A Word about RFC-Security in the Context of Calls from Scripting Languages
Every once in a while, in discussions with script programmers, I get the impression that it is unclear that a remote function call (RFC) is not an open gate. Script programmers commonly seem to believe that RFCs are a medicine that heals every, or almost every, problem, but, even if it seems obvious, it isn't.
An RFC-enabled function module offers an interface which is accessible from non-ABAP programs, such as a scripting language.
The first check the SAP system performs automatically when an RFC-enabled function module is called is on the S_RFC authorization object. If your user profile doesn't contain this authorization object, you can't call an RFC-enabled function module, and there is no way around that. Normally a dialog user doesn't have this object; it is primarily meant for communication or key users.
SAP offers a lot of RFC-enabled function modules, e.g. RFC_READ_TABLE. Each of these RFC-enabled function modules contains an authority check; this means each function module calls VIEW_AUTHORITY_CHECK to check whether the user is allowed to perform the action. A user's profile stores the available authorization objects. If your user profile doesn't contain a necessary authorization object, you can call the RFC-enabled function module, but the function module raises an exception.
Last but not least, it is possible that the security audit log of an SAP system is enabled (transaction code SM19 administers the security audit log and SM20 analyses it). It logs each RFC connection and function call.
As we see, this is a good and secure compound. The user ID of a programmer who uses an RFC from a scripting language must have the correct authorization objects, otherwise it is not possible to use an RFC-enabled function module. As we see, it is more or less complex to get and set the correct authorization objects, and it is not a good idea to assign the SAP_ALL profile to any user.
If RFC-enabled function modules are to be used with a scripting language on a production system, the right way is to set the authorization objects with tact, opening the gate no more and no less than necessary. And we as script programmers must be sensitive to this requirement.
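The whole chain described above (the S_RFC gate, the function module's own authority check, and the audit log entry for every call), together with the difference between a tightly cut profile and SAP_ALL, as an added Python model. This is example code written for this post, not SAP code and not something the original article contains. It assumes the authorization fields S_RFC (RFC_TYPE, RFC_NAME, ACTVT) and S_TABU_DIS (DICBERCLS, ACTVT); the users, tables, authorization groups, and the NOT_AUTHORIZED outcome are constructed for the demonstration, and the value matching is a simplification of the real AUTHORITY-CHECK.

```python
"""Constructed model of the RFC authorization chain described in the post.

Added example, not SAP's implementation: it imitates the order of checks
(S_RFC first, then the function module's own authority check, every call
written to an audit log) so the effect of a user's profile on a scripted
RFC call can be tried out offline. Users, tables and groups are made up.
"""
from dataclasses import dataclass, field


class RfcAuthorizationError(Exception):
    """Rejected by the S_RFC check: the function module is never entered."""


class FunctionModuleException(Exception):
    """Exception raised by the function module's own authority check."""


@dataclass(frozen=True)
class Authorization:
    obj: str       # authorization object, e.g. "S_RFC"
    values: dict   # field -> permitted value ("*" = all, "ABC*" = prefix)

    def permits(self, obj, **required):
        """Simplified value matching (assumption: exact, '*' and trailing '*')."""
        if self.obj not in (obj, "*"):
            return False
        for fld, val in required.items():
            allowed = self.values.get(fld, "*" if self.obj == "*" else None)
            if allowed is None:
                return False
            if allowed == "*":
                continue
            if allowed.endswith("*") and val.startswith(allowed[:-1]):
                continue
            if allowed != val:
                return False
        return True


SAP_ALL = Authorization("*", {})  # modelled as: every object, every value


@dataclass
class User:
    name: str
    profile: list = field(default_factory=list)

    def check(self, obj, **required):
        """AUTHORITY-CHECK style: any authorization in the profile may grant it."""
        return any(a.permits(obj, **required) for a in self.profile)


# Constructed table -> authorization group mapping (TDDAT in a real system).
TABLE_AUTH_GROUP = {"ZCUSTOMER": "ZCUS", "ZPAYROLL": "ZHR"}


def rfc_read_table(user, query_table):
    """Model of RFC_READ_TABLE's inner check (VIEW_AUTHORITY_CHECK -> S_TABU_DIS)."""
    group = TABLE_AUTH_GROUP.get(query_table)
    if group is None:
        raise FunctionModuleException("TABLE_NOT_AVAILABLE")
    if not user.check("S_TABU_DIS", DICBERCLS=group, ACTVT="03"):
        raise FunctionModuleException("NOT_AUTHORIZED")
    return [f"row of {query_table}"]  # constructed payload


def rfc_ping(user):
    return "pong"


FUNCTION_MODULES = {"RFC_READ_TABLE": rfc_read_table, "RFC_PING": rfc_ping}


def call_rfc(user, fm_name, audit_log, **params):
    """S_RFC gate first, then the FM's own check; both outcomes are logged."""
    if not user.check("S_RFC", RFC_TYPE="FUNC", RFC_NAME=fm_name, ACTVT="16"):
        audit_log.append(f"{user.name} {fm_name} REJECTED(S_RFC)")
        raise RfcAuthorizationError(f"{user.name}: no S_RFC for {fm_name}")
    try:
        result = FUNCTION_MODULES[fm_name](user, **params)
    except FunctionModuleException as exc:
        audit_log.append(f"{user.name} {fm_name} FAILED({exc})")
        raise
    audit_log.append(f"{user.name} {fm_name} OK")
    return result


# Constructed users: a dialog user without S_RFC, a script user with a profile
# cut to exactly one function module and one table group, and SAP_ALL.
DIALOG = User("DEVUSER", [Authorization("S_TABU_DIS", {"DICBERCLS": "*", "ACTVT": "03"})])
SCRIPT = User("RFC_SCRIPT", [
    Authorization("S_RFC", {"RFC_TYPE": "FUNC", "RFC_NAME": "RFC_READ_TABLE", "ACTVT": "16"}),
    Authorization("S_TABU_DIS", {"DICBERCLS": "ZCUS", "ACTVT": "03"}),
])
ADMIN = User("SUPER", [SAP_ALL])


def demo():
    """Run five scripted calls; return (outcome per call, audit log)."""
    audit, outcomes = [], []
    calls = [(DIALOG, "RFC_READ_TABLE", {"query_table": "ZCUSTOMER"}),
             (SCRIPT, "RFC_READ_TABLE", {"query_table": "ZCUSTOMER"}),
             (SCRIPT, "RFC_READ_TABLE", {"query_table": "ZPAYROLL"}),
             (SCRIPT, "RFC_PING", {}),
             (ADMIN, "RFC_READ_TABLE", {"query_table": "ZPAYROLL"})]
    for user, fm, params in calls:
        try:
            call_rfc(user, fm, audit, **params)
            outcomes.append("OK")
        except RfcAuthorizationError:
            outcomes.append("S_RFC")
        except FunctionModuleException as exc:
            outcomes.append(str(exc))
    return outcomes, audit


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Running `demo()` shows the three situations the post distinguishes: the dialog user is stopped at the S_RFC gate before RFC_READ_TABLE is entered, the script user gets through the gate but receives the function module's NOT_AUTHORIZED exception for a table group that is not in its profile (and is stopped at the gate again for RFC_PING, which its S_RFC value does not cover), and the SAP_ALL user passes everything, which is exactly why that profile should not be handed to a script.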