This article appeared in the Jul Aug Sep 2005 issue of SAP Insider and appears here with

■ ■

permission from the publisher, Wellesley Information Services (WIS), www.WISpubs.com.

Regular Feature
Secure the RFC
Connections in Security
Your SAP System Strategies
Landscape
Most discussion surrounding security re-examine the robust-
today tends to focus on the changing ness of your RFC.
security paradigm that goes hand in
hand with increasingly open IT architec-
Revisiting RFC
tures. And rightly so, since opening up
Security
previously closed systems makes certain
security aspects more vital than ever A Remote Function
before. Too often, though, companies Call involves calling a
fail to review existing security measures function module that
runs in a different
when making fundamental changes to Sarah Maidstone, SAP AG Frank Buchholz, SAP AG
their security infrastructure. system (server) from
the program that calls
In this article, we’ll look at the
it (client). The informa-
consequences of increasingly complex When you grant access across system
tion on how to reach the remote system —
and open system landscapes with respect boundaries, however, there is always a
including data that describes the network
to one tried and tested technology, Remote certain element of risk involved. In the
connection, and authentication data for
Function Call (RFC), SAP’s interface case of RFC, there are two primary
the RFC user — is stored in what is
protocol for cross-system communication. vulnerabilities:
known as the RFC destination. While RFCs
Many customers do not fully understand
are most commonly used between two 1. In logon data for service users stored
the risks involved in continuing to use
SAP systems, it is also possible to call in the RFC destination
RFC connections across their SAP
specially programmed functions from non-
landscapes, or how to implement a
SAP systems. This type of connectivity is 2. In the reliance on authorizations to
strong authorization concept to
generally used to replicate data — for repel any potential attack
mitigate or avoid these risks.
example, when sharing master or trans-
action data, or when SAP BI reads Depending on the type of application
✔ Note! information from other business systems in each case, you either need to configure
Specific functionality in this using RFC and then produces reports a service user for the RFC destination,
article refers to SAP NetWeaver based on that stored data. or to ensure that the appropriate user
2004 and applications based information is forwarded — and these
on it, though the basic security RFCs are also used when centralizing users have to be assigned to appropriate
principles described here apply certain system management functions — authorizations. We’ll step through these
to earlier releases as well. such as for SAP Solution Manager or processes later in the article.
Central User Administration, which take
Before changing or expanding a sweeping, cross-system approach to
your system infrastructure — for SAP data and activities. Using these The Risks of Remote System
example, if you’re considering adding applications, an administrator logs on to Connection
new SAP systems like SAP Enterprise one central SAP system but performs Let’s examine these vulnerabilities in
Portal or mySAP CRM — be sure to actions in all connected systems. more detail.

Subscribe today. Visit www.SAPinsider.com.

1. Logon Data for Service Users means that, regardless of the user’s
Stored in the RFC Destination A service user account is a technical actual identity and authorizations within
The first threat is in exposing service user master data record where the user the calling system, he or she takes on the
user data stored in the RFC destination. ID and password are stored in the identity and authorizations of the service
Consider, for example, that you need to client system. user once inside the target system. Here’s
run a report of open financial accounts where the vulnerability lies: An attacker
on a nightly basis. To run this report, could try to use the defined RFC destina-
your data warehouse needs to pull data Where service users are used, the tion to call other RFC function modules.
from your FI system automatically. logon data (user ID and password) for The authorizations granted to the service
Though there’s not a human user directly that service user is then stored in the user must block this type of attack.
keying in his or her user ID and password, RFC destination. Whenever another
So it follows that customers who
your BI system still needs to log on to program uses the RFC destination, this
choose to use service users for RFC
your FI system to access the necessary logon data is used for user authentication.
destinations should carefully limit the
data, so a “service user” logs in as a The service user’s authorizations are
authorizations granted to those service
generic BI system user. also applied in the target system. This
users. For a look at exactly what this
involves, see the sidebar, “How to
Determine the Right Authorizations:
How to Determine the Right Authorizations:
The Security Audit Log.”
The Security Audit Log
The Security Audit Log is a record of security-related system information such
as configuration changes or unsuccessful logon attempts. To determine precisely 2. Reliance on Authorizations to
which RFC-related authorizations are needed for each user, customers can activate Repel Any Potential Attack
the Security Audit Log for RFC calls (see Figure 1) in the test and production Given that most system landscapes
systems for a couple of months, and use the log results to build roles that already include firewalls and gateways
contain the right authorizations. These roles are very useful, since customers in one form or another, why do RFC
should never assign any user full authorizations for the S_RFC authorization connections still need to rely on authori-
object. The performance and storage of the Security Audit Log have been zations to repel potential attacks? In an
optimized so that it is also suitable for use in production systems. SAP landscape, any user can attempt to
create an RFC connection between any
For more information on how to activate the Security Audit Log, visit
two SAP systems, or even from his or
http://help.sap.com, click the Documentation tab, the SAP NetWeaver tab, and
her PC to an SAP system, using the
enter the SAP NetWeaver ‘04 (SPS 11) documentation. Once in the SAP Library,
RFC Software Development Kit (SDK)1.
follow this navigation path: SAP NetWeaver
Security
System Security

