SAP Note

Header Data

Symptom

This SAP note describes new switchable authorization checks for RFC function modules in application Materials Management Purchasing.

Other Terms

SACF, RFC, authorization

Reason and Prerequisites

Remote calls to RFC function modules are protected by checks on the authorization object S_RFC. Authorizations for S_RFC must be limited to the required minimum authorizations for all users to ensure system security. Many RFC function modules can be sufficiently protected using S_RFC authorization checks. These RFC function modules often do not perform additional functional authorization checks. Please see SAP note 2008727 for further information on RFC Security.

It was identified that S_RFC authorization checks might not be sufficient to ensure secure execution for RFC function modules covered by this note. Activate new switchable authorization checks and update corresponding roles if these RFC function modules are included in S_RFC authorizations in your system. 

Solution

New switchable authorization checks have been implemented. The checks are delivered inactive to ensure compatibility with your running processes. The checks can be activated in transaction SACF as described in attached manual correction instruction.

New authorization scenario(s)

The following new authorization scenarios can be maintained in transaction SACF after implementation of this SAP note.

Scenario 1: 

Templates - Document templates in Purchase Requisition / Purchase Order

You can use document templates to simplify the creation of documents by using SAP GUI transactions ME21N (PO) and/or ME51N. This feature is also used in WebDynpro application Single Processing of Purchase Requisitions (SPPR)

Affected business processes and roles

Create/Change business document Purchase Requisition and/or Purchase Order

Affected RFC function modules

TEMPLATE_UPDATE

Scenario 2: 

SAP Sourcing Integration -  Create document type, document name, document line concatenated as text into IMG text id of related PR and RFQ item

You are activating the SAP Sourcing integration in SAP ERP.

Affected business processes and roles

Create and/or Change Purchase Requisition and/or Request for Quotation

Affected RFC function modules

    2028954 - Switchable authorization checks for RFC in Application MM-PUR  

Version   2     Validity: 11.06.2014 - active   Language   English (Master)

Released On 11.06.2014 05:04:26

Release Status Released for Customer

Component MM-PUR-INT-ESO Integration ESO

EP-PCT-PUR-BP BP for Buyer

MM-PUR-PO-GUI Userinterface - Purchase Orders

MM-PUR-REQ-GUI Userinterface - Purchase Requisitions

Priority Correction with medium priority

Category Program error

Other Components

BBP_ES_PR_RFQ_UPDATE_INT

------------------------------------------------------------------------ |Manual Activity                                                       | ------------------------------------------------------------------------ |VALID FOR                                                             | |Software Component   SAP_APPL                      SAP Application   | | Release 600          SAPKH60001 - SAPKH60025                         | | Release 603          Until SAPKH60314                                | | Release 604          SAPKH60401 - SAPKH60415                         | | Release 605          Until SAPKH60512                                | | Release 606          SAPKH60601 - SAPKH60612                         | | Release 616          Until SAPKH61607                                | | Release 617          SAPKH61701 - SAPKH61704                         | ------------------------------------------------------------------------

1. Start transaction SE91 for message class MMPUR_BASE.

2. Navigate to message numbers 300 and 301.

3. Mark both entries and choose button 'Change'.

4. Enter for message number 300 the following text:

              Ext. RFC not allowed for & 1 (SAP note 2028954)

5. Enter for message number 301 the following text:

              Install note 1882417

6. Mark both messages (300 and 301) as self-explanatory.

------------------------------------------------------------------------ |Manual Activity                                                       | ------------------------------------------------------------------------ |VALID FOR                                                             | |Software Component   SAP_APPL                      SAP Application   | | Release 602          Until SAPKH60215                                | ------------------------------------------------------------------------

1. Start transaction SE91.

2. Create message class MMPUR_BASE with the following attributes:

a) Package: MMPUR_BASE

b) Short text: General message class for application MM-PUR

3. Navigate to message numbers 300 and 301 on tabstrip 'Messages'.

4. Mark both entries and choose button 'Change'.

5. Enter for message number 300 the following text:

              Ext. RFC not allowed for & 1 (SAP note 2028954)

6. Enter for message number 301 the following text:

              Install note 1882417

7. Mark both messages (300 and 301) as self-explanatory (if not defaulted).

Validity

Software Component From Rel. To Rel. And Subsequent

SAP_APPL 600 600  

602 602  

603 603  

604 604  

605 605  

606 606  

616 616  

617 617  

Correction Instructions

Support Packages & Patches

Correction Instructions

Software Component Valid from Valid to Number

SAP_APPL 600 600 1737237

SAP_APPL 602 602 1737236

SAP_APPL 603 603 1737235

SAP_APPL 604 604 1737233

SAP_APPL 605 605 1737231

SAP_APPL 606 606 1737184

SAP_APPL 616 616 1737230

SAP_APPL 617 617 1737188

Support Packages

Software Component Release Support Package

SAP_APPL 600 SAPKH60026

602 SAPKH60216

603 SAPKH60315

604 SAPKH60416

605 SAPKH60513

606 SAPKH60613

616 SAPKH61608

617 SAPKH61705