RS_RFC_TTACL_UI - Access Control List for Trust Relationships (from SMT1)

This documentation is copyright by SAP AG.

Purpose

SAP systems can build trust relationships to one another to minimize the need for authentication when logging on to a remote system.

If the source SAP system is registered in the remote system as a calling system, no password is required for the logon.

The calling SAP system must therefore be registered as a calling system in the target system. The target system is known as the called system.

Trust relationships can be used in destinations of type 3 (ABAP-to-ABAP RFC call) or type H (ABAP-to-ABAP HTTP request).

Access control for trust relationships is performed at runtime using the client-specific access control list that this program displays and edits. Unlike the authorization object S_RFCACL, which is assigned to target users through roles, the access rights in the access control list are linked directly to the individual target user.

Integration

This report can be called using transaction SMTACL. The initial screen shows a list of the systems trusted by the current system. When one of these systems is double-clicked (or when a system is selected and the display or change icon is clicked), the access control list of the trust relationship to this system is displayed. Another way of displaying this list is to double-click a system in the list of trusted systems in transaction SMT1 and then choose the Access Control pushbutton. The access control list for a calling system can also be displayed from the display or edit functions for this system in transaction SMT1 by choosing "Access Control".

Prerequisites

To be able to display and edit the access control list of a trust relationship for communication from a source system (trusted system) to the current system (trusting system), the trust relationship must have been created using transaction SMT1. Trust relationships are cross-client objects. When a trust relationship is deleted, the associated client-specific access control lists are deleted in all clients.

The recommended procedure for creating and activating the access control list is as follows:

1. Perform an initial fill of the access control list for dedicated target users. This fill operation is performed in edit mode from those entries of the authorization S_RFCACL in which the field RFC_EQUSER is either filled with "N" or missing. Before the list is filled, a dialog box asks: "Also apply non-secure entries with generic client *?" The generated entries are shown immediately on the Dedicated Target Users tab; all fields can be modified except the target user. If the question is answered "Yes", the entries with a generic client are flagged with an alert icon in the "Evaluation" column. Caution: the entries generated by the initial fill are not yet persisted in the database and must be saved explicitly in a later step. For details, see the section "Performing an Initial Fill of the Access Control List for Dedicated Target Users" below.

2. Create the access control entries for identical source and target users manually on the Same Source and Target Users tab.

3. Entries with an alert icon can be edited manually to make them secure. The alert icon marks potentially unsafe entries that have the value * in "Client(From)" or "Client(To)".

4. Save the access control list.

5. Activate the access control list by selecting either the radio button Authorization check for same source and target users (but access control list for dedicated target users) or the radio button Access control list check. With the first option, the authorization S_RFCACL is still checked for identical source and target users and only dedicated target users are checked against the list; with the second, the list is used for both identical source and target users and dedicated target users, and S_RFCACL is no longer checked in the current client. For more details, see the section "Changing the Access Control Method" below.

Features

Selection

Standard Variants

Output

Activities

Selecting a Trusted System

The initial screen of the program displays a list of the trusted (calling) systems, including the system ID and installation number (license number). Double-click one of these systems to display its access control list for the current client.

Once a trusted system has been selected, its access control list can be edited and activated in the current client. This involves the following activities:

Changing the Access Control Method

In edit mode, one of three access control methods can be selected:

Radio button Authorization check: Access control is always performed using the authorization object S_RFCACL.

Radio button Authorization check for same source and target users (but access control list for dedicated target users): Access control is performed for identical source and target users using the authorization object S_RFCACL; access control for dedicated target users is performed using the list on the "Dedicated Target Users" tab.

Radio button Access control list: Access control is always performed using the access control list.

Note the following incompatible change in trusted logons using the access control list: the users DDIC and SAP* are not allowed as target users in trust relationships once access control using access control lists is activated. Neither of these users can be entered as a target user in the access control list (see the section "Displaying/Editing the Access Control Table on the "Dedicated Target Users" Tab" below).

Displaying/Editing the Access Control Table on the "Same Source and Target Users" Tab

The entries are an allowlist that is checked at runtime. Each entry contains the following fields:

o User(From) and User(To): User in the calling system (lower and upper limits can be specified; the wild card * is supported).

o Client(From) and Client(To): Client in the calling system (lower and upper limits can be specified; the wild card * is supported).

o TCode(From) and TCode(To): Transaction code in the calling system (lower and upper limits can be specified; the wild card * is supported).

o Evaluation: Non-secure entries (those with the generic value * in the field Client(From) or Client(To)) are marked with an alert icon in this field. The alert is informational only: such entries are still accepted and remain effective at runtime.

Displaying/Editing the Access Control Table on the "Dedicated Target Users" Tab

The entries are an allowlist that is checked at runtime. Each entry contains the following fields:

o Target user: Logon user in the target system of the RFC call or HTTP request. The users DDIC and SAP* are not valid target users.

o User(From) and User(To): User in the calling system (lower and upper limits can be specified; the wild card * is supported).

o Client(From) and Client(To): Client in the calling system (lower and upper limits can be specified; the wild card * is supported).

o TCode(From) and TCode(To): Transaction code in the calling system (lower and upper limits can be specified; the wild card * is supported).

o Evaluation: Non-secure entries (those with the generic value * in the field Client(From) or Client(To)) are marked with an alert icon in this field. The alert is informational only: such entries are still accepted and remain effective at runtime.
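The runtime allowlist check described on the two tabs above, together with the three access control methods and the DDIC/SAP* restriction, as an added Python model. This is example code written for this page, not SAP's implementation: the limit and wild-card semantics, the stand-in callable for the S_RFCACL authorization check, and all users, clients and entries are assumptions for illustration.

```python
"""Model of the runtime check behind the trusted-RFC access control list.

Constructed example for this page; it is not SAP code, and the range/wild-card
semantics are an assumption derived from the field descriptions above.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Optional, Sequence

# Not permitted as target users once ACL-based access control is active.
FORBIDDEN_TARGET_USERS = {"DDIC", "SAP*"}

# The three access control methods selectable in edit mode.
METHOD_AUTH = "authorization check"                 # always S_RFCACL
METHOD_MIXED = "auth for same user, ACL for dedicated"
METHOD_ACL = "access control list"                  # always the ACL


@dataclass(frozen=True)
class AclEntry:
    user_from: str
    user_to: str
    client_from: str
    client_to: str
    tcode_from: str
    tcode_to: str
    target_user: Optional[str] = None  # None on the "Same Source and Target Users" tab

    def is_non_secure(self) -> bool:
        """The alert icon in "Evaluation": a generic '*' in either client limit."""
        return "*" in (self.client_from, self.client_to)


@dataclass(frozen=True)
class TrustedCall:
    calling_user: str
    calling_client: str
    calling_tcode: str
    target_user: str


def in_range(value: str, low: str, high: str) -> bool:
    """Assumed limit semantics: '*' in the lower limit makes it a glob pattern,
    an empty upper limit means 'exactly low', '*' as upper limit is open-ended,
    otherwise the entry is an inclusive [low, high] range."""
    if "*" in low:
        return fnmatchcase(value, low)
    if not high:
        return value == low
    if high == "*":
        return value >= low
    return low <= value <= high


def entry_matches(entry: AclEntry, call: TrustedCall) -> bool:
    return (in_range(call.calling_user, entry.user_from, entry.user_to)
            and in_range(call.calling_client, entry.client_from, entry.client_to)
            and in_range(call.calling_tcode, entry.tcode_from, entry.tcode_to))


def acl_allows(same_acl: Sequence[AclEntry], dedicated_acl: Sequence[AclEntry],
               call: TrustedCall) -> bool:
    """Allowlist check: same-user calls use the first tab, all others the second."""
    if call.target_user in FORBIDDEN_TARGET_USERS:   # DDIC / SAP* never via ACL
        return False
    if call.calling_user == call.target_user:
        return any(entry_matches(e, call) for e in same_acl)
    return any(e.target_user == call.target_user and entry_matches(e, call)
               for e in dedicated_acl)


def is_allowed(method: str, same_acl: Sequence[AclEntry], dedicated_acl: Sequence[AclEntry],
               call: TrustedCall, s_rfcacl_check: Callable[[TrustedCall], bool]) -> bool:
    """Dispatch by access control method. `s_rfcacl_check` stands in for the
    S_RFCACL authorization check of the target user (modelled as a callable)."""
    same_user = call.calling_user == call.target_user
    if method == METHOD_AUTH or (method == METHOD_MIXED and same_user):
        return s_rfcacl_check(call)
    return acl_allows(same_acl, dedicated_acl, call)


def non_secure_entries(*acls: Sequence[AclEntry]) -> List[AclEntry]:
    """What the alert overview lists: every entry carrying the alert icon."""
    return [e for acl in acls for e in acl if e.is_non_secure()]


# Constructed sample ACL (users, clients and transactions are made up).
SAME_USER_ACL = [AclEntry("A", "ZZZZZZZZZZZZ", "100", "200", "*", "")]
DEDICATED_ACL = [
    AclEntry("ZBATCH*", "", "100", "100", "*", "", target_user="RFC_BATCH"),
    AclEntry("*", "", "*", "", "SE16", "", target_user="RFC_READ"),   # flagged: client '*'
]

if __name__ == "__main__":
    allow_all = lambda call: True   # stand-in: target user holds a matching S_RFCACL
    for call in (TrustedCall("ZBATCH01", "100", "SM37", "RFC_BATCH"),
                 TrustedCall("ZBATCH01", "200", "SM37", "RFC_BATCH"),
                 TrustedCall("DDIC", "100", "SE38", "DDIC")):
        print(call, is_allowed(METHOD_ACL, SAME_USER_ACL, DEDICATED_ACL, call, allow_all))
    print("alerts:", non_secure_entries(SAME_USER_ACL, DEDICATED_ACL))
```

Note that the same DDIC call is accepted under the pure authorization check whenever the S_RFCACL check succeeds, but always rejected once the list is used, which is the incompatible change the previous section warns about; whether that restriction also applies to same-user calls under the mixed method is not stated on this page, so the model applies it only on the ACL path.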

Displaying/Editing the Access Control Table on the "Security Check for Same Source and Target Users" Tab

Here, the entries from the access control list are selected for identical source and target users (display and edit) that have an alert icon (non-secure entry) in the "Evaluation" field. Once the entry has been corrected, a checked icon (a green checkmark) is displayed until the entry is saved. Once saved, the entry is removed from the table (if secure).

Displaying/Editing the Access Control Table on the "Security Check for Dedicated Target Users" Tab

Here, the entries from the access control list are selected for dedicated target users (display and edit) that have an alert icon (non-secure entry) in the "Evaluation" field. Once the entry has been corrected, a checked icon (a green checkmark) is displayed until the entry is saved. Once saved, the entry is removed from the table (if secure).

Deleting the Access Control Table

In the current client, all entries of the access control table for the displayed trusted system (specified by SYSID and installation number) are deleted, both for identical source and target users and for dedicated target users.

Performing an Initial Fill of the Access Control List for Dedicated Target Users

The access control table for the displayed system (SYSID, installation number, and client) is filled from the existing S_RFCACL authorizations, subject to the following rules and exceptions:

o Entries for the target users DDIC and SAP* are not included.

o Only entries with RFC_EQUSER = 'N' or with no value in the field RFC_EQUSER are applied.

o Before the access control list is filled, a prompt asks whether authorizations with the value "*" in the lower and upper limit of the authorization field RFC_CLIENT are also to be applied.

o Before the access control list of the system in question (SYSID, installation number, and target client) is filled with initial data, it is checked whether it is empty. If the list is not empty, a dialog box informs the user that it can be filled with initial data only if it is empty.
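The initial-fill rules listed above, as an added Python model. This is example code written for this page, not SAP's implementation: the SRfcaclAuth record (a reduced view of one S_RFCACL authorization in a target user's profile), the sample authorizations, and the treatment of "*" in either RFC_CLIENT limit as non-secure are assumptions for illustration.

```python
"""Model of the initial fill of the "Dedicated Target Users" list from S_RFCACL.

Constructed example for this page, not SAP code. An SRfcaclAuth record models one
S_RFCACL authorization in a target user's profile, reduced to the fields the fill
needs; the RFC_USER and RFC_TCODE limits are carried over unchanged.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FORBIDDEN_TARGET_USERS = {"DDIC", "SAP*"}


@dataclass(frozen=True)
class SRfcaclAuth:
    target_user: str       # user whose profile contains the authorization
    rfc_user_from: str
    rfc_user_to: str
    rfc_client_from: str   # RFC_CLIENT lower limit
    rfc_client_to: str     # RFC_CLIENT upper limit
    rfc_tcode_from: str
    rfc_tcode_to: str
    rfc_equser: str        # 'Y', 'N', or '' when the field is missing


class AclNotEmpty(Exception):
    """Raised in place of the dialog box: an initial fill needs an empty list."""


def initial_fill(existing_acl: List[Dict[str, str]], auths: List[SRfcaclAuth],
                 apply_generic_client: bool
                 ) -> Tuple[List[Dict[str, str]], List[Tuple[SRfcaclAuth, str]]]:
    """Return (generated entries, skipped authorizations with reason).
    `apply_generic_client` is the answer to "Also apply non-secure entries with
    generic client *?". Generated entries are not persisted here; saving is a
    separate explicit step, as on the page."""
    if existing_acl:
        raise AclNotEmpty("the list can be filled with initial data only if it is empty")
    entries: List[Dict[str, str]] = []
    skipped: List[Tuple[SRfcaclAuth, str]] = []
    for auth in auths:
        if auth.target_user in FORBIDDEN_TARGET_USERS:
            skipped.append((auth, "DDIC and SAP* are not valid target users"))
            continue
        if auth.rfc_equser not in ("N", ""):
            skipped.append((auth, "RFC_EQUSER must be 'N' or missing"))
            continue
        # Assumption: '*' in either RFC_CLIENT limit counts as non-secure,
        # matching the alert rule for Client(From)/Client(To) on the tabs.
        non_secure = "*" in (auth.rfc_client_from, auth.rfc_client_to)
        if non_secure and not apply_generic_client:
            skipped.append((auth, "generic client '*' declined in the prompt"))
            continue
        entries.append({
            "target_user": auth.target_user,
            "user_from": auth.rfc_user_from, "user_to": auth.rfc_user_to,
            "client_from": auth.rfc_client_from, "client_to": auth.rfc_client_to,
            "tcode_from": auth.rfc_tcode_from, "tcode_to": auth.rfc_tcode_to,
            "evaluation": "ALERT" if non_secure else "",   # the alert icon
        })
    return entries, skipped


# Constructed sample authorizations (users and values are made up).
SAMPLE_AUTHS = [
    SRfcaclAuth("RFC_BATCH", "ZBATCH*", "", "100", "100", "*", "", "N"),
    SRfcaclAuth("RFC_READ", "*", "", "*", "", "*", "", ""),        # generic client
    SRfcaclAuth("DDIC", "*", "", "100", "100", "*", "", "N"),       # forbidden target
    SRfcaclAuth("RFC_BATCH", "*", "", "100", "100", "*", "", "Y"),  # same-user auth
]

if __name__ == "__main__":
    entries, skipped = initial_fill([], SAMPLE_AUTHS, apply_generic_client=True)
    for e in entries:
        print(e["evaluation"] or "  ok ", e["target_user"], e["client_from"], e["client_to"])
    for auth, reason in skipped:
        print("skipped", auth.target_user, "->", reason)
```

Running it with apply_generic_client=True yields two entries, the RFC_READ one carrying the alert; answering "No" drops that entry as well, leaving only the client-bound RFC_BATCH entry.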

Cross-Client Alert Display

By choosing "Cross-Client Alert Display", the user displays an overview of all access control entries in the current target system that have an alert icon in the "Evaluation" field. This overview covers all source systems and all target clients.

Client Switch

By choosing "Client Switch" in the overview of trust relationships, the user displays a logon window for a different client in the same system.

Example