SAP Authorizations Grant permission for external services from SAP CRM

Grant permission for external services from SAP CRM
Role Management
Behind this RFC connection is a Trusted-RFC connection in the ERP system of the system landscape with the naming convention *_RFC. We recommend that you keep the name of the RFC connection for each ERP system in the system landscape and change only the connection data in the RFC connections. You then do not need to customise your PFCG roles for the development, test, and production environments. Note that when you combine the single role with composite roles, you will need to maintain the RFC connection in the role menu of the composite role!

The basic idea of the approach described below is to evaluate previous usage behaviour (reverse engineering) to define the required permissions. In the first step, you configure the retention time of the usage data, because each SAP system logs the calls to startable applications. The log records not only which user called which transaction at what time, but also which user called which function module. These data are then condensed into daily, weekly and monthly aggregates and stored for a specified period. This statistical usage data is originally intended for performance analysis; you can also use it to determine the permissions you need. We described the configuration of the retention time of the statistical usage data in Tip 26, "Use usage data for role definition". Please also refer to our explanations on the involvement of your organisation's co-determination body in the storage and use of the statistical usage data. In addition to the settings described in Tip 26, you should also adjust the retention time for the RFC Client Profile (WO), RFC Client Destination Profile (WP), RFC Server Profile (WQ), and RFC Server Destination Profile (WR) task types using the SWNCCOLLPARREO maintenance view.
Copy the user from the Clipboard to the Transaction SU10 selection
An alternative to using the S_TABU_LIN authorization object is to create custom table views that make organisational delimitation easier to achieve. To do this, create a new view in the SE11 transaction and add the table to which the constraint will apply on the Tables/Join Conditions tab. The Selection Conditions tab allows you to specify your restrictive organisational condition in the form of a field and a field value. You then authorise all relevant users to access the view, which contains only data for your organisational restriction.

SAPCPIC: SAPCPIC is not a dialogue user, but is used for EDI in older releases (EDI = Electronic Data Interchange); by default, SAPCPIC has permissions for RFC access. However, you should not use this user for RFC access or for batch processes; create other users for these applications instead. Safeguard measures: Lock the user, change the password, assign it to the SUPER user group and log it with the Security Audit Log.

Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.


Since the introduction of the security policy in SAP NetWeaver 7.31, this report has changed.

Technically, the fields that are checked when testing whether an application can be started are excluded, i.e. the fields of the S_TCODE, S_START, S_USER_STA, S_SERVICE, S_RFC, S_PROGRAM and S_USER_VAL authorization objects.