RFC Security
Technical User Authorization Service
SAP Customer Success - Security Consulting
June, 2020
PUBLIC
The RFC Service with XAMS
Agenda
Your Challenges
As-Is and To-Be picture
RFC Service
Service description (approach and results)
Your Benefits
Service add values
RFC call path (diagram placeholder): PC / SAP application (RFC client) -> Firewall (firewall rules) -> SAP Gateway (gateway rules) -> Gateway server program (authorizations).
As-Is: the authorizations of interface users are assigned too broadly.
To-Be: interface user accounts are assigned new and safe authorizations.
Approach and Results
– Approach: Evaluation of interface user accounts for naming and authorization assignments. Result: Overview of the interface user accounts which require optimization.
– Approach: Renaming and categorization of interface user accounts. Result: Correctly named and grouped interface user accounts.
– Approach: Installation of the Xiting Authorizations Management Suite on productive systems. Result: Xiting Authorizations Management Suite usable on productive systems.
– Approach: Monitoring of interfaces over the whole time frame. Result: Authorization traces for the investigated time frame.
– Approach: New authorizations assigned to unrestricted interface user accounts. Result: Securely authorized user accounts (need-to-know / least-privilege principle) in interfaces.
– Approach: Monitoring of issues during the transition from old to new authorization assignments. Result: Ensured non-disrupted system operations during the transition.
– Approach: Creation of documentation for the respective interface users. Result: Detailed documentation of the interface users in scope.
© 2020 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 9
Optimizing Authorizations of Interface Users
Service Phases
Preparation Phase
– Determination of the scope (table RFCDES / connection type 3) for the fixed-price service.
– One-day workshop to introduce the procedure and prepare the service plan (remote possible).
Implementation Phase
– Installation of the Xiting Authorizations Management Suite on all systems in the RFC landscape.
– Setup of RFC user accounts according to the naming convention.
– Creation of new authorizations with the Xiting Authorizations Management Suite.
– Roles are grouped by system or by RFC application type.
Go-Live Phase
– Observation of the technical RFC user accounts for the next 3 months and fine tuning of the RFC users' authorizations (remote support).
– Phased Go-Live procedure with remote support.
– Xiting Authorizations Management Suite agent monitors the RFC users: automated correction and alerts.
Your Benefits
Hardened RFC Landscape
Audit Proof RFC Authorizations
Smooth & Faultless Rollout
Optimizing Authorizations of Interface Users
Added Value
Duration:
12 weeks
Pricing:
Available upon request.
Pricing is based on the number of RFC destinations (type 3).
Request the Xiting Stocktaker tool to determine the RFC destinations in the system landscape.
Contact:
Please contact security.consulting@sap.com for additional information
Optimizing Authorizations of Interface Users
Ordering Info
Customer name:
Customer address:
OSS data:
Procedure (diagram placeholder): Detect ALL -> Determine all authorizations -> Build tailored -> Monitor RFC.
Tools: STUSOBTRACE, STUSERTRACE.
To do: avoidance of critical assignments via black lists.
Authorization Traces
Overview
Systemtrace (ST01)
– Runs on the application server; stored in a trace file.
– Client dependent, user dependent.
– Every authorization check gets a timestamp.
Authorization Trace in table USOB_AUTHVALTRC
– SID global; stored in the database.
– Client independent.
– Focus on the program (transaction, Web Dynpro, RFC function): every authorization check of a program is caught only one time.
Authorization Trace in table SUAUTHVALTRC
– SID global; stored in the database.
– Client and user dependent.
– Every authorization check of a program is caught one time for every user (timestamp of the first catch).
Analysis of RFC statistic data
– SID global; stored in the database.
– Client and user dependent.
– Captures remotely called RFMs.
Phase 1
– Logging of functional authorizations with STUSERTRACE (all functional authorizations).
– Assign the new role to one reference user, which is assigned to the RFC users.
Phase 2
– Logging of RFC start authorizations with the UCON Role Build Scenario (S_RFC).
– Assign an individual reference user with the new role to each individual RFC user.
Access to RFMs: security layer based on roles/profiles and authorizations.
Assign RFMs during the logging, evaluation or final/check-active phase to the default CA (to expose them) explicitly. At the end of the initial UCON security classification, when all these RFMs have reached the final phase, they are all classified as exposed or blocked for external access.
UCON phases (diagram placeholder): Logging of RFMs called from outside -> Evaluation/Simulation -> Runtime checks active. Transaction UCONCOCKPIT; PROD uses the same configuration as in DEV.
Phase Configuration
The logging and evaluation duration should cover the whole financial year.
Follow the process for newly introduced scenarios and RFCs, e.g. after a system upgrade.
Transport Configuration
You must import the default CA into PROD before you run the setup in PROD. Otherwise PROD will not work with the RFMs you expose in DEV (by assigning them to the default CA).
Monitoring Configuration
Monitoring needs to be executed continuously to avoid a breakdown of the log facility and to be informed about changes, e.g. the expiry date of a phase.
Important Notes (2098702 - Composite note for UCON RFC)
2008727 - Securing Remote Function Calls (RFC) (General RFC note)
2347288 - Corrections of SAP UCON BatchJob to collect stat data
2342069 - Performance issue caused by inconsistent UCON runtime tables
2253510 - UCON RFC Basic Setup cannot be called
2258762 - Adjust UCON Runtime to be more flexible
2274082 - UCON Export of summarized data
2242819 - UCON RFC Basic: SNC RFC Calls are blocked
2230431 - UCON RFC: Support report to delete UCON setup information
2234448 - UCON RFC: Incorrect Runtime Tables after Import of Communication Assembly
2219467 - UCON blocks RFC calls of Function Modules assigned to a Communication Assembly
2202736 - UCON RFC Transport Scenario: Setup in productive system asks for transport requests
2203835 - Export UCON stat data results in dump
Solution Approach Option 1
One role for all S_RFC authorizations (flow diagram placeholder):
– The RFC-USER has two assignments: (1) a reference user carrying the new role, and (2) the direct assignments of the old roles.
– Step 1: check against the reference user's authorizations. Auth check successful? Yes: no additional actions required.
– Step 2 (fallback): if not, check against the direct assignments. Auth check successful? Yes: assign the missing authorizations to the "Restricted Role".
– If neither check is successful, neither the old nor the new role has the authorizations: check the scenario and whether the roles are really required.
The STUSERTRACE shows in the column "Additional Information for Check" the origin of the successful authorization check.
The red marked lines were executed successfully, BUT the check only succeeded because the FALLBACK to the directly assigned roles was taken: the authorizations are missing in the new role. Action required.
The green marked lines show that the first check was already successful with the reference user's authorizations; no fallback was executed. The new role was tested successfully. No action required.
Functional description:
• You have recorded a list of authorization checks using the user trace. You can use this transaction to check
for a selection of users whether the recorded authorization checks would be successful with their current
authorizations or not. This simulation can either take into account all user authorizations or only individual
roles assigned to the users. The trace data can be read from both the local and a remote system.
• Review of the effects of a new role concept. The result of the simulation in a test system is compared with the
result of the authorization check in a productive system.
• Reduction of manual testing
Shipment:
• SAP Note 2442227: STSIMAUTHCHECK: Simulation of authorization checks
Flow (diagram placeholder): Production system (STUSERTRACE: result of the authorization checks) -> Import -> Test system (simulation of the authorization checks).
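The following Python script is an added example, not code from the SAP deck or from the Xiting suite. It demonstrates two things the deck describes in prose: the Option 1 fallback evaluation of STUSERTRACE lines (green = the reference user's new role alone passed, red = only the fallback to the directly assigned old roles passed and the value is missing in the restricted role, failed = neither role holds the authorization), and, with the same matcher, a STSIMAUTHCHECK-style simulation of recorded checks against a candidate role alone. The record layout, the role representation and every sample value (user RFC_MM_01, the role contents, the traced checks) are constructed assumptions, not the real STUSERTRACE or STSIMAUTHCHECK data model; only the object names S_RFC and S_TABU_NAM and their field names are real.

```python
"""Added example (not from the SAP deck): classify recorded authorization checks
the way the Option 1 fallback evaluation of STUSERTRACE lines does, and reuse the
same matcher to simulate a candidate role the way STSIMAUTHCHECK is described.
The record layout, role representation and all sample values are constructed
assumptions, not the real STUSERTRACE / STSIMAUTHCHECK data model."""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization of a role: object name plus field -> allowed values."""
    obj: str
    fields: dict  # e.g. {"RFC_NAME": ["RFC_READ_TABLE", "ZRFC_*"]}


@dataclass
class AuthCheck:
    """One recorded check: which user needed which field values of which object."""
    user: str
    obj: str
    values: dict  # e.g. {"RFC_TYPE": "FUNC", "RFC_NAME": "ZRFC_MAT_GET", "ACTVT": "16"}


def value_allowed(allowed, requested):
    """SAP-style value matching: exact value, '*' for everything, or 'PREFIX*'."""
    for pattern in allowed:
        if pattern == "*" or pattern == requested:
            return True
        if pattern.endswith("*") and requested.startswith(pattern[:-1]):
            return True
    return False


def authorization_satisfies(auth, check):
    """An authorization passes a check only if it covers every requested field."""
    if auth.obj != check.obj:
        return False
    return all(
        fld in auth.fields and value_allowed(auth.fields[fld], val)
        for fld, val in check.values.items()
    )


def role_satisfies(role, check):
    return any(authorization_satisfies(a, check) for a in role)


def classify(trace, reference_role, direct_roles):
    """Return [(check, verdict)] with the Option 1 colours:
    green  - the reference user's new role alone passes the check
    red    - only the fallback to the directly assigned old roles passed
    failed - neither the new nor the old roles hold the authorization
    Pass an empty direct_roles list for a pure simulation of the new role."""
    verdicts = []
    for check in trace:
        if role_satisfies(reference_role, check):
            verdict = "green"
        elif any(role_satisfies(role, check) for role in direct_roles):
            verdict = "red"
        else:
            verdict = "failed"
        verdicts.append((check, verdict))
    return verdicts


def missing_in_new_role(verdicts):
    """Values to add to the 'Restricted Role': object -> set of field/value tuples."""
    missing = {}
    for check, verdict in verdicts:
        if verdict == "red":
            missing.setdefault(check.obj, set()).add(tuple(sorted(check.values.items())))
    return missing


# Constructed sample roles and trace lines (assumed values, not from the deck).
NEW_ROLE = [  # reference user's restricted role, built from the trace
    Authorization("S_RFC", {"RFC_TYPE": ["FUNC"], "RFC_NAME": ["RFC_READ_TABLE", "ZRFC_*"], "ACTVT": ["16"]}),
    Authorization("S_TABU_NAM", {"TABLE": ["MARA", "MAKT"], "ACTVT": ["03"]}),
]
OLD_ROLES = [[  # legacy role still assigned directly to the RFC user: far too broad
    Authorization("S_RFC", {"RFC_TYPE": ["*"], "RFC_NAME": ["*"], "ACTVT": ["16"]}),
    Authorization("S_TABU_NAM", {"TABLE": ["*"], "ACTVT": ["03"]}),
]]
TRACE = [  # constructed STUSERTRACE-like records for one interface user
    AuthCheck("RFC_MM_01", "S_RFC", {"RFC_TYPE": "FUNC", "RFC_NAME": "ZRFC_MATERIAL_GET", "ACTVT": "16"}),
    AuthCheck("RFC_MM_01", "S_RFC", {"RFC_TYPE": "FUNC", "RFC_NAME": "BAPI_MATERIAL_GETLIST", "ACTVT": "16"}),
    AuthCheck("RFC_MM_01", "S_TABU_NAM", {"TABLE": "KNA1", "ACTVT": "03"}),
    AuthCheck("RFC_MM_01", "S_TABU_NAM", {"TABLE": "MARA", "ACTVT": "02"}),
]


def summary(trace=TRACE, new_role=NEW_ROLE, old_roles=OLD_ROLES):
    """Counts per verdict plus the to-do list for the restricted role."""
    verdicts = classify(trace, new_role, old_roles)
    counts = {"green": 0, "red": 0, "failed": 0}
    for _, verdict in verdicts:
        counts[verdict] += 1
    return counts, missing_in_new_role(verdicts)


if __name__ == "__main__":
    counts, todo = summary()
    print("verdicts:", counts)
    for obj, values in todo.items():
        print(f"add to restricted role, object {obj}: {sorted(values)}")
```

With the constructed data the first S_RFC check is green (covered by the ZRFC_* pattern), the BAPI call and the KNA1 read are red (only the old wildcard role grants them, so they belong in the restricted role if the scenario is legitimate), and the MARA change with ACTVT 02 fails in both roles, which is exactly the case where the scenario itself should be questioned rather than an authorization added. Calling classify with an empty list of direct roles turns the same evaluation into the test-system simulation the STSIMAUTHCHECK description refers to.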