SAP RFC Authorizations

The proper SAP authorizations must be obtained before connecting to the server. It is a recommended SAP security practice not to allow RFC and DIAG access for the same user ID.

The basic authorization object used to secure RFC access is:

S_RFC: Secures the Function Group (located in authorization object class AAAB).

  • Authorization Object: S_RFC
    • Authorization Field: RFC_TYPE
    • Authorization Value: “FUGR” is the only valid value.
    • Authorization Field: RFC_NAME
    • Authorization Value: The name of an activated function group, for example “ABCD”, or “*”.
    • Authorization Field: ACTVT
    • Authorization Value: 16 (Execute) is the only valid value.

Individual function modules may have additional security checks inside their executable code. It is the responsibility of the function developer or application creator to inform users of the authorization requirements for using the function or application. Consult the administrator to determine whether additional authorizations are required.

Individual tables may be secured from access by using the following authorization object:

S_TABU_DIS: Secures tables (located in authorization object class BC_A)

  • Authorization Object: S_TABU_DIS
    • Authorization Field: DICBERCLS (or “Authorization Group”).
    • Authorization Value: For example, Table: MARA is in group “MA”.
    • Authorization Field: ACTVT
    • Authorization Value: 03 (Display)

    For a complete explanation on using this authorization object, see the SAP system documentation.

Once the correct credentials are specified for the adapter target and the correct authorizations are assembled on the SAP application system, the adapter is ready to be initialized.
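As a check on the authorizations assembled for the adapter's user, the following added example (not part of the original page or of any SAP tooling) audits a role listing for S_RFC and S_TABU_DIS entries broader than the values listed above. The row layout and the role names Z_ADAPTER_RFC and Z_LEGACY_RFC are assumptions constructed for the example.

```python
from collections import defaultdict

# Fixed field values as listed on this page for each authorization object.
FIXED = {
    "S_RFC": {"RFC_TYPE": "FUGR", "ACTVT": "16"},
    "S_TABU_DIS": {"ACTVT": "03"},
}
# Field that scopes each object: function group name / table authorization group.
SCOPE = {"S_RFC": "RFC_NAME", "S_TABU_DIS": "DICBERCLS"}

# Constructed sample rows: (role, object, authorization id, field, value).
# This layout and the role names are assumptions, not an SAP export format.
SAMPLE_ROWS = [
    ("Z_ADAPTER_RFC", "S_RFC", "A1", "RFC_TYPE", "FUGR"),
    ("Z_ADAPTER_RFC", "S_RFC", "A1", "RFC_NAME", "ABCD"),
    ("Z_ADAPTER_RFC", "S_RFC", "A1", "ACTVT", "16"),
    ("Z_ADAPTER_RFC", "S_TABU_DIS", "A2", "DICBERCLS", "MA"),
    ("Z_ADAPTER_RFC", "S_TABU_DIS", "A2", "ACTVT", "03"),
    ("Z_LEGACY_RFC", "S_RFC", "B1", "RFC_TYPE", "FUGR"),
    ("Z_LEGACY_RFC", "S_RFC", "B1", "RFC_NAME", "*"),
    ("Z_LEGACY_RFC", "S_RFC", "B1", "ACTVT", "16"),
    ("Z_LEGACY_RFC", "S_TABU_DIS", "B2", "DICBERCLS", "MA"),
    ("Z_LEGACY_RFC", "S_TABU_DIS", "B2", "ACTVT", "02"),
]

def audit(rows):
    """Return sorted (role, object, finding) tuples for over-broad authorizations."""
    auths = defaultdict(dict)  # (role, object, auth id) -> {field: set of values}
    for role, obj, auth_id, field, value in rows:
        if obj in SCOPE:
            auths[(role, obj, auth_id)].setdefault(field, set()).add(value.strip())
    findings = []
    for (role, obj, _), fields in auths.items():
        values = fields.get(SCOPE[obj], set())
        if not values:
            findings.append((role, obj, f"{SCOPE[obj]} missing"))
        elif any("*" in v for v in values):
            findings.append((role, obj, f"{SCOPE[obj]} uses wildcard"))
        for field, want in FIXED[obj].items():
            extra = fields.get(field, set()) - {want}
            if extra:
                findings.append((role, obj, f"{field} has {sorted(extra)}, expected {want}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(*finding, sep=" | ")
```

A role that names its function groups and table authorization groups explicitly produces no findings; the wildcard RFC_NAME and the non-Display ACTVT in the second constructed role are both reported.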
