function modules (RFMs) are to be exposed to the outside and assigns them to a Default Communication
Assembly (default CA) that is provided by the framework together with the default configuration and default host. Only
the RFMs in the default CA can then be reached from the outside; outside access is blocked for
all other RFMs. They can no longer be accessed from outside the system but can still be called in
system-internal scenarios such as load balancing and asynchronous scenarios.
Note: Alongside the RFC Basic scenario, you can use the Role Builder scenario to determine which
RFC authorizations are required and create appropriate user roles.
Process
Logging Phase
To achieve this protection, you must first find out which RFMs must be reachable from the
outside in the affected system.
To do this, you use the UCON Framework to record the RFC calls in the relevant server system
over a freely definable time period, the logging phase. This does not affect
performance, because the framework saves the relevant part of the statistics records collected
by the system.
After the selected time period has expired, you can either assign all RFMs called from the
outside to the default CA or individually assign the RFMs that are to be exposed through the
default CA. You can also assign additional RFMs to the default CA or
remove an assignment.
Evaluation Phase
After the logging phase has expired, an evaluation or simulation phase follows. The
duration of this phase can be selected individually. Here you can check without risk whether
you need to expose more RFMs for the business scenarios running in the system than
those that are already in the default CA.
In this evaluation phase there are no consequences if a call to an RFM does not pass the
runtime checks of Unified Connectivity. In this way you can find out which RFMs you still
need to assign to the default CA without a failed check blocking productive
scenarios.
Productive Phase
Once the logging and evaluation phases have established that all required RFMs are in the
default CA, the UCON runtime checks can be activated in a third phase
(final or productive phase). The protection of the RFC server security scenario applies
from this point: only the RFMs in the default CA are still reachable from the outside at
runtime. If an RFM that is not in the default CA is called from the outside, a runtime
error is raised with a corresponding error message and an entry in the system log.
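The three phases can be modelled in a few lines. The following Python sketch is an added illustration, not SAP code or part of the UCON Framework; the class, the RFM names and the log message text are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Phase(Enum):
    LOGGING = 1      # external calls are only recorded
    EVALUATION = 2   # checks are simulated, nothing is blocked
    PRODUCTIVE = 3   # checks are enforced

@dataclass(frozen=True)
class RfcCall:
    rfm: str         # name of the called function module (placeholder names below)
    external: bool   # True if the caller is outside the system

class UconModel:
    """Toy model of the default-CA rollout described above (hypothetical, not SAP's API)."""
    def __init__(self):
        self.phase = Phase.LOGGING
        self.default_ca = set()    # RFMs reachable from the outside
        self.logged = set()        # external RFMs seen in the logging phase
        self.would_block = set()   # evaluation-phase findings
        self.syslog = []           # productive-phase rejections

    def end_logging(self):
        # Assign every RFM that was called from the outside to the default CA.
        self.default_ca |= self.logged
        self.phase = Phase.EVALUATION

    def call(self, c: RfcCall) -> bool:
        """Return True if the call is allowed to run."""
        if not c.external:
            return True                    # system-internal calls stay possible
        if self.phase is Phase.LOGGING:
            self.logged.add(c.rfm)
            return True
        if c.rfm in self.default_ca:
            return True
        if self.phase is Phase.EVALUATION:
            self.would_block.add(c.rfm)    # failed check, but no consequence
            return True
        self.syslog.append(f"external call to {c.rfm} rejected: not in default CA")
        return False

def run_demo():
    m = UconModel()
    m.call(RfcCall("Z_ORDER_CREATE", True))       # constructed sample traffic
    m.call(RfcCall("Z_INTERNAL_BALANCE", False))
    m.end_logging()
    m.call(RfcCall("Z_MONTH_END_EXPORT", True))   # missed by the logging window
    m.default_ca |= m.would_block                 # admin assigns the finding
    m.phase = Phase.PRODUCTIVE
    probes = [("Z_ORDER_CREATE", True), ("Z_MONTH_END_EXPORT", True),
              ("Z_DEBUG_TOOL", True), ("Z_DEBUG_TOOL", False)]
    return m, [m.call(RfcCall(n, ext)) for n, ext in probes]
```

The run shows why the evaluation phase matters: the RFM that the logging window missed is caught as a finding instead of failing in production, while the unassigned RFM is rejected only for the external caller.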
Firstly, all function modules are selected on the basis of specific criteria (for example,
requirements to different Communication Assemblies (CAs) that you have created for this
purpose.
The assignment to a CA takes place on the basis of the attributes selected above.
You can then create an ABAP user role that contains the corresponding authorization
object SRFC for each CA using transaction PFCG.
Example
You have created a MyDEST destination and have defined a user for external RFC
communication in this destination.
After activating UCON logging, you can analyze the collected data by selecting all of the
function modules that were called using the MyDest destination and assigning them to a
corresponding CA.
Using transaction PFCG, you then create a user role with authorization object SRFC where the
authorization is only granted for the list of selected function modules.
If you then assign this role to the user defined in the destination, an external client can only
call those function modules that are defined in the list.
Prerequisites