
SAP Note 1682316

RFC Security
Technical User Authorization Service
SAP Customer Success - Security Consulting
June, 2020

PUBLIC
The RFC Service with XAMS
Agenda

Secure RFC Configuration
– Overview

Your Challenges
– As-Is and To-Be picture

RFC Service
– Service description (approach and results)

Your Benefits
– Service added values

© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 3


Secure RFC Configuration
Overview

RFC Security Gates

• The Remote Function Call (RFC) is one of the most used communication types for SAP.
• There are several gates to secure the RFC communication to the RFC server.
• Client and network settings protect the way to the target server.
• The weakest RFC client / server in the trust network endangers all the others.
• Finally, the whole RFC security depends on the quality of the RFC user's authorizations.

Harden your RFC Chain (diagram): RFC client (PC / application) → Firewall (firewall rules) → SAP Gateway (gateway rules) → SAP RFC server / gateway (gateway rules) → server program (authorizations). Every link in the chain has its own control, and the last one is the authorization set of the RFC user.



Your Challenges
• Setup of tailored RFC authorizations
• Efficient RFC authorization build
• Sustainable and solid RFC roles
• Smooth and faultless rollout

RFC Optimization Service
Targets

Your Situation
• You are running SAP systems which communicate with each other via RFC.
• Your RFC interface users have too broad authorizations, e.g. SAP_ALL or comparable authorizations.
• The reduction of authorizations and the renaming of RFC accounts represent a risk for you.
• Productive RFC transactions could be disturbed because of changed authorizations.

Your Benefit
• The RFC interface users are observed during operational tasks via the Xiting Authorizations Management Suite (XAMS).
• Implementation of the "principle of least privilege" approach.
• Setup of re-usable roles for further comparable scenarios.
• Authorization problems are detected in an early phase of the adjustment via XAMS.
• 3-month license for the Xiting Authorizations Management Suite for further usage.
The Transition
As-Is → To-Be

As-Is Situation → Approach → To-Be Situation

• Wrong naming for RFC user accounts → Renaming → Correct naming following the naming convention
• Interface user accounts are of type "communication" → Adaption of user type → Interface user types are switched over to type "system"
• Interface users are wrongly or not grouped → Grouping → Interface users are grouped by usage type
• Authorizations of interface users are assigned too broadly → New authorizations → Interface user accounts are assigned new and safe authorizations


The RFC Service
• Automated RFC authorization build
• Established implementation approach
• Proven standard scenario templates
• Monitoring support after rollout

Optimizing Authorizations of Interface Users
Approach and Results

Approach → Result
• Evaluation of interface user accounts for naming and authorization assignments → Overview of the interface user accounts which require optimization
• Renaming and categorization of interface user accounts → Correctly named and grouped interface user accounts
• Installation of the Xiting Authorizations Management Suite on productive systems → Xiting Authorizations Management Suite usable on productive systems
• Monitoring of interfaces over the whole time frame → Authorization traces for the investigated time frame
• New authorizations assigned to unrestricted interface user accounts → Securely authorized user accounts (need-to-know / least-privilege principle) in interfaces
• Monitoring of issues during the transition from old to new authorization assignments → Ensured non-disrupted system operations during the transition
• Creation of documentation for the respective interface users → Detailed documentation of the interface users in scope
Optimizing Authorizations of Interface Users
Service Phases

Preparation Phase
– Determination of the scope (table RFCDES, connection type 3 = ABAP connections) for the fixed-price service.
– 1-day workshop to introduce the procedure and prepare the service plan (remote possible).

Implementation Phase
– Installation of the Xiting Authorizations Management Suite on all systems in the RFC landscape.
– Setup of RFC user accounts according to the naming convention.
– Creation of new authorizations with the Xiting Authorizations Management Suite.
– Roles are grouped by system or RFC application type.

Go-Live Phase
– Observation of the technical RFC user accounts for the next 3 months and fine-tuning of the RFC users' authorizations (remote support).
– Phased go-live procedure with remote support.
– The Xiting Authorizations Management Suite agent monitors the RFC users: automated correction and alerts.
Your Benefits
• Hardened RFC landscape
• Audit-proof RFC authorizations
• Smooth and faultless rollout

Optimizing Authorizations of Interface Users
Added Value

• Secure, reusable and documented RFC interface accounts and their authorizations
• Simple maintenance of the RFC interfaces with maintained authorization proposal values (SU24)
• Internal auditing requirements covered
• Ensured non-disrupted productive operations during the transition with intense monitoring
• Possible use of the provided tools (Xiting Authorizations Management Suite) in other scenarios, saving costs and enhancing security


Consulting Service – SAP Note 1682316
Authorizations Optimization of Interface Users
This service allows you to enhance the security level of your SAP landscapes by cleaning up too broad authorizations of technical users used for interface operations. Additionally, you can reduce the complexity of user administration by deploying a consistent naming convention and optimizing SU24 values.

Business needs
• You operate SAP-to-SAP and SAP-to-non-SAP systems over RFC interfaces.
• The interface user accounts have too broad authorizations.
• You intend to limit the authorizations in a manageable time frame and without productive risks.
• You would like to take the opportunity to optimize your SU24 function module (FUBA) authorization values.

Pricing
• Upon request
• Please contact us directly at security.consulting@sap.com

Delivery approach and scope
• Initial workshop to discuss your SAP landscapes, RFC connections and technically used accounts.
• The Xiting Authorizations Management Suite (XAMS) is installed on all SAP systems in scope via transport.
• Technical user accounts are traced for authorization checks.
• Initial roles are built from the trace data (ST03N) in an automated way.
• Ongoing automated adjustments over a time frame of up to three months.
• New technical user accounts are created with a consistent naming convention and assigned new authorizations.
• Changes in accounts and authorizations are monitored at the end of delivery during a scaled change phase (remote support).

Value and benefits
• The software-based analysis is done via the Xiting Authorizations Management Suite.
• Smart and secure investigation of technical user accounts in productive use.
• Automatic way to assign new user accounts along best-practice authorizations.
• New roles are created automatically after system monitoring.
• No interruption of the productive environment.


Optimizing Authorizations of Interface Users
Requirements and Preconditions

The following requirements must be met:
• ABAP-based application server, release 7.00 and higher
• Remote access
• Infrastructure setup documents, interface architecture plans etc.

Duration:
• 12 weeks

Pricing:
• Available upon request.
• Pricing is based on the number of RFC destinations (type 3).
• The Xiting Stocktaker tool can be requested to determine the RFC destinations in the system landscape.

Contact:
• Please contact security.consulting@sap.com for additional information
Optimizing Authorizations of Interface Users
Ordering Info

• Customer name:
• Customer address:
• Name of customer contact:
• Telephone number of customer contact:
• E-mail address of customer contact:
• SAP customer number:
• Planned service delivery date:
• OSS data:


The RFC Service with SAP Standard Tools
RFC Authorization Clean-Up SAP Consulting Service

SAP Standard & Service Approach (diagram, reconstructed as a list)

To do:
1. Detect ALL inbound and outbound RFCs of a system.
2. Determine which user / destination has executed which function module.
3. Determine all authorizations needed for the used function modules (Z-code).
4. Build tailored roles: individual but also re-usable.
5. Monitor RFC users and react IMMEDIATELY to authorization errors.

Tools: ST03N; STUSOBTRACE, STAUTHTRACE, STUSERTRACE; SU24; UCON (NW 7.40); RFC Scenario Templates; Reference User Concept.

SAP Standard Capabilities (7.31/7.40):
• Automatic retrieval of SU24 values
• Automatic assignments via statistic data
• Delivered content with more than 2500 templates
• Automatic role menu creation
• Automatic role build
• Automatic assignment of failed authorization checks
• Avoidance of critical assignments via black lists
Authorization Traces
Overview

Transaction STAUTHTRACE
• System trace (ST01) to a file on the application server
• Per application server
• Client dependent
• User dependent
• Every authorization check gets a timestamp
• Storage: trace file

Transaction STUSOBTRACE
• Authorization trace in table USOB_AUTHVALTRC
• SID global
• Client independent
• Focus on program: transaction, Web Dynpro, RFC function
• Every authorization check of a program is caught only one time
• Storage: database

Transaction STUSERTRACE
• Authorization trace in table SUAUTHVALTRC
• SID global
• Client and user dependent
• Every authorization check of a program is caught one time for every user (timestamp of the first catch)
• Storage: database

Transaction STRFCTRACE
• Analysis of RFC statistic data
• SID global
• Client and user dependent
• Captures remotely called RFMs


Approach 1: Role Build Process
1 Role for all S_RFC Authorizations in Phase 1 + Extension in Phase 2

Phase 1 (RFC start authorizations, S_RFC)
– Logging: log the RFC start authorizations with the UCON Role Build Scenario (S_RFC).
– Build: build a UCON Communication Assembly (CA) for ALL functions; assign the CA to one RFC role and deactivate the upcoming proposal values; assign the new role to 1 reference user which is assigned to the RFC users.
– Monitoring: monitor and detect missing authorizations and assign new RFMs.
– Result: reduced start authorizations for RFC.

Phase 2 (functional authorizations)
– Logging: log the functional authorizations with STUSERTRACE (all functional authorizations).
– Build: assign the functional authorization values to the SU24 proposal values for each RFM; assign the function module to an individual role for the technical user; assign an individual reference user with the new role to the individual RFC user.
– Monitoring: monitor and detect missing authorizations.
– Result: reduced functional authorizations for the function module.
RFC Protection with UCON
Result – Layers of Defense

Access to RFMs passes three layers (diagram, reconstructed):
1. UCON runtime checks: new security layer; attack surface reduction for RFCs of ~98 % on the UCON layer (our experience from different industries).
2. S_RFC checks: user-dependent authorization refinement; security layer based on roles / profiles / authorizations.
3. Functional checks: user-dependent authorization refinement; security layer based on roles / profiles / authorizations.
UCON – Example
Results after 1 Year of Logging

Available and open remote-enabled function modules in the customer system: 41596
Called RFMs, including generated RFMs: 420
Called RFMs, without generated RFMs: 215
Potential attack surface reduction (generated RFMs are still open): -98.99 % (1 - 420 / 41596)


UCON – Example
Results after 1 Year of Logging

Incoming RFC users with ALL RFC authorizations (S_RFC = *): 50 %

Logging results for users with SAP_ALL:

User | Effectively called RFMs | Reduction
RFC_USER_1 | 31 | -99.92 %
RFC_USER_2 | 23 | -99.94 %
RFC_USER_3 | 20 | -99.95 %
RFC_USER_4 | 18 | -99.95 %
RFC_USER_5 | 11 | -99.97 %
RFC_USER_6 | 9 | -99.97 %
RFC_USER_7 | 4 | -99.99 %
RFC_USER_8 | 3 | -99.99 %
RFC_USER_9 | 3 | -99.99 %
RFC_USER_10 | 3 | -99.99 %

Experience:
• UCON improves RFC security on the first layer with manageable effort.
• UCON mitigates other RFC security challenges to a certain extent, e.g. S_RFC with *.
• UCON is meanwhile in action on high-volume retail systems without serious challenges.


UCON
Phase Configuration

Assign RFMs during the logging, evaluation or final/check-active phase to the default CA to expose them explicitly. At the end of the initial UCON security classification, when all these RFMs have reached the final phase, they are all classified as either exposed or blocked for external access.

Phases (diagram): Logging of RFMs called from outside → Evaluation / Simulation → Runtime checks active

The Logging Phase
• Find out which RFMs are called from outside in the system to be protected.
• Default duration 90 days.
• Note: it is recommended to have events like the end-of-year closure included.
• The end of the logging phase is indicated by a CCMS warning and the UCON Phase Tool.

The Evaluation Phase
• Find out whether you have forgotten to expose any RFMs.
• Default duration 120 days.
• The end of the evaluation phase is indicated by a CCMS warning and the Phase Tool.

The Active Check Phase
• External access to all other RFMs (not assigned to the default CA) is blocked.
• Each attempt to reach an RFM blocked by the UCON checks terminates the session on the server side, leads to a system log entry (SM21), and is indicated by a CCMS error.
• RFMs that are new in the system (either created there or imported) are automatically assigned to the logging phase of the UCON RFC security classification and make their own way through the phases (unless you have configured the secure-by-default option).
• If you need more time for the classification of a particular RFM, that is, to decide whether to expose it or not, you can manually re-assign it to the logging or evaluation phase.
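The phase lifecycle described above, modelled in Python as an added illustration (this is not SAP code and not part of the deck). The phase names, the 90/120-day defaults and the per-phase outcomes follow the slide text; the RFM names, dates and calls are constructed, and two simplifications are assumed: "exposed" means membership in the default Communication Assembly (CA), and every RFM carries its own phase clock.

```python
"""Model of the UCON phase lifecycle for remote-enabled function modules (RFMs).
Added illustration, not SAP code. Phase names, default durations and outcomes
follow the slide; RFM set, dates and calls are constructed for the demo."""

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Phase(Enum):
    LOGGING = "logging"        # calls allowed and recorded
    EVALUATION = "evaluation"  # calls allowed, blocking only simulated
    ACTIVE = "active"          # final/check-active: unexposed RFMs are blocked


DEFAULT_DURATION = {Phase.LOGGING: 90, Phase.EVALUATION: 120}   # days, per slide
NEXT_PHASE = {Phase.LOGGING: Phase.EVALUATION, Phase.EVALUATION: Phase.ACTIVE}


@dataclass
class RfmState:
    phase: Phase
    since: date


@dataclass
class UconSystem:
    secure_by_default: bool = False
    default_ca: set = field(default_factory=set)     # RFMs explicitly exposed
    states: dict = field(default_factory=dict)       # rfm -> RfmState
    log: list = field(default_factory=list)          # (day, rfm, outcome)

    def add_rfm(self, rfm: str, today: date) -> Phase:
        # New RFMs (created or imported) start in the logging phase; with the
        # secure-by-default option they are placed straight into the final phase.
        phase = Phase.ACTIVE if self.secure_by_default else Phase.LOGGING
        self.states[rfm] = RfmState(phase, today)
        return phase

    def advance(self, today: date) -> list:
        """Move RFMs whose phase duration has expired to the next phase and
        return them (the point where the Phase Tool / CCMS would warn)."""
        expired = []
        for rfm, st in self.states.items():
            days = DEFAULT_DURATION.get(st.phase)
            if days is not None and (today - st.since).days >= days:
                st.phase, st.since = NEXT_PHASE[st.phase], today
                expired.append(rfm)
        return sorted(expired)

    def reassign(self, rfm: str, phase: Phase, today: date) -> None:
        # Manual re-assignment when an RFM needs more classification time.
        self.states[rfm] = RfmState(phase, today)

    def external_call(self, rfm: str, today: date) -> str:
        """Outcome of a call from outside: exposed RFMs are always allowed;
        otherwise logging -> 'logged', evaluation -> 'would-block',
        active -> 'blocked' (session terminated, SM21 entry in the real system)."""
        if rfm in self.default_ca:
            outcome = "allowed"
        else:
            outcome = {Phase.LOGGING: "logged",
                       Phase.EVALUATION: "would-block",
                       Phase.ACTIVE: "blocked"}[self.states[rfm].phase]
        self.log.append((today, rfm, outcome))
        return outcome

    def seen_in_logging(self) -> list:
        return sorted({rfm for _, rfm, o in self.log if o == "logged"})

    def surface_reduction(self) -> float:
        # share of remote-enabled RFMs that stay blocked once checks are active
        return 1 - len(self.default_ca) / len(self.states)


def walkthrough() -> dict:
    """Run the three phases over a constructed landscape and return the outcomes."""
    u = UconSystem()
    d0 = date(2020, 1, 1)
    for rfm in ("RFC_PING", "RFC_READ_TABLE", "BAPI_USER_GET_DETAIL", "Z_INTERFACE_POST"):
        u.add_rfm(rfm, d0)
    # logging phase: observed interface traffic (constructed)
    u.external_call("RFC_PING", d0 + timedelta(days=3))
    u.external_call("Z_INTERFACE_POST", d0 + timedelta(days=40))
    to_eval = u.advance(d0 + timedelta(days=90))
    # the operator exposes exactly what was used legitimately
    u.default_ca.update(u.seen_in_logging())
    # evaluation phase: an unexposed RFM is only flagged, not blocked
    sim = u.external_call("RFC_READ_TABLE", d0 + timedelta(days=120))
    to_active = u.advance(d0 + timedelta(days=210))
    # active phase: the same call is now blocked, exposed ones keep working
    blocked = u.external_call("RFC_READ_TABLE", d0 + timedelta(days=211))
    still_ok = u.external_call("Z_INTERFACE_POST", d0 + timedelta(days=211))
    # an RFM imported later starts its own logging phase
    new_phase = u.add_rfm("Z_NEW_REPORT", d0 + timedelta(days=300))
    new_call = u.external_call("Z_NEW_REPORT", d0 + timedelta(days=301))
    return {"to_eval": to_eval, "sim": sim, "to_active": to_active,
            "blocked": blocked, "still_ok": still_ok, "new_phase": new_phase,
            "new_call": new_call, "reduction": u.surface_reduction()}


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:10} {v}")
```

The walkthrough shows the two points that matter operationally: an RFM that was never called during logging is only reported during evaluation and becomes a hard block once the runtime checks are active, and an RFM imported afterwards is not blocked until it has passed its own logging and evaluation phases unless secure-by-default is set.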
UCON
Configuration Overview for UCON in a Transport Landscape (diagram, reconstructed as numbered steps)

In DEV:
1. Activate the profile parameter.
2. Schedule the batch job.
3. Unified Connectivity Customizing: configure the duration of the logging and evaluation phase.
4. Assign the default CA, the VHs and the state objects to transport requests.
5. Release the transport.
6. Choose a transportable Communication Assembly + "Transport of State Objects".

In PROD:
7. Import the transports with default CA, VHs and configurations, and state objects from DEV into PROD.
8. UCONCOCKPIT: same configuration as in DEV; the duration of the phases should be the same as in DEV.
9. CSV export of the RFC call statistics after the end of the logging phase.

Back in DEV:
10. CSV import of the RFC call statistics after the end of the logging phase.
11. Select the PROD SID in the Phase Tool and assign the expired and authorized RFMs to the CA.
12. Assign all expired RFMs to the evaluation phase and choose a transport request for the state objects.
13. Choose the transport request and save.
14. Release the transport.
15. Import the transport into PROD.
16. Repeat for the last phase.


UCON
Recommendations

Phase Configuration
• The logging and evaluation duration should cover the whole financial year.
• Follow the process for newly introduced scenarios and RFCs, e.g. after a system upgrade.
Transport Configuration
• It is necessary that you have imported the default CA into PROD before you run the setup in PROD. Otherwise PROD will not work with the RFMs you expose in DEV (by assigning them to the default CA).
Monitoring Configuration
• Needs to be executed continuously to avoid a breakdown of the log facility and to be informed about changes, e.g. the expiry date of a phase.
Important Notes (2098702 - Composite note for UCON RFC)
• 2008727 - Securing Remote Function Calls (RFC) (general RFC note)
• 2347288 - Corrections of SAP UCON batch job to collect stat data
• 2342069 - Performance issue caused by inconsistent UCON runtime tables
• 2253510 - UCON RFC Basic Setup cannot be called
• 2258762 - Adjust UCON Runtime to be more flexible
• 2274082 - UCON Export of summarized data
• 2242819 - UCON RFC Basic: SNC RFC Calls are blocked
• 2230431 - UCON RFC: Support report to delete UCON setup information
• 2234448 - UCON RFC: Incorrect Runtime Tables after Import of Communication Assembly
• 2219467 - UCON blocks RFC calls of Function Modules assigned to a Communication Assembly
• 2202736 - UCON RFC Transport Scenario: Setup in productive system asks for transport requests
• 2203835 - Export UCON stat data results in dump
Solution Approach Option 1
1 Role for all S_RFC Authorizations

• The solution approach with Option 1 provides for ACME
– a quick win
– easy setup and maintenance
– still a tremendous improvement compared to today's situation
– the disadvantages regarding S_RFC authorizations and the functional authorizations can be managed without additional effort.

Approach – Step 1 – Reduction of S_RFC Authorizations:
• UCONCOCKPIT: create 1 Communication Assembly in UCON and assign all RFMs in the Role Build Scenario view.
• PFCG: create one role exclusively for RFC authorizations and assign the CA to the menu.
• PFCG: deactivate all incoming authorization object proposals besides S_RFC, since this role is exclusive for S_RFC.
• SU01: create one reference user, assign the new S_RFC role, and assign the reference user to all RFC users.
• STUSERTRACE: this trace is the best option. Activate the trace with the filter RFM and the RFC users.
• Monitoring: check whether there are authorization fallbacks to the old RFC role for S_RFC and ensure that S_RFC is working properly.
• PFCG: remove the S_RFC authorizations from the old RFC roles.


Solution Approach Option 1
1 Role for all S_RFC Authorizations

Approach – Step 2 – Reduction of Functional Authorizations:
• STUSERTRACE: trace all the functional authorizations for the RFMs (this has already been happening since the first configuration).
– Note: STUSOBTRACE could be an alternative to STUSERTRACE. It is not as fine-grained as STUSERTRACE, but it also provides a massive reduction of functional authorizations.
• PFCG: create a new role with the functional authorizations for the RFC user. Compared to the S_RFC start authorizations, these authorizations are now more fine-grained.
• SU24 & PFCG: maintain the proposal values, assign the remote function module (not the CA anymore) to the role, run the role in expert mode and finish the role.
• SU01: create a reference user, but now for each single RFC user, because the functional authorization check is now fine-grained and specific for each user.
• Monitoring: check whether there are authorization fallbacks to the old role and ensure that ALL authorizations are now checked properly (this means they are satisfied via the reference user).
• SU01: remove the old authorizations and assign the proven roles directly to the user instead of via the reference user.
RFC Authorizations Fallback
Check Sequence Details

1. Incoming RFC call for the user master record RFC-USER.
2. Check 1 against the reference user authorizations (the restricted role assigned to the reference user).
   – Authorization check successful? Yes → no additional actions required.
3. Check 2 against the direct assignments (the unrestricted role assigned directly).
   – Authorization check successful? Yes → a fallback took place. To do: assign the missing authorizations to the restricted role.
   – No → neither the old nor the new role has the authorizations. To do: check the scenario and whether the roles are really required.


RFC Authorizations Fallback
Result in STUSERTRACE

• STUSERTRACE shows in the column "Additional Information for Check" the origin of the successful authorization check.
• The red-marked lines were executed successfully, BUT the check was only successful because of the directly assigned roles → a FALLBACK took place and authorizations are missing in the new role. Action required.
• The green-marked lines show that the first check was already successful with the given reference user authorizations. No fallback was executed; the new role was tested successfully. No action required.

Setup for the RFC fallback scenario
• Fallback: keep the authorizations as they are today with the direct assignments, since these roles are already proven and productive.
• New roles: create for each RFC user the corresponding reference user (naming convention proposal: prefix or suffix REF_) and assign the reference user to the RFC user.


Simulation of authorization checks
STSIMAUTHCHECK

Functional description:
• You have recorded a list of authorization checks using the user trace. You can use this transaction to check for a selection of users whether the recorded authorization checks would be successful with their current authorizations or not. The simulation can either take into account all user authorizations or only individual roles assigned to the users. The trace data can be read from both the local and a remote system.
• Review of the effects of a new role concept: the result of the simulation in a test system is compared with the result of the authorization checks in the productive system.
• Reduction of manual testing.
Shipment:
• SAP Note 2442227: STSIMAUTHCHECK: Simulation of authorization checks
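The check sequence of the fallback slides and the replay that STSIMAUTHCHECK performs against recorded checks can be modelled in a few lines. The following Python is an added example, not SAP code and not part of this deck: it replays constructed STUSERTRACE-style records first against the reference user's restricted role and then against the directly assigned old role, and collects the authorizations that only passed through the fallback (the ones to add to the restricted role). S_RFC, S_TABU_NAM and S_USER_GRP are real SAP authorization objects; the roles, users and trace records are constructed, and the value semantics (single value, `*`, trailing-`*` prefix; one authorization instance must satisfy every field of a check) are the simplified model assumed here.

```python
"""Replay recorded authorization checks against a user's roles and classify each
check as passed via the reference user (restricted role), passed only via the
fallback to the direct assignments, or failed. Added example, not SAP code."""

from collections import defaultdict


def value_matches(allowed: str, requested: str) -> bool:
    """Simplified SAP value semantics assumed here: '*' covers everything,
    a trailing '*' is a prefix pattern, anything else must match exactly."""
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return requested.startswith(allowed[:-1])
    return allowed == requested


def authorization_passes(auth: dict, check_fields: dict) -> bool:
    # One authorization instance must cover every field of the check; a field
    # the instance does not carry at all fails the check.
    return all(
        any(value_matches(v, check_fields[f]) for v in auth.get(f, ()))
        for f in check_fields
    )


def roles_pass(roles: list, obj: str, check_fields: dict) -> bool:
    # Authorizations for the same object across all roles are OR'ed.
    return any(
        authorization_passes(auth, check_fields)
        for role in roles
        for auth in role.get(obj, [])
    )


def classify_checks(trace: list, reference_roles: list, direct_roles: list):
    """Check order as on the fallback slide: reference user first, direct
    assignments second. Returns the verdict per record plus the field values
    that only passed through the fallback, grouped by object (these are the
    authorizations to add to the restricted role)."""
    results, missing = [], defaultdict(list)
    for rec in trace:
        obj, fields = rec["object"], rec["fields"]
        if roles_pass(reference_roles, obj, fields):
            verdict = "reference"          # green line: new role is sufficient
        elif roles_pass(direct_roles, obj, fields):
            verdict = "fallback"           # red line: action required
            missing[obj].append(dict(fields))
        else:
            verdict = "failed"             # neither role: check the scenario
        results.append((rec["user"], obj, verdict))
    return results, dict(missing)


# --- constructed sample data (not from a real system) ----------------------
RESTRICTED_ROLE = {   # assigned to the reference user REF_RFC_USER_1
    "S_RFC": [
        {"RFC_TYPE": ["FUNC"], "RFC_NAME": ["RFC_READ_TABLE"], "ACTVT": ["16"]},
        {"RFC_TYPE": ["FUNC"], "RFC_NAME": ["Z_*"], "ACTVT": ["16"]},
    ],
    "S_TABU_NAM": [{"TABLE": ["T000"], "ACTVT": ["03"]}],
}
OLD_DIRECT_ROLE = {   # unrestricted role still assigned directly during the transition
    "S_RFC": [{"RFC_TYPE": ["*"], "RFC_NAME": ["*"], "ACTVT": ["16"]}],
    "S_TABU_NAM": [{"TABLE": ["*"], "ACTVT": ["03"]}],
}
TRACE = [   # STUSERTRACE-style records: one entry per user, object and value set
    {"user": "RFC_USER_1", "object": "S_RFC",
     "fields": {"RFC_TYPE": "FUNC", "RFC_NAME": "RFC_READ_TABLE", "ACTVT": "16"}},
    {"user": "RFC_USER_1", "object": "S_TABU_NAM",
     "fields": {"TABLE": "T000", "ACTVT": "03"}},
    {"user": "RFC_USER_1", "object": "S_RFC",
     "fields": {"RFC_TYPE": "FUNC", "RFC_NAME": "BAPI_USER_GET_DETAIL", "ACTVT": "16"}},
    {"user": "RFC_USER_1", "object": "S_USER_GRP",
     "fields": {"CLASS": "SUPER", "ACTVT": "03"}},
    {"user": "RFC_USER_1", "object": "S_RFC",
     "fields": {"RFC_TYPE": "FUNC", "RFC_NAME": "Z_INTERFACE_POST", "ACTVT": "16"}},
]


def run_demo():
    return classify_checks(TRACE, [RESTRICTED_ROLE], [OLD_DIRECT_ROLE])


if __name__ == "__main__":
    results, missing = run_demo()
    for user, obj, verdict in results:
        print(f"{user:12} {obj:12} {verdict}")
    print("add to restricted role:", missing)
```

Passing `[RESTRICTED_ROLE]` alone as both role lists corresponds to the "only individual roles" mode of the simulation; passing the full role set of the user corresponds to "all user authorizations". The S_USER_GRP record ends up as "failed" on purpose: it is the case where neither the old nor the new role covers the check, so the scenario itself has to be questioned before any authorization is added.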



Simulation of authorization checks
STSIMAUTHCHECK

Diagram (reconstructed):
Production (existing authorization concept): user with roles 1..n → logging of the authorization checks → STUSERTRACE: result of the authorization checks.
Test (new authorization concept): user with new roles 1..n → import of the STUSERTRACE results → simulation of the authorization checks → validation of the new roles against the authorization checks from production.


Thank you.
Contact information:
SAP Customer Success
Intelligent Delivery Group DTS GRC/SEC
SAP Deutschland AG & Co. KG
Hasso-Plattner-Ring
69190 Walldorf

T: +49 6227 7-52489


F: +49 6227 78-24540
E: security.consulting@sap.com
