Skip to Content

Tip: How To Analyze Missing RFC Authorization Objects with CCo

Hello community,

to create a user ID with the correct (minimal) rights to call an RFC function modul you can use CCo and the following method.

  1. Create a new user ID with the TAC SU01, e.g. ZRFCTEST, with the user type Communication and don’t set any role assignments.

  2. Try a simple connect with the following script:

        Option Explicit
        Dim SAP, hRFC, rc
       Set SAP = CreateObject("COMNWRFC")
       If IsObject(SAP) Then
        hRFC = SAP.RfcOpenConnection("ASHOST=ABAP, SYSNR=00, " & _
          "CLIENT=000, USER=ZRFCTEST, PASSWD=minisap")
        If hRFC Then
          MsgBox "Check connection with TAC SMGW in the SAP system"
          rc = SAP.RfcCloseConnection(hRFC)
        End If
        Set SAP = Nothing
      End If

  3. Now, when you execute the script, you get the following error message:
    Also you can find more information with the TAC ST22.


  4. Now create with the TAC PFCG a new role, e.g. ZRFCTEST, and maintain the authorization data. Add manually the authorization object S_RFC.


  5. Add the activity execute (16) with the type function group and the name SYST, as you see in the error message.


  6. Generate the role and add user ID in the user tab. Now you see the role in the role tab of TAC SU01.

  7. Now all should work as expected.



With this method you have the possibility to analyze missing S_RFC authorization objects with your script step by step and to create therewith a user with the correct (minimal) authorization objects. As you can see from this example a simple RfcOpenConnection needs the S_RFC authorization object with activity execute and the function group SYST.

Hint: In newer SAP releases you have also the possibility to name the function module.


Enjoy it.


Be the first to leave a comment
You must be Logged on to comment or reply to a post.