Daniel Berlin on Security Insight on SAP security, development stuff… and all the rest

12 Sep 13

Mastering S_RFC authorizations // Part 2

Hello again.
After a relaxing summer holiday, it's time to fulfill the promise I made in my last post and provide the evaluation report for our log of RFC calls.
If you don't know what I'm talking about, please read the first part of this article.

Evaluation report

This report parses the RFC log and shows the function groups that would have been required to execute the called modules.
In addition, it determines whether the respective users currently have the required S_RFC authorization, so you can focus on the entries where the authorization is missing.

Installation:

  • Create a new program in SE38 and copy-paste this source code.
  • Set a program authorization group in the attributes section.
  • Activate the program & execute it.

Usage

The selection screen should be rather self-explanatory:

Selection screen of report ZS_STAD_EXTRACT_RFC_CALLS

There is only one noteworthy feature: the "Client" field is pre-filled with all clients for which no RFC connection could be determined automatically. The report checks the logical systems of all local SAP clients and tries to reach them via the assigned RFC connection (that should normally work in a well-configured system ;-)). If this attempt fails, the respective client is excluded from the evaluation. Just log on to the excluded client(s) and run the report locally – this will always work!

The screenshot below shows an example result. All lines with function groups for which authorizations exist are hidden by default; to unhide them, just remove the filter (marked in red below).

Result list of report ZS_STAD_EXTRACT_RFC_CALLS

The icons in the "Auth. check" column have the following meaning:

Icon: User is authorized » User has the required authorization — filtered out by default
Icon: User is not authorized » S_RFC authorization is missing — this is what we're interested in
Icon: User is locked » User is locked
Icon: User does not exist » User does not currently exist
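The check behind these four outcomes can be reproduced for a single log entry. The following is an added example, not the source code of ZS_STAD_EXTRACT_RFC_CALLS: it resolves a function module to its function group via table ENLFDIR and tests S_RFC for another user with the standard function module AUTHORITY_CHECK. The report name, the parameters and the variable types are assumptions.

```abap
REPORT z_s_rfc_single_check.
* Added example (hypothetical report name), not the original report.
* Resolves one logged RFC call to its function group and checks
* whether the calling user holds the matching S_RFC authorization.
PARAMETERS: p_user TYPE xubname    OBLIGATORY, " user from the RFC log
            p_func TYPE rs38l_fnam OBLIGATORY. " called function module

* Assumption: adjust lv_name to the type of VALUE2 in your release.
DATA: lv_group TYPE rs38l_area,
      lv_name  TYPE xuval,
      lv_text  TYPE string.

START-OF-SELECTION.
* Step 1: function module -> function group (ENLFDIR-AREA)
  SELECT SINGLE area FROM enlfdir INTO lv_group
    WHERE funcname = p_func.
  IF sy-subrc <> 0.
    WRITE: / 'Function module not found:', p_func.
    RETURN.
  ENDIF.
  lv_name = lv_group.

* Step 2: S_RFC check for the logged user (ACTVT 16 = execute)
  CALL FUNCTION 'AUTHORITY_CHECK'
    EXPORTING
      user                = p_user
      object              = 'S_RFC'
      field1              = 'RFC_TYPE'
      value1              = 'FUGR'
      field2              = 'RFC_NAME'
      value2              = lv_name
      field3              = 'ACTVT'
      value3              = '16'
    EXCEPTIONS
      user_dont_exist     = 1
      user_is_authorized  = 2
      user_not_authorized = 3
      user_is_locked      = 4
      OTHERS              = 5.

* Step 3: map the result to the four states of the result list
  CASE sy-subrc.
    WHEN 2. lv_text = 'User has the required authorization'.
    WHEN 3. lv_text = 'S_RFC authorization is missing'.
    WHEN 4. lv_text = 'User is locked'.
    WHEN 1. lv_text = 'User does not currently exist'.
    WHEN OTHERS. lv_text = 'Check could not be evaluated'.
  ENDCASE.
  WRITE: / p_user, p_func, lv_group, lv_text.
```

AUTHORITY_CHECK reports every outcome, including success, through an exception, so a return code of 0 does not mean "authorized" here.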

Ciao!
