checked against S_RFC, please let me know.
In case you don't want to openly contribute, please drop me an e-mail to my e-mail address.
The topic is not exactly urgent, but I am writing down my views on different configuration details and I am hesitating to phrase a final opinion on auth/rfc_authority_check. Your help is greatly appreciated!