Friday, 10 May 2024

Create trusted RFC with specific technical user

As the SAP Basis administrator, we understand how to set up a trusted RFC connection between ABAP systems. This allows us to connect to the target system using our current user credentials, without needing to input them again, as shown in the screenshot. I hope this blog post finds you in good health. If you have any questions or concerns, please don't hesitate to reach out to me.

Create trusted RFC with specific technical user

But what if we want to use a specific technical user and still want to benefit from trusted RFC? Actually, we can do it with the same method and I will show you how in this blog post.

First of all, since we need to create the trusted RFC, we need to establish the trusted relationship between systems through transaction code SMT1. In the scope of this blog, I’ll assume that we need to define the trust between system AA and BB.

1. Go to SMT1 Tcode on AA, and click the “Create” button to start the process.

Create trusted RFC with specific technical user

2. Click “Continue”.

Create trusted RFC with specific technical user

3. On the next screen, we need to provide the information about the target server and login information. It'll create a new RFC on the target server called "TRUSTING@<SID>xxxxxxxx".

Create trusted RFC with specific technical user

4. On the following screens, just click on “Continue” and “Finish” on the final screen.

Create trusted RFC with specific technical user

Create trusted RFC with specific technical user

Create trusted RFC with specific technical user

5. Now, it’s finished on the first system AA and you need to do the same steps on the second system BB.

Next, we need to make sure that the technical user on the source system has enough authorizations to allow the trusted call from the source system.

For that purpose, the user role needs to have the authorization object S_RFCACL. Below is the description of its field.

  • ACTVT: always 16. It’s the only value we can specify.
  • RFC_CLIENT: In this field, we can specify which client we allow to make the trusted connection. For example: the AA system has 3 clients 001, 002, and 003, but if we want to grant the trusted connection from client 002 only, then we need to specify here the value 002. The connection from clients 001 and 003 will be rejected.
  • RFC_EQUSER: This is the important field for making trusted RFCs with another user. In this case, we want to connect with a specific technical user, therefore we set it to value “N”.
  • RFC_INFO: the installation number of the calling system. We can set it to ‘*’, then the role can be used by multiple source systems, or you can specify here the list of installation numbers that allow you to create a trusted connection.
  • RFC_SYSID: SID of the calling system.
  • RFC_TCODE: Calling transaction code.
  • RFC_USER: ID of the calling user.

After finishing the role creation, please make sure that the role will be assigned to the technical user on the called system.

We have come to the final step. For details on creating the RFC in SM59, please refer to the SAP help documentation. In this blog, I’ll focus only on trusted RFC settings.

After specifying the target hostname and SID, go to the Logon & Security tab and set the Trust Relationship to “Yes”.

Now, instead of setting the checkbox at “Current User”, we will leave it blank and give the information about the technical user from the called system. Of course, the password is no longer necessary because we’re creating a trusted connection.

Create trusted RFC with specific technical user

Save the connection and execute “Authorization Check”.

Create trusted RFC with specific technical user

At this point, if you log in to the called system and go to TCode SM59. Then you will see the connection from the calling system but from that technical user, not ours.

Create trusted RFC with specific technical user

No comments:

Post a Comment