Each user in SAP has set of authorisation profiles associated with them. These authorisation profiles represent the roles that the person undertakes in their day-to-day work. For example, an Accounts Payable clerk would have an authorisation profile for making payments to vendors. This authorisation profile consists of a number of SAP authorisations. Typically, a user would have several roles and hence have several authorisation profiles. This is often described as the user profile.
The way that Weavecentrix Desktop communicates with SAP means that a user will typically have to have another authorisation profile added to their user profile. This is required by SAP for RFC transactions.
The SAP RFC authorisation object S_RFC performs security checks on RFC calls to your SAP system. The way that the S_RFC authorisation object is called can be controlled in the SAP System Parameters. It is not unusually to have this set up differently in sandpit systems as compared to production systems.
You can review your system parameters with transaction TU02 or by running the SAP report RSPARAM using transaction SA38.
In the report, look for the entry for Auth/rfc_authority_check. This parameter determines how the object S_RFC is checked during RFC calls. The object has three fields: activity; the name of the function being called and the function group in which the function resides. The parameter defines whether the S_RFC object is checked and if so, whether the function group field is included in the validation. There are three different settings for this value as shown below. The default value is "1".
· Value = 0, no check against S_RFC
· Value = 1, check active but no check for SRFC-FUGR
· Value = 2, check active and check against SRFC-FUGR
The SAP authorisation object S_RFC can be used to restrict access to program groups, typically function group access. The authorisation object contains three fields:
· RFC_TYPE
· RFC_NAME
· ACTVT
In order to retrieve the necessary information from the SAP system's data dictionary, Weavecentrix Desktop needs to call a number of Remote Function Modules (RFMs) for which the access rights have to be granted (Authorisation Object: S_RFC, ACTVT: 16, FUGR).
The following function groups are required: RFC1, SDIFRUNTIME, SG00, SRFC, SYST, SYSU.
The person who uses Weavecentrix Desktop will normally have the required functional SAP authorisations required for work order management. In a typical SAP system, these authorisation profiles and the RFC authorisation are all that is required for Weavecentrix Desktop to communicate with SAP.
In some systems, additional authorisation profiles may be required which are outside of this scope. In this instance, it will be necessary to run an authorisation trace to identify these additional authorisation objects.
This procedure should be run by the SAP System Administrator. You need full authorisation to do this.
1. Start the application that you want to trace.
2. Call transaction ST01.
3. Choose Standard options.
4. Choose None to switch off all the trace options.
5. Choose Trace for authorisation checks.
6. In the group box Restrictions, enter any restrictions you want to apply to the trace (the standard practice is to restrict to the user).
7. Choose Accept.
8. Choose Switch, edit.
9. In the group box General management, set the write options to Trace: write to disk.
10. In the group box Status of active system choose the symbol, Activate trace.
11. Finish processing the application.
1. Call transaction ST01.
2. Choose No trace.
1. Call transaction ST01.
2. Choose Trace files as Standard.
3. Double click on the file.