
CPIC user and user roles

Former Member
0 Kudos

Greetings Everyone,

I have developed a few ETL-type scripts with PHP and SAPRFC. It was decided by other powers that the user to be given RFC access would be a single CPIC user. My dilemma now is how I can make sure that users logged in to the intranet portal only have access to data controlled by their SAP username, which is the same name they log in to the portal with, and not the roles/activity groups of the CPIC user ID. Any help on this issue would be greatly appreciated!

Thanks,

Christopher

Accepted Solutions (1)

Former Member
0 Kudos

Actually, they must log in via RFC as their user as well (that whole license deal), but you can do a user switch after they log in as well, so the initial connection is one thing but then the named user logs in afterward.

Former Member
0 Kudos

Do you have an example? I follow what you are saying but I'm not sure how to put it together. I should also mention that users sign in through Secude Secure Login and then are granted access to the SAP interface. Originally, I had hoped that I could parse the ticket generated on the client side and then somehow through the RFC connection match them up. I was not successfully able to parse the certificate though. If anyone has any thoughts or advice along that path I would love to hear it. Ultimately, that is how I would like to secure and track the user from SECUDE to the RFC connection.

Former Member
0 Kudos

That I've never tried, sorry. As for the switch (dating myself, as it's been a while), there is an SU Switch User FM in the system (hope it's still there), which I used for the very same thing a few years back. Do an FM search for "switchuser*".

Former Member
0 Kudos

Searching the internet, I come up with "SUSR_INTERNET_USERSWITCH". However, this is not an FM listed in the implementation I am working with. This sounds like it is probably exactly what I am looking for though...

Former Member
0 Kudos

What system rel/ver are you on - that is the one that I remember.

gregorw
Active Contributor
0 Kudos

Hello Christopher,

If the Secude Secure Login provides your user with an SAP Logon Ticket cookie, then you can use this code to establish the connection using that ticket:

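[code]<?php
// SAP logon ticket, as delivered in the browser's MYSAPSSO2 cookie
$ticket = $_COOKIE["MYSAPSSO2"];

// Log on with the ticket instead of a user name and password
$login = array (
    "ASHOST"=>"application.server.domain",
    "SYSNR"=>"00",
    "CLIENT"=>"002",
    "MYSAPSSO2"=>$ticket,
);

// saprfc_open() returns false when the logon is rejected
$rfc = saprfc_open ($login );
if (! $rfc ) { echo "SSO2 RFC connection failed"; exit; }
echo "SSO2 OK<br>";
?>[/code]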

Regards

Gregor
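
The ticket logon above, extended into a fail-closed wrapper that also checks the RFC session really belongs to the portal user. This is an added example, not code from the thread or from the saprfc project. The helper names are hypothetical, the portal login is assumed to be in `$_SERVER['REMOTE_USER']`, and `saprfc_attributes()` is assumed to report the authenticated SAP user under the `user` key.

```php
<?php
// Added example (hypothetical helpers). Requires the saprfc extension.

// Return the logon ticket from the cookie array, or null if it is unusable.
function ticket_from_cookie($cookies)
{
    $t = isset($cookies['MYSAPSSO2']) ? $cookies['MYSAPSSO2'] : '';
    // Constructed sanity check: non-empty, bounded, printable ASCII without spaces.
    if (!is_string($t) || $t === '' || strlen($t) > 4096
        || !preg_match('/^[\x21-\x7E]+$/', $t)) {
        return null;
    }
    return $t;
}

// Open an RFC connection as the named user, or return false.
// There is deliberately no fallback to the shared CPIC user.
function open_rfc_as($portalUser, $cookies)
{
    $ticket = ticket_from_cookie($cookies);
    if ($ticket === null || $portalUser === '') {
        return false;
    }
    $rfc = saprfc_open(array(
        'ASHOST'    => 'application.server.domain', // placeholder from the post
        'SYSNR'     => '00',
        'CLIENT'    => '002',
        'MYSAPSSO2' => $ticket,
    ));
    if (!$rfc) {
        return false;
    }
    // Assumption: the 'user' key holds the SAP user the ticket logged on as.
    $attr    = saprfc_attributes($rfc);
    $sapUser = isset($attr['user']) ? strtoupper(trim($attr['user'])) : '';
    if ($sapUser === '' || $sapUser !== strtoupper(trim($portalUser))) {
        saprfc_close($rfc); // ticket belongs to someone else: drop the session
        error_log('RFC identity mismatch: ticket user differs from portal login');
        return false;
    }
    return $rfc;
}

$portalUser = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
$rfc = open_rfc_as($portalUser, $_COOKIE);
if ($rfc === false) {
    header('HTTP/1.1 403 Forbidden');
    exit('SSO2 RFC connection refused');
}
```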

Former Member
0 Kudos

Greetings Craig,

I have been stuck on another issue the past few days with one of my ETL scripts. I apologize that I have not had time to keep up with this thread, though I would very much like a solution. The SAP system is Rel. 40B. Could you also explain the licensing requirements regarding an internet user a bit more, or point me in the direction of where in the EULA this requirement is? I would much appreciate it.

Former Member
0 Kudos

Greetings Gregor,

Thank you for your response! This is exactly the kind of solution I am seeking; however, the only file that is generated when the SECUDE user logs in is a file in the client OS temp path called `pepperbox.pse`. I am assuming this is a non-conventional placement of the PKIX certificate. I need to whip something up in VBScript that passes this file to the PHP server so that I can see if I can parse it for the information I am looking for. I am hoping that there is a solution to this that can be thought of.

Thank You,

Christopher Caruso

Answers (0)