07-12-2010 11:49 AM
Hi,
We use the SAP JCo library to connect to SAP systems in our applications. Within the application we make BAPI calls to the SAP system for various operations. Typical BAPI calls we make are BAPI_DOCUMENT_CREATE, BAPI_DOCUMENT_GETLIST, BAPI_EQUI_GETLIST etc.
For these BAPI calls it is a must that the user has the SAP_ALL and SAP_NEW profiles added to his profile. I would be interested to know what is the minimal profile the user needs to make these BAPI calls?
Is there a document/link which talks about the minimum roles/profiles needed for different BAPI calls by the user?
Regards,
Naveen
07-12-2010 12:47 PM
there are a couple of notes on that:
[452508|https://service.sap.com/sap/support/notes/452508] describes RFC-connects coming from a portal.
[129795|https://service.sap.com/sap/support/notes/129795] does the same for connect via Session Manager
... there are a couple of others - a quick search in SMP will reveal the others.
as for your BAPIs: obviously you will need the authorizations for whatever the BAPI wants - some BAPIs require a transaction code, several organisational values - e.g. creating CS-orders uses most of the I_* objects as well as the t-code for IW31.
But that is about all - you do not need SAP_ALL and/or SAP_NEW - in fact: try to avoid it - reduce the RFC users to what they need and no more. Keep to using BAPIs for your development, as they are much more trustworthy (security-wise) than other RFC FMs/methods.
In the SDN security forum there are some sticky threads where you might find additional information in that direction. It's worth a look, Julius goes to great lengths to make them interesting.
07-12-2010 12:33 PM
Hi,
Please refer below link. It might help.
http://help.sap.com/erp2005_ehp_04/helpdata/EN/95/1632edba9511d29e310000e839cd96/frameset.htm
07-12-2010 12:48 PM
Authority check is performed by the BAPI by default... if the sy-user is authorized for the transaction then it will allow the BAPI to execute.
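An added example, not taken from any of the replies above and not SAP's or the JCo project's own code: a JCo 3 snippet that runs one of the BAPIs named in the question under a deliberately restricted RFC user and reads back the RETURN messages, which is where the BAPI's own authority check (the point of the last reply) reports a missing authorization. This is the practical way to follow the earlier advice of trimming the RFC user down instead of handing out SAP_ALL: run each BAPI with the lean user, read the E/A messages, add only what is missing. The destination name is a placeholder, and the import parameters of BAPI_DOCUMENT_GETLIST are left for the caller to fill in.

```java
// Added example (not from the original thread): exercise a BAPI over SAP JCo 3
// with a restricted RFC user and surface authorization failures from the
// BAPI's RETURN parameter instead of widening the user towards SAP_ALL.
import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;
import com.sap.conn.jco.JCoFunction;
import com.sap.conn.jco.JCoParameterList;
import com.sap.conn.jco.JCoStructure;
import com.sap.conn.jco.JCoTable;

import java.util.ArrayList;
import java.util.List;

public class LeastPrivilegeBapiCheck {

    // Assumption: a JCo destination (e.g. a .jcoDestination file) that logs on
    // as the restricted RFC user under test. The name is a placeholder.
    private static final String DESTINATION = "Z_RESTRICTED_RFC_USER";

    /** One BAPIRET2 message, reduced to the fields a role builder cares about. */
    public record BapiMessage(String type, String id, String number, String text) {
        boolean isFailure() { return "E".equals(type) || "A".equals(type); }
    }

    /**
     * Executes an already-populated BAPI function and collects its RETURN
     * messages. RETURN is a table on most list/create BAPIs but a single
     * BAPIRET2 structure on some, so both shapes are handled.
     */
    public static List<BapiMessage> executeAndCollectReturn(JCoDestination dest, JCoFunction fn)
            throws JCoException {
        // A failed S_RFC check (the user may not call this function module at
        // all) never reaches RETURN: JCo raises a JCoException, so let it propagate.
        fn.execute(dest);

        List<BapiMessage> messages = new ArrayList<>();
        JCoParameterList tables = fn.getTableParameterList();
        if (tables != null && tables.getMetaData().hasField("RETURN")) {
            JCoTable ret = tables.getTable("RETURN");
            for (int i = 0; i < ret.getNumRows(); i++) {
                ret.setRow(i);
                messages.add(new BapiMessage(ret.getString("TYPE"), ret.getString("ID"),
                        ret.getString("NUMBER"), ret.getString("MESSAGE")));
            }
        }
        JCoParameterList exports = fn.getExportParameterList();
        if (exports != null && exports.getMetaData().hasField("RETURN")) {
            JCoStructure ret = exports.getStructure("RETURN");
            // An empty TYPE in a structure-shaped RETURN means "no message".
            if (!ret.getString("TYPE").isEmpty()) {
                messages.add(new BapiMessage(ret.getString("TYPE"), ret.getString("ID"),
                        ret.getString("NUMBER"), ret.getString("MESSAGE")));
            }
        }
        return messages;
    }

    public static void main(String[] args) throws JCoException {
        JCoDestination dest = JCoDestinationManager.getDestination(DESTINATION);
        // BAPI named in the original question. Its import parameters depend on
        // which documents are being queried, so populate them before executing.
        JCoFunction fn = dest.getRepository().getFunction("BAPI_DOCUMENT_GETLIST");
        if (fn == null) {
            throw new IllegalStateException("BAPI_DOCUMENT_GETLIST not found in repository");
        }

        boolean failed = false;
        for (BapiMessage m : executeAndCollectReturn(dest, fn)) {
            if (m.isFailure()) {
                failed = true;
                // Missing-authorization messages name the object/value the role
                // lacks; SU53 for the RFC user on the SAP side confirms the detail.
                System.out.printf("%s %s%s: %s%n", m.type(), m.id(), m.number(), m.text());
            }
        }
        System.out.println(failed
                ? "BAPI reported errors; extend the role only by what RETURN names"
                : "BAPI succeeded with the restricted user");
    }
}
```

Run it once per BAPI the application uses, each time against the trimmed RFC user: an exception before RETURN points at the S_RFC authorization for the function group, while E/A rows in RETURN point at the application-level objects the BAPI checks internally (the I_* objects and t-codes mentioned above, for example). Repeat until every BAPI completes cleanly; the role that results is the minimal profile the question asks about.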