This week SAP published a paper alongside the Monthly SAP Notes titled Securing Remote Function Calls (RFC), which outlines best-practice guidelines for configuring the different RFC security features. In this post we will focus on two of the newest features covered in the paper:
- Switchable Authorization Checks
- RFC Callback White-lists
Switchable Authorization Checks
This new concept addresses a common problem that arises when implementing SAP Notes or Support Packages, as stated on page 19 of the document:
Authorization checks that are newly introduced in existing RFC function modules through SAP Notes or through support packages can interrupt business-critical system communication if legitimate users do not have the newly introduced authorization.
To enable a nondisruptive evolution of authorization checks, SAP introduced switchable authorization checks in all software systems based on SAP NetWeaver AS for ABAP 7.0 and higher.
When an action is executed, let’s say through a transaction, the system first checks that the user is authorized for that transaction code via the authorization object S_TCODE; then, inside the transaction, the program should check the specific authorization objects related to the action being executed.
Likewise, when an action is executed through an RFC function module, something similar must happen. In this case the system checks the authorization object S_RFC instead of S_TCODE (this behaviour is controlled by the profile parameter auth/rfc_authority_check), and the function module should then check the specific authorization objects related to the action being executed.
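To make the two-stage check and the "switchable" idea concrete, here is an added, simplified Python model of the flow (it is not code from SAP's paper or from any SAP system). The function module, authorization objects (Z_CREATE_ORDER, Z_ORDER, Z_ORDER_NEW) and user names are made up, and auth/rfc_authority_check is reduced to "0 = no S_RFC check, anything else = check", which ignores the parameter's finer-grained values.

```python
from dataclasses import dataclass

# Constructed, simplified model of the check sequence described above:
# an entry check (S_TCODE for a transaction, S_RFC for an RFC call unless
# auth/rfc_authority_check is 0), followed by the action-specific objects.
# An authorization object introduced later (via SAP Note or Support Package)
# is "switchable": it is enforced only when its scenario is active; while the
# scenario is inactive the missing authorization is logged and the call proceeds.

@dataclass
class User:
    name: str
    auths: set          # authorization objects granted, e.g. {"S_RFC", "Z_ORDER"}

@dataclass
class Function:
    name: str
    required: tuple     # objects the action has always required
    switchable: tuple = ()   # objects added later, guarded by a switchable scenario

def check_call(user, func, via, rfc_authority_check=1, active_scenarios=frozenset(), log=None):
    """Return True if the call is allowed. Inactive switchable checks that would
    have failed are appended to `log` (a list) instead of rejecting the call."""
    log = log if log is not None else []
    if via == "transaction":
        entry = "S_TCODE"
    elif via == "rfc":
        entry = "S_RFC" if rfc_authority_check != 0 else None   # simplification (assumed)
    else:
        raise ValueError(f"unknown entry path {via!r}")
    if entry is not None and entry not in user.auths:
        return False                      # entry check failed
    if any(obj not in user.auths for obj in func.required):
        return False                      # action-specific check failed
    for obj in func.switchable:
        if obj in user.auths:
            continue
        if func.name in active_scenarios:
            return False                  # scenario switched on: new check is enforced
        log.append(f"{user.name} lacks {obj} for {func.name} (scenario inactive, logged only)")
    return True

if __name__ == "__main__":
    # Constructed sample: a legacy integration user that predates Z_ORDER_NEW
    legacy = User("RFC_INTEGRATION", {"S_RFC", "Z_ORDER"})
    fm = Function("Z_CREATE_ORDER", required=("Z_ORDER",), switchable=("Z_ORDER_NEW",))
    findings = []
    print("inactive scenario ->", check_call(legacy, fm, "rfc", log=findings), findings)
    print("active scenario   ->", check_call(legacy, fm, "rfc", active_scenarios={"Z_CREATE_ORDER"}))
```

Running it shows why the log produced while the scenario is inactive is worth reviewing before switching the check on: the same user that passes today is rejected once the scenario is activated.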