Since Release 3.1G you have been able to run RFC authorization checks based on the (called) function group.
If the instance profile parameter 'auth/rfc_authority_check' is set to 1, the system automatically runs an RFC check. The authorization check refers to the function group of the function module to be called. If no authorization exists, this leads to runtime error RFC_NO_AUTHORITY. If the RFC communication takes place within one system and in the same user context, i.e., the same client and user identification, no RFC authorization check is performed.
You can check the authorization in advance using function module AUTHORITY_CHECK_RFC. The system runs the RFC authorization check each time you access the called function module using RFC (the system checks the corresponding function module groups).
The authorization is checked using authorization object S_RFC.
This authorization object contains the following three fields:
In addition, from Release 4.0 you can also set up a trusted relationship between systems (see also documentation on Trusted/Trusting Systems). This sets up a trusted relationship between the calling and the called systems, whereby this relationship is initiated by the called system. In the called system you must then specify the users in the calling system who may execute Remote Function Calls over this type of trusted relationship (trusted users). Additionally, you must assign trusted profiles (authorization object S_RFCACL) to the trusted users in the called system.
This authorization contains the following fields:
Using this, you can specify exactly which users may call remote function modules using other user IDs.
Note: The authorization check based on the function groups (authorization object S_RFC) takes place independently of the authorization checks within the trusted systems.
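The decision rules described above, modelled as an added Python example for reviewing which RFC calls reach a function group without an S_RFC check. This is not SAP code: the record layout, the simplified S_RFC and S_RFCACL tables, the TRUSTED_DENIED and NO_S_RFC_CHECK labels and all sample systems, users and function groups are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RfcCall:
    # Hypothetical record layout for this example, not an SAP structure.
    caller: tuple          # (system, client, user) issuing the call
    target: tuple          # (system, client, user) the call runs as
    function_group: str    # group of the called function module
    trusted: bool = False  # call uses a trusted relationship

def evaluate(call, check_enabled, s_rfc, s_rfcacl):
    """Return the outcome of one call.

    check_enabled: True when auth/rfc_authority_check is set to 1.
    s_rfc:    target user -> set of function groups (simplified S_RFC).
    s_rfcacl: target user -> set of trusted callers (simplified S_RFCACL).
    """
    target_user = call.target[2]
    # Trusted-system check; independent of the S_RFC check below.
    if call.trusted and call.caller not in s_rfcacl.get(target_user, set()):
        return "TRUSTED_DENIED"  # label invented for this example
    # Same system, client and user: no RFC authorization check is performed.
    if not check_enabled or call.caller == call.target:
        return "NO_S_RFC_CHECK"
    if call.function_group in s_rfc.get(target_user, set()):
        return "ALLOWED"
    return "RFC_NO_AUTHORITY"

def unchecked(calls, check_enabled, s_rfc, s_rfcacl):
    """Calls that reach a function group the target user holds no S_RFC grant for."""
    return [c for c in calls
            if evaluate(c, check_enabled, s_rfc, s_rfcacl) == "NO_S_RFC_CHECK"
            and c.function_group not in s_rfc.get(c.target[2], set())]

# Constructed sample data.
S_RFC = {"BATCH": {"ZGRP_READ"}, "SVC": {"ZGRP_READ"}}
S_RFCACL = {"SVC": {("PRD", "100", "ALICE")}}
CALLS = [
    RfcCall(("DEV", "100", "BATCH"), ("DEV", "100", "BATCH"), "ZGRP_ADMIN"),
    RfcCall(("QAS", "200", "BATCH"), ("DEV", "100", "BATCH"), "ZGRP_READ"),
    RfcCall(("QAS", "200", "BATCH"), ("DEV", "100", "BATCH"), "ZGRP_ADMIN"),
    RfcCall(("PRD", "100", "BOB"), ("DEV", "100", "SVC"), "ZGRP_READ", True),
    RfcCall(("PRD", "100", "ALICE"), ("DEV", "100", "SVC"), "ZGRP_ADMIN", True),
]

def outcomes(check_enabled=True):
    return [evaluate(c, check_enabled, S_RFC, S_RFCACL) for c in CALLS]
```

The first sample call shows the case to review: a call within one system and the same user context executes a function group for which the user holds no S_RFC grant, because no RFC check is run at all.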