Question:
If any of you have been through the ECC upgrade and have run into the new auth object S_RFC_ADM can tell me how to handle it with the tcode SM59 as far as how who should be allowed to have it. I'd like to know your thoughts. Even if it is just on the object itself without the tcode any information would be helpful.
Thanks in advance.
Answer:
If SAP has FINALLY segregated the activites in SM59 with a new object, then you should ONLY allow basis acess to maintian SM59 and allow only view(no test, no remote logon) to other who may need to use SM59, which should be rare.
The main problem with SM59 in prior versions is it is all or nothing and if you have access to it in any system, DEV QAS or PRD,you can generally find a left over rfc connection that allows you to logon to systems you should not be in simply by using the remote logon button.
Not seeing the object has SAP added the object to see if the user is allowed to use the RFC in any application? this would be a major enhancement.
_________________
John A. Jarboe
Answer:
John is there a way I can get a copy of the screen shot to you?
I could send you what it looks like that the documentation. But
here are the fields in the object. S_RFC_ADM
Activity [ACTVT 03]
Internet Communication Framework [ICF_VALUE]
Logical Destination (Specified when the function is called) [RFCDEST]
Type of Entry in RFCDES [RFCTYPE]
Answer:
This object with activity=3 could be used in lot of cross system comparison features especially for security admins, ABAPers when they have to do cross system comparison.
_________________
SAPFAN
Answer:
Should this be given only to Basis Admins then or can it be only given in display mode to other users?
Answer:
SECgirl you can sent the screen shot to johnajarboesap@aol.com.
Three of the 4 fields look promesing but if the only activity is 03, it may prove to be somewhat useless and one of those objects that you may have to give just to use SM59.
THere may be a benefit to it which allows basis to let users look at RFC but only those that basis has tested and ensures you cannot peform a dialog remote logon with. The other ones would be "locked" at least from SM59 is not from use in general.
Perfomr a SM01 aut trace to see what is checkec for both viewing and maintianing.
also use the rfc option i s a RFC enables function module in SE37 to see if SAP is validating the use of the RFC for its use NOT in SM59. Not that is this is similar to the S_DATASET check you may need to SM01 a user that does not have the access to see if it fails as SM01 may not record it but it may show up in SM21.
_________________
John A. Jarboe