What minimum permissions/access rights does a SAP user need to be able to make RFC calls using JCo?

Question

I'm trying to call a SAP function RFC_SYSTEM_INFO from Java application. I am using JCo 3.0 for that. I'm using the example code provided from JCo documentation.

I get an exception

Caused by: RfcException: [IA1|CZVBIIN101] 
message: No RFC authorization for function module DDIF_FIELDINFO_GET. 
Return code: RFC_SYS_EXCEPTION(3) 
error group: 104 
key: RFC_ERROR_SYSTEM_FAILURE 
message class: 00 
message type: X 
message number: 341 
message parameter 0: RFC_NO_AUTHORITY 

According to my colleague who was looking in the SAP log (I know nothing about SAP, he knows), before calling the function RFC_SYSTEM_INFO, JCo makes about 7 calls, some of which require the "developer's permissions". So, what we don't understand is why we would need developer's permissions for such a simple call? Why does JCo make so many calls instead of making only one call?

For example, I don't understand why we need to call the function module DDIF_FIELDINFO_GET? I just want to call RFC_SYSTEM_INFO, not DDIF_FIELDINFO_GET. Is it possible to call RFC_SYSTEM_INFO without calling RFC_SYSTEM_INFO?

What are the minimum access rights the user should have to be able to make RFC calls?

Answer 1

There is a specific authorisation object for RFC call.

In your role you add the object S_RFC (RFC calls auth. check) in the class AAAB (auth. object, all applications). You fill it with object 'FUGR' and the set of function group that you want to use (as always, '*' is possible but not recommanded)

This limit the RFC function call that you user can perform to the list you defined.

also, as niccolo said, the function module you call must be RFC enabled.

Also, an abbaper may also use the ST01 transaction to get a system trace on the authorizations check of your user for RFC calls, and get the list of function module you need.

Answer 2

It's all in the documentation. :-)

The Java connector needs some basic permissions to read the metadata of the function module - otherwise it wouldn't know how to encode and decode the data for this specific backend system. DDIF_FIELDINFO_GET is a part of that process.

(One has to keep in mind that besides the release-dependent changes, many structures can be extended or modified, so even if you're calling the same function module in different systems, there's no guarantee that the structures will be exactly the same.)

Answer 3

Since SAP has removed the SAP documentation referred to in the answer by vwegert, adding the available info scattered through "archive.sap.com" answering this question.

The reference JCO user to check for the required role is SAPJCF. The closes role that seems to work for many is SAP_BC_JSF_COMMUNICATION. The user should also not have dialog authorization.

References:

https://archive.sap.com/discussions/thread/631020 https://archive.sap.com/discussions/thread/375125

Answer 4

Behind the scenes, SAP makes several calls within one RFC call. In addition, SAP makes security calls to ensure you have the rights to invoke what you're invoking. It does this for any function module call, not just RFC ones.

I don't know what DDIF_FIELDINFO_GET does in particular - it may be one of the calls SAP makes to satisfy your overall call RFC_SYSTEM_INFO.

In addition, to be eligible to be called as part of an RFC, the SAP function module has to be "remote enabled" (that may be in SE37 but don't quote me on that).

Answer 5

SAP has documented the required minimum RFC user authorizations for several usage scenarios in detail in the following note:

• 460089 - Minimum authorization profile for external RFC programs