Former Member

S_RFC in a common role

Hello everyone!

I want to merge two roles: one is the common role that every user has, and the other one is the Firefighter role for accessing the Firefighter tool.

My question is: how critical is it if I add the object S_RFC, which is needed for the Firefighter, to the common role? The fields of S_RFC are: actvt: 16, RFC_NAME: syst and RFC_TYPE: FUGR.

Keep in mind that the role I want to add S_RFC to is used by every user.

Best regards,

David


2 Answers

  • Former Member
    Posted on Dec 15, 2008 at 04:23 PM

    > I want to merge two roles: one is the common role that every user has, and the other one is the Firefighter role for accessing the Firefighter tool.

    Then every user in your system will access the Fire Fighter tool?

    > My question is: how critical is it if I add the object S_RFC, which is needed for the Firefighter, to the common role? The fields of S_RFC are: actvt: 16, RFC_NAME: syst and RFC_TYPE: FUGR.

    It depends. There is a SAP note which describes the minimum S_RFC authority for different scenarios.

    The Fire Fighter tool uses the remote login approach to generate a new session via a temporarily modified RFC connection. It (the FF user account) will need SYST in that case.

    > Keep in mind that the role I want to add S_RFC to is used by every user.

    I am sure that your Fire Fighter role has more in it than just this RFC authority. Is that not of greater concern to you?

    Cheers,

    Julius


    • Former Member

      If you are sure that this is the only authority required, that there is no additional risk from the user logging on via RFC instead of via SAPGUI, and you do not want any other functions which are not used, then from release 7.10 you can tweak the RFC authority further to restrict it to the function module name and not the function group.

      In that case, use:

      S_RFC rfc_type = 'FUNC' (not FUGR) and in the rfc_name field add 'SYSTEM_REMOTE_LOGIN'.

      The users (as well as the FFIDs) will be able to additionally perform a remote login, but not call other functions from the group remotely. Of course, once logged on, they will be able to call those functions locally, but only within the program context they have access to (such as the coding of the FF transaction). At that point, you need to rely on the security of the coding of the transaction when being used, but that is generally a good thing to achieve (and review) as well.

      See SAP Note 931251 (https://service.sap.com/sap/support/notes/931251) for further information on distinguishing between the group name and the function name. The value range of the domain of the field will of course also need to be extended so that you do not grant a '*'.

      Hope that helps you further,

      Julius
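
An added example (not part of the original thread and not SAP's own code): a Python check over a role export that classifies each S_RFC authorization by how widely it grants remote calls, contrasting the FUGR/SYST value from the question with the FUNC/SYSTEM_REMOTE_LOGIN restriction described above. The CSV layout (columns named as in table AGR_1251), the role names and the authorization names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names follow table AGR_1251 (assumed layout).
# Role names (Z_*) and authorization names (T_*) are made up for illustration.
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW
Z_COMMON,S_RFC,T_0001,ACTVT,16
Z_COMMON,S_RFC,T_0001,RFC_NAME,syst
Z_COMMON,S_RFC,T_0001,RFC_TYPE,FUGR
Z_COMMON_NARROW,S_RFC,T_0002,ACTVT,16
Z_COMMON_NARROW,S_RFC,T_0002,RFC_NAME,SYSTEM_REMOTE_LOGIN
Z_COMMON_NARROW,S_RFC,T_0002,RFC_TYPE,FUNC
Z_WIDE,S_RFC,T_0003,ACTVT,16
Z_WIDE,S_RFC,T_0003,RFC_NAME,*
Z_WIDE,S_RFC,T_0003,RFC_TYPE,FUGR
Z_COMMON,S_TCODE,T_0004,TCD,SU53
"""


def audit_s_rfc(csv_text):
    """Return (role, auth, level, names) for every S_RFC authorization."""
    # One authorization = all field values sharing the same role and AUTH name.
    auths = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["OBJECT"] == "S_RFC":
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].add(row["LOW"].strip().upper())

    findings = []
    for (role, auth), fields in sorted(auths.items()):
        names = sorted(fields["RFC_NAME"])
        types = fields["RFC_TYPE"]
        if "*" in types or any("*" in n for n in names):
            level = "WILDCARD"   # generic value: the '*' grant the thread warns about
        elif "FUGR" in types:
            level = "GROUP"      # every function module of the named group(s)
        elif types == {"FUNC"}:
            level = "FUNCTION"   # only the named function module(s)
        else:
            level = "UNKNOWN"    # RFC_TYPE missing or unexpected: review by hand
        findings.append((role, auth, level, names))
    return findings


if __name__ == "__main__":
    for role, auth, level, names in audit_s_rfc(SAMPLE):
        print(f"{role:16} {auth} {level:9} {','.join(names)}")
```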

  • Former Member
    Posted on Dec 16, 2008 at 08:51 PM

    Hi,

    Yes, please merge S_RFC with the Firefighter role. It's secured and required. Let me know if you need any more details.

    While using FF IDs, all the tcodes are stored in the log file.

    • Former Member

      Can you be a little more specific about the security lack issue? We have a situation where I wanted not to assign the FF role to each user, but to implement it in the role every user has.

      If I create a composite role and assign it to the users that actually need the role, then I am back to my first situation, where the role exists and I need to assign the role to every user.

      Thanks for your effort and help!