System Security for SAP Web AS ABAP Only
Security Audit Log (BC-SEC). For example, an end user can use
an RFC connection to retrieve reports
from the backend data system through
an Excel front end of SAP BI. In this
case, even well-configured firewall rules,
application gateway rules, and gateway
access control rules would not normally
provide any protection; if RFC connec-
tions are used at all in the landscape,
then firewalls and gateways are config-
ured to allow them through.

This is why SAP’s robust, fine-

grained authorization concept plays
such a central role — because it’s

1
The RFC Software Development Kit, or RFC SDK, is
an SAP plug-in for RFC. With RFC SDK’s Remote
Function Call API, users can remotely call ABAP
Figure 1 Security Audit Log: Configuration Setting to Analyze RFC Calls function modules from C programs, as well as receive
call requests from an ABAP program by the CALL
FUNCTION interface.

Subscribe today. Visit www.SAPinsider.com.

the job of the SAP system to do all
authorization checks, which the fire- Using RFC Trusted System Networks
wall isn’t able to perform anymore. To mitigate the risk of storing logon information in an RFC destination, it is
This means that authorizations, possible to establish a trust relationship between the calling system (system A
including those of service users if they in Figure 2) and the destination (system B). In this case, the destination accepts
are used to establish RFC connections, connections from dedicated calling systems, known as trusted systems. No
have to be configured very carefully. password is needed to access the destination from the trusted system. Since it
is also possible to map individual users and their authorizations between the
Use Authorization Objects two systems, it is therefore easy to control the user’s authorizations in the
to Secure Your Remote trusting target system. Unlike situations where service users are used, log files
Connections here will provide information about exactly which user accessed the target
Establishing a solid, secure authorization system, and what actions they performed there.
concept for RFC connections in your
enterprise involves making these three
authorization objects household names:
S_ICF, S_RFCACL, and S_RFC. To
ensure the security of your remote
connections, confirm that these objects
are all configured properly and are
being used to their full advantage:

✔ S_ICF (available in SAP Web

Application Server release 6.20
and higher)
If an SAP system wants to establish
an RFC connection to another SAP Figure 2 An RFC Trusted System Network
system, S_ICF is carried out in the
calling, or client, system to determine Using trust relationships in RFC connections, however, involves both oppor-
whether the user is allowed to call tunities and risks. In a trusted RFC relationship, the RFC destinations trust the
function modules using the RFC user management and administration of the calling system, so that users only
destination. This object could be found need to authenticate themselves once when they communicate with trusting
in the authorization profile of the user systems. If you have sound user management in place — where users are only
who is logged into the calling system. assigned rights they actually need and haven’t been given far-reaching authori-
The user can use only those RFC zations they don’t need — you can increase the level of security for your RFC
destinations that are configured in connections by doing away with the need to store passwords in the RFC desti-
the S_ICF object. nation. By performing authorization checks and producing change documents
under the user ID of the calling user in the RFC destination, customers are
✔ S_RFCACL (available from able to control and audit the RFC connections effectively.
SAP R/3 release 4.0)
Where trusted RFC is in place (see
✔ Note!
✔ Note!
sidebar “Using RFC Trusted System
AA prerequisite
prerequisite for
for successfully
successfully using
using aa trusted
trusted relationship
relationship isis that
that the
the
Networks”), S_RFCACL is used on user has
user has the
the corresponding
corresponding authorization
authorization object
object S_RFCACL
S_RFCACL in in the
the
the server, or target system, to deter- trusting server
trusting server system.
system.
mine whether the user logged on to the
client is permitted to access the server.
It is again imperative, however, that the relevant authorization objects are
properly configured and managed to prevent abuse of this trust relationship. If,
✔ S_RFC (available from
for example, you establish a trust relationship in a test system where anyone
SAP R/3 release 4.0) can create users, and most users have far-reaching authorizations, these rights
Of course, it’s not enough to restrict would be transferred to the trusting system, opening your system up to potential
access on a system level. It’s also abuse and outside attacks.
important to define which function

