SAP Security outside in

SAP security
Security Program Management
Visual Basic
Question: I came to this company 1 yr ago and noticed immediately they had not implemented Security!!! SAP_ALL for everyone in Production!!! So as my second BIG project I took on Security. In building the profiles for these people I came across 2 problems which are holding me from rolling out these profiles I built, which are based on the same problem: an outside system coming into SAP. Since everyone had SAP_ALL or NEW we had no problems, but restricting the Authority has shut down the operation and accessibility of these 2 outside systems, which are very necessary. 1st problem and biggest is we have a VB frontend to SAP for easy order taking for Custom Service Dept. I found out the designer/programmer used a VB call into SAP via a VB BAPI that will allow MS into SAP. He did not set up an RFC via SM59 or a Trusted RFC, and has no Call Function for Authority_Check_RFC in the VB program, which prevents the Login and Security check being passed allowing access! I told them this would not work without the Call Function from the VB program as a start, and if it doesn’t work we need to do the RFC via SM59 or STV1. It’s gotten personal and they think I have not set up S_RFC with proper Authorization, but in order to do that you need Object Group AAAB, take S_RFC and throw out the rest, but I still don’t see that as a solution w/o the Call Function in the VB program! What say you?

I don’t know much about VB…

but it’s UNBELIEVABLE that all the users in your company are using SAP_ALL.

The risks of this are simply unquantifiable…

If a VB application is connecting to your SAP system to view information, like you said,

there has to be an RFC connection between both systems,

in which case the target host and IP addresses would have to be defined in SM59…

and an appropriate system user created or set up (maybe ALEREMOTE) to be used for logon across both applications.

Doing this means setting up the Authorization Object S_RFC… under Object Class AAAB.

You will also need to rebuild from scratch (define as per the business, build and implement, test, and deploy a whole new security & authorization design) for your company. This is very, very important.

Make use of TX SU24 as necessary to maintain the Transactions and Authorization Objects required by your users.

It will take a lot of effort and time, as you will have to refine your design to enable you to capture, for each business unit and role, only the Authorization Objects and Transactions that they need.

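The question and the answer both turn on the S_RFC check: once SAP_ALL is withdrawn, an external client such as the VB order-entry front end can only execute a function module over RFC if the user it logs on with holds an S_RFC authorization (object class AAAB) covering that module or its function group. The following Python model, added here as an example and not code from the thread or from SAP, replays the three situations in the thread: everyone on SAP_ALL, the new restricted roles with no S_RFC at all (the "operation shut down" symptom), and a dedicated RFC user granted S_RFC only for the function groups the front end actually calls. The S_RFC fields RFC_TYPE, RFC_NAME and ACTVT are real; every user, role, function-module and function-group name below is constructed for the demo.

```python
"""Added example: a Python model of SAP's S_RFC authorization check.

Not code from the thread or from SAP. When a client (such as the VB front end
in the question) calls a function module through RFC, the SAP system checks the
S_RFC object (object class AAAB) in the calling user's authorizations. S_RFC has
three fields: RFC_TYPE (FUGR = function group, FUNC = function module),
RFC_NAME (the group or module name, wildcards allowed) and ACTVT (16 = Execute).
Function module and group names used here are constructed for the demo; the
real assignments are visible in SE37 / SE80.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACTVT_EXECUTE = "16"

# Constructed function-module -> function-group table (real lookups: SE37).
FUNCTION_GROUPS = {
    "RFC_PING": "SYST",            # housekeeping call most RFC libraries make first
    "Z_ORDER_CREATE": "ZORD",      # hypothetical order-entry BAPI wrapper used by the VB front end
    "Z_ORDER_GET_STATUS": "ZORD",  # hypothetical
    "Z_HR_SALARY_READ": "ZHR",     # hypothetical; must stay out of reach of the order client
}


@dataclass(frozen=True)
class SRfcAuth:
    """One S_RFC authorization value set inside a role."""
    rfc_type: str            # "FUGR", "FUNC" or "*"
    rfc_name: str            # name or pattern, e.g. "ZORD" or "Z_ORDER_*"
    actvt: str = ACTVT_EXECUTE


@dataclass
class User:
    name: str
    sap_all: bool = False                       # SAP_ALL short-circuits every check
    s_rfc: list[SRfcAuth] = field(default_factory=list)


def s_rfc_allows(user: User, function_module: str) -> bool:
    """Model of the S_RFC check: may this user execute function_module over RFC?"""
    if user.sap_all:
        return True
    group = FUNCTION_GROUPS.get(function_module)
    for auth in user.s_rfc:
        if auth.actvt not in (ACTVT_EXECUTE, "*"):
            continue
        if auth.rfc_type in ("FUNC", "*") and fnmatchcase(function_module, auth.rfc_name):
            return True
        if auth.rfc_type in ("FUGR", "*") and group and fnmatchcase(group, auth.rfc_name):
            return True
    return False


def simulate_session(user: User, calls: list[str]) -> list[tuple[str, bool]]:
    """Replay the function modules a client session invokes and record each verdict."""
    return [(fm, s_rfc_allows(user, fm)) for fm in calls]


# The call sequence the order-entry front end issues (constructed).
ORDER_CLIENT_CALLS = ["RFC_PING", "Z_ORDER_CREATE", "Z_ORDER_GET_STATUS"]

# 1. The situation in the question: everyone had SAP_ALL, so nothing was ever denied.
SAP_ALL_USER = User("CSREP01", sap_all=True)

# 2. After SAP_ALL is removed with no S_RFC in the new roles: every RFC call fails,
#    which is the "shut down the operation" symptom.
RESTRICTED_USER = User("CSREP01")

# 3. Least-privilege fix: a dedicated RFC user whose role grants S_RFC only for
#    the function groups the front end actually needs.
VB_RFC_USER = User("VBORDER_RFC", s_rfc=[
    SRfcAuth("FUGR", "SYST"),
    SRfcAuth("FUGR", "ZORD"),
])

# 4. What to avoid: S_RFC with RFC_TYPE '*' and RFC_NAME '*' is SAP_ALL for RFC in disguise.
WILDCARD_USER = User("LAZY_RFC", s_rfc=[SRfcAuth("*", "*")])


def denied_calls(user: User) -> list[str]:
    """Function modules from the order client's sequence that this user cannot execute."""
    return [fm for fm, ok in simulate_session(user, ORDER_CLIENT_CALLS) if not ok]


if __name__ == "__main__":
    for u in (SAP_ALL_USER, RESTRICTED_USER, VB_RFC_USER, WILDCARD_USER):
        print(f"{u.name:12} denied: {denied_calls(u) or 'nothing'}"
              f"  can read HR data: {s_rfc_allows(u, 'Z_HR_SALARY_READ')}")
```

On a real system the failed check is what you would look for first: SU53 for the user the front end logs on with shows the last failed authorization check, and an ST01 authorization trace lists every S_RFC check with the function group the kernel evaluated, which tells you exactly which RFC_NAME values the role needs. The model deliberately gives the front end its own RFC user with only SYST and the order function group; the wildcard user is included to show why "take S_RFC and throw out the rest" must still be narrowed to named function groups rather than `*`.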

  • Acute0
    1112gene, have you resolved this already? Can you please share how you did it? Thanks in advance. I am exploring means to shut down similar access as well. Thanks
