
List allowed methods while connecting via RFC?

Tags:

sap

pyrfc

saprfc

I can connect as user "foo" with password "bar" via SAP-RFC from my machine to the SAP server. Is introspection possible via SAP-RFC? I would like to know which methods user "foo" is allowed to execute. I am using PyRFC, but AFAIK this should not matter for this question.

According to user Suncatcher it is not available out of the box.

My SAP knowledge is limited up to now. But wouldn't it be possible to loop like this pseudocode? (This code should run (as ABAP) inside SAP and could be exposed via RFC.)

```python
def list_allowed_methods(user='foo'):
    # Pseudocode: the two helper functions below are hypothetical placeholders
    allowed_methods = []  # empty list
    for func in get_all_functions_which_are_exported_via_rfc():
        if not check_if_user_has_permission_to_call_rfc_function(func, user):
            # not allowed
            continue
        # user is allowed
        allowed_methods.append(func)
    return allowed_methods
```
guettli asked Aug 08 '18 06:08



1 Answer

> I would like to know which methods user "foo" is allowed to execute.

There is no such entity as a method in terms of the SAP authorization concept, so you cannot list allowed methods.

You can only get the list of assigned roles for your user from the table AGR_USERS (if you have permissions to read it :), and then try to determine which function modules, tcodes, programs you are allowed to call. As we are speaking about RFC, I assume you are interested in function modules. But the detection of all available RFC-enabled FMs requires separate and not very simple development.

So the answer is NO. You cannot list them out-of-the-box.

Suncatcher answered Sep 29 '22 09:09
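The role-based resolution the answer outlines, as an added example (not code from the question or the answer) for reviewing which RFC-enabled function modules an account's roles cover. It starts from AGR_USERS role assignments and, as assumptions beyond the page, evaluates the S_RFC authorization object from AGR_1251-style rows against a list of RFC-enabled modules and their function groups. All rows are constructed, and the model is simplified: it ignores value ranges, profiles assigned outside roles, and checks inside the function modules themselves.

```python
from fnmatch import fnmatchcase

# Constructed sample rows (not from a real system).
# (UNAME, AGR_NAME): role assignments, as in table AGR_USERS.
AGR_USERS = [("FOO", "Z_RFC_SALES"), ("FOO", "Z_RFC_BASIC"), ("OTHER", "Z_RFC_ADMIN")]
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW): role authorization values (assumed: AGR_1251).
AGR_1251 = [
    ("Z_RFC_SALES", "S_RFC", "A1", "RFC_TYPE", "FUGR"),
    ("Z_RFC_SALES", "S_RFC", "A1", "RFC_NAME", "ZSALES"),
    ("Z_RFC_SALES", "S_RFC", "A1", "ACTVT", "16"),
    ("Z_RFC_BASIC", "S_RFC", "A1", "RFC_TYPE", "FUNC"),
    ("Z_RFC_BASIC", "S_RFC", "A1", "RFC_NAME", "Z_PI*"),
    ("Z_RFC_BASIC", "S_RFC", "A1", "ACTVT", "16"),
    ("Z_RFC_BASIC", "S_TCODE", "A2", "TCD", "SM59"),  # not S_RFC: ignored
    ("Z_RFC_ADMIN", "S_RFC", "A1", "RFC_TYPE", "FUGR"),
    ("Z_RFC_ADMIN", "S_RFC", "A1", "RFC_NAME", "*"),
    ("Z_RFC_ADMIN", "S_RFC", "A1", "ACTVT", "16"),
]
# (function module, function group) for RFC-enabled modules; names are hypothetical.
RFC_FMS = [("Z_SALES_GET_ORDER", "ZSALES"), ("Z_SALES_CANCEL", "ZSALES"),
           ("Z_HR_READ_SALARY", "ZHR"), ("Z_PING", "ZBASIS")]

def s_rfc_authorizations(user):
    """Return the user's S_RFC authorizations as {field: [value patterns]} dicts."""
    roles = {role for uname, role in AGR_USERS if uname == user}
    auths = {}
    for role, obj, auth, field, low in AGR_1251:
        if role in roles and obj == "S_RFC":
            auths.setdefault((role, auth), {}).setdefault(field, []).append(low)
    return list(auths.values())

def _has(auth, field, candidate):
    """True if any value of `field` in this authorization matches (supports '*')."""
    return any(fnmatchcase(candidate, pat) for pat in auth.get(field, []))

def allowed_rfc_functions(user):
    """List RFC-enabled modules covered by an S_RFC authorization with ACTVT 16."""
    allowed = []
    for func, group in RFC_FMS:
        for auth in s_rfc_authorizations(user):
            by_group = _has(auth, "RFC_TYPE", "FUGR") and _has(auth, "RFC_NAME", group)
            by_name = _has(auth, "RFC_TYPE", "FUNC") and _has(auth, "RFC_NAME", func)
            if _has(auth, "ACTVT", "16") and (by_group or by_name):
                allowed.append(func)
                break
    return sorted(allowed)

if __name__ == "__main__":
    print(allowed_rfc_functions("FOO"))
```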