Subscribe today. Visit www.SAPinsider.com.

modules can be accessed remotely. This Authorization Description For Use Availability
is where the authorization object S_RFC Object When…
comes into play. S_RFC controls which
specific RFC functions in the target S_ICF Authorization check in the client You want to SAP Web
system can be executed by a service user system used to determine whether connect an AS release
or individual user. It is the most impor- the logged-on user is permitted to SAP system to 6.20 and
tant authorization object for protecting use the RFC destination to call another SAP higher
the target system because, while S_ICF function modules by RFC system
works only on the client system and S_RFCACL Authorization check in the server Trusted RFC SAP R/3
S_RFCACL is used only in the case of system used to determine whether systems are in release 4.0
trusted RFC, S_RFC is always used, the logged-on user in the client place and higher
protecting the server system at all times. system can log on to the server
To restrict access at this level, system with the desired user ID
customers need to be familiar with their S_RFC Authorization check in the server You need to SAP R/3
SAP system landscape and know what system used to determine whether determine release 4.0
RFC destinations are available within it. the user can execute the RFC which function and higher
Normally, the “service” type of user function module in the target modules can
should be used for service users, although system be accessed
the “communication” type is also possible. remotely
To determine which RFC-related author-
Figure 3 Essential Authorization Objects for Secure RFC Connections
izations are needed for each user,
customers can activate the Security
Audit Log (see sidebar back on page 82).
In addition, many J2EE applications A good place to start is by
For easy reference, Figure 3 offers a use RFC connections to access servers checking how robust the current
quick overview of these three essential in an SAP backend system. Most RFC RFC authorization concept is, using
authorization objects and their availability. destinations are available centrally in the steps we’ve outlined in this article.
the J2EE destination service. Calls can For more detailed information, see
be made both by individual users, with the presentation “Tips and Tricks for
Beyond Secure RFC
a mechanism similar to trusted RFC Setting Up an Authorization Concept to
Connections
and based on SAP Logon Tickets, and Secure the RFC Connections in an SAP
Over and above correctly configuring
by service users. In both cases, to avoid System Landscape” at SAP’s Service
the RFC connections themselves, other
errant users logging on to your systems, Marketplace (www.service.sap.com).
security issues still remain. In an SAP
it is still essential for customers to
client system, transactions and authori-
implement tight authorizations for
zation concepts are in place to ensure
S_RFC as described earlier. Sarah Maidstone has been a security product
that only the permitted users have
manager since 2002, and speaks regularly on
access to that data. But when it comes
security at SAP conferences. Sarah has seven
to external (non-SAP) programs — Conclusion
years of experience in various roles at SAP
a third-party identity management Particularly for those customers who
and holds an MA(Hons) degree in English
system, for example — they often store have been relying on RFC connections
Language and German.
data and authentication information that for some time and are gradually
corresponds to the RFC destinations. opening up their systems — for Frank Buchholz joined SAP in 1994. With a
Since anyone could use this data to example, if you’re upgrading to SAP strong focus on security, he worked in HR
log on to a system, the data must be Web Application Server 6.20 or newer quality management before participating
protected. A certain level of protection — it’s vital to review the traditional in the development of Secure Network
is normally provided by the operating security measures in place. It may be Communications and the Audit Information
system, where customers can ensure that your old standbys are no longer System. After assuming the development lead
via configuration that only the RFC strong enough, given the changing role for maintaining and improving user and
client is able to access the file. To nature of IT processes and system authorization management functions (ABAP),
control access to the registered RFC interaction. Your company information Frank joined the SAP NetWeaver Product
server programs, customers can edit the is just too important to risk to Management Security team as Security
gateway security settings. outdated security practices. Architect in the fall of 2003.

Subscribe today. Visit www.SAPinsider.com.