Tip: How To Analyze Missing RFC Authorization Objects with CCo

Hello community,

to create a user ID with the correct (minimal) rights to call an RFC function modul you can use CCo and the following method.

1. Create a new user ID with the TAC SU01, e.g. ZRFCTEST, with the user type Communication and don’t set any role assignments.
   
   
2. Try a simple connect with the following script:
   
   '-Begin-----------------------------------------------------------------
   
     '-Directives----------------------------------------------------------
       Option Explicit
   
     '-Variables-----------------------------------------------------------
       Dim SAP, hRFC, rc
   
     '-Main----------------------------------------------------------------
      Set SAP = CreateObject("COMNWRFC")
      If IsObject(SAP) Then
       hRFC = SAP.RfcOpenConnection("ASHOST=ABAP, SYSNR=00, " & _
         "CLIENT=000, USER=ZRFCTEST, PASSWD=minisap")
       If hRFC Then
         MsgBox "Check connection with TAC SMGW in the SAP system"
         rc = SAP.RfcCloseConnection(hRFC)
       End If
       Set SAP = Nothing
     End If
   
   '-End-------------------------------------------------------------------
   
   
3. Now, when you execute the script, you get the following error message:
   Image may be NSFW.
   Clik here to view.
   Also you can find more information with the TAC ST22.
   
   Image may be NSFW.
   Clik here to view.
   
4. Now create with the TAC PFCG a new role, e.g. ZRFCTEST, and maintain the authorization data. Add manually the authorization object S_RFC.
   
   Image may be NSFW.
   Clik here to view.
   
5. Add the activity execute (16) with the type function group and the name SYST, as you see in the error message.
   
   Image may be NSFW.
   Clik here to view.
   
6. Generate the role and add user ID in the user tab. Now you see the role in the role tab of TAC SU01.
   Image may be NSFW.
   Clik here to view.
   
7. Now all should work as expected.
   
   Image may be NSFW.
   Clik here to view.
   

With this method you have the possibility to analyze missing S_RFC authorization objects with your script step by step and to create therewith a user with the correct (minimal) authorization objects. As you can see from this example a simple RfcOpenConnection needs the S_RFC authorization object with activity execute and the function group SYST.

Hint: In newer SAP releases you have also the possibility to name the function module.

Image may be NSFW.
Clik here to view.

Enjoy it.

Cheers

Stefan