On the basis of specially prepared RFC statistics records, an administrator decides which remote-enabled

function modules (RFMs) are to be exposed to the outside and assigns them to a Default Communication
Assembly that is provided by the framework together with the default configuration and default host. Only
these RFMs in thedefault CA are then able to be reached from the outside, outside access is blocked for
all the other RFMs: They can no longer be accessed from outside the system but can still be called for
system-internal scenarios such asload balancing and asynchronous scenarios.
NoteAlongside the RFC Basic scenario, you can use the Role Builder scenario to determine which
RFC authorizations are required and create appropriate user roles.

Process

Logging Phase

To achieve this protection, you must first find out which RFMs must be reachable from the
outside in the affected system.
For this you persist the RFC calls with the UCON Framework in the relevant server system
using a freely-definable time period in the logging phase. This happens without affecting
performance by the framework saving the intended part of the statistics records collected
by the system.
After the selected time period has expired, it is possible to assign all RFMs called from the
outside to the default CA or to assign all RFMs that are to be exposed by default CA
individually. However, it is possible to assign additional RFMs to the default CA or to
remove an assignment.
Evaluation Phase

After the logging phase has expired, an evaluation or simulation phase follows. The
duration of this phase can be selected individually. Here you can check without risks if
you need to expose more RFMs for the business scenarios running in the system than
those that are already in the default CA.
In this evaluation phase there are no consequences if calling an RFM does not pass the
runtime checks of Unified Connectivity. In this way you can find out which RFMs you still
need to assign to the default CA without an RFM with errors possibly blocking productive
scenarios.
Productive Phase
If the security that all required RFMs are in the default CA exists after the logging and
evaluation phase, the UCON runtime checks can be activated in a third phase
(final or productive phase). The protection of the RFC server security scenarios exists
from this point: Only the RFMs in the default CA are still reachable from the outside at
runtime. If an RFM (that is not in the default CA) is called from the outside, a runtime
error is created with corresponding error message and error logging in the system log.

Role Builder Scenario: Process

Analyze the required RFC notifications and create the relevant user roles.
Process

Firstly, all function modules are selected on the basis of specific criteria (for example,

destination used, client to be run, users to be run on the server side).

In the next step you can assign function modules with the same authorization

requirements to different Communication Assemblies (CAs) that you have created for this
purpose.
The assignment to a CA takes place on the basis of the attributes selected above.
You can then create an ABAP user role that contains the corresponding authorization
object SRFC for each CA using transaction PFCG.

Example
You have created a MyDEST destination and have defined a user for external RFC
communication in this destination.
After activating the UCON loggings you can analyze the collected data by selecting all of the
function modules that were called using the MyDest destination and assign them to a
corresponding CA.
Using transaction PFCG you then create a user role with authorization object SRFC where the
authorization is only granted for the list of selected function modules.
If you then assign this role to the user defined in the destination, an external client can only
call those function modules that are defined in the list.

UCON CCMS Monitoring: Functions

Detailed information for monitoring UCON processes in the CCMS Monitor (transaction
RZ20).
In the following section you find a detailed description of the functions of the UCON CCMS
Monitoring that are available in the central CCMS Monitor (transaction RZ20). The individual
monitoring functions are shown in the following navigation nodes:

Prerequisites

Worklist for UCON Phase Tool

Transport Status of Phase Assignments

Status of Runtime and Design Time

Status of Batch Jobs