Downtime Announcement: Please note the SAP Community Wiki will be unavailable due to a system upgrade on Thursday, September 24th between 6 and 7 AM CEST
Skip to end of metadata
Go to start of metadata

Did you ever have struggled to analyze RFC calls using transaction ST03N for building authorizations for authorization object S_RFC because you have missed information about the function groups or you have wanted to filter the result by user group or user type?

Well, in this case you might love this small Report ZRFC_STATRECS_SUMMARY   which reads the Workload Statistics about RFC calls and shows the called RFC functions, function groups and user attributes in a simple-to-use grid format.

By the way: There exist a similar report ZTCODE_STATRECS_SUMMARY to analyze transaction calls and authorizations for S_TCODE. (For release 4.6C use the downported version of the report ZTCODE_STATRECS_SUMMARY_46C )

Standard transaction STRFCTRACE can replace the Z-report described in this blog (see note 2080378).

Features

  • Read daily, weekly or monthly Workload Statistics about RFC calls and filter records by user, user type, user group, RFC destination, RFC function or function group.
  • You can use the standard sorting and filtering functions of the grid control. In addition you can copy the data or export it to a flat file.
  • Show called RFC functions or used RFC destinations.
  • Show authorizations of remote users concerning authorization object S_RFC and verify used and unused authorizations. You can identify missing authorizations as well as undesirable full authorizations.

Limitation: This report works as of SAP_BASIS release 7.00.

As preparation you should verify the profile parameter  stat/rfcrec . This profile parameter defines how many RFC function modules per RFC connection will be recorded. I recommend to raise the value from default value 5 to a higher value. Otherwise it may happen that you miss some calls.

By default, the monthly aggregates are kept for 2 month. I suggest to increase the data retention time to 6 (or even 12 month) using transaction ST03N -> Collector and Performance DB -> Performance Database -> Workload Collector Database -> Control -> Increase value of total  monthly aggregates for profiles WO WP WQ WR. 

 

Data options

Data Option "CL: Show RFC functions executed by RFC client"

These records show outgoing calls including calling users, destinations and called functions.
Get the Workload Statistics about "RFC Client" (CL) to analyze which programs initiate outgoing RFC calls. To show the caller copy the RFC function name, navigate to the calling program (double click on program name) and search for the RFC function name globally in the program.

User fields:
MANDT, ACCOUNT: calling user in RFC client (local system)
USERID: called user in RFC server
RFC_CALLER: empty
RFCUSER: called user in RFC server (as defined in RFC dest. or "<same user>")

Data Option "SV: Show RFC functions executing in RFC server (and show RFC authorizations)"

These records show incoming calls including users, destinations and called functions and function groups.
You use these records to optimize authorizations for S_RFC on the called system.

Get the Workload Statistics about "RFC Server" (SV) to analyze which authorizations for S_RFC are required for RFC system users or dialog users in a system.
Tipp: Select "RFC Server", sort result by user type (or user group) and by function group (or function name) and activate subtotals, hide all other fields, show subtotals only via Settings -> Define totals drilldown

User fields:
MANDT, ACCOUNT: called user in RFC server (local system)
USERID: called user in RFC server (local system)
RFC_CALLER: called user in RFC server (local system)
RFCUSER: empty

Data Option "CLD: Show RFC destinations called by RFC client"

These records show outgoing calls including calling users and destinations. You can show unused destinations, too.
You use these records to search for unused destinations which you can delete or for used destinations which you want to secure using the authorization object S_ICF on the calling system.
Get the Workload Statistics about "RFC Client Destination" (CLD) to analyze which RFC destinations have been used respective not used for outgoing RFC connections. You may want to delete or deactivate unused RFC destinations, especially if these contain authentication data for service users (see report RSRFCCHK and have a look to SAP Note 1646124 from November 2011 which describes the extension for checking http destinations (type G), too).
Tipp: Select "RFC Client Destinations" and "show unused destinations, too", filter result by task type "NOT USED" (or #Calls = 0), sort by connection type, hide other fields

User fields:
MANDT, ACCOUNT: calling user in RFC client (local system)
USERID: called user in RFC server
RFC_CALLER: empty
RFCUSER: called user in RFC server (as defined in RFC dest. or "<same user>")

Data Option "SVD: Show RFC destinations calling into RFC server"

These records show incoming calls including users and destinations.

User fields:
MANDT, ACCOUNT: called user in RFC server (local system)
USERID: called user in RFC server (local system)
RFC_CALLER: called user in RFC server (local system)
RFCUSER: empty

Selection Screen

Result for data option "RFC Server" (SV)

In this example we see several special results:

  • User SM_M37 in client 001 has mostly well defined authorizations, except for missing authorizations for function group SGWY which is marked yellow.
  • User SM_M37 in client 066 does not exist anymore, therefore we don't see any analysis of the authorizations
  • User SOLMAN_ADMIN in client 001 has full authorizations for authorization object S_RFC (in addition to some specific authorizations), therefore the authorizations are marked as critical. 

Within column "Authorizations for S_RFC" you can filter for entries showing an icon:
Filter for @* to find all entries showing an icon
Filter for   (03) * to find entries showing mssing authorizations
Filter for   (8N) * to find entries showing full authorizations

Result for data option "RFC Client Destination" (CLD)

Result for Summary

You can use the standard ALV functions to change the layout of the result. Here is an example showing user information and function information of a RFC server system which you easily can use to define authorizations for S_RFC.

How-to define a layout showing the summary:

1. Execute the report

2. Hide all columns keeping following fields in this order:
Client
Account
Function group
Function
# Calls

3. Sort by
Client
Account
Function group
Function

4. Activate sub-totals for column Function

5. Activate option Display -> Display total lines above the entries (optional)

6. Save the layout

7. Collapse selection in total line (you cannot save this settings)

Authorization analysis

Within the view "RFC Server" (SV) you can double click on a user account to show the authorizations of this user concerning authorization object S_RFC. The authorizations for function groups (RFC_TYPE = FUGR) and for functions (RFC_TYPE = FUNC) are listed together with the count of calls which are granted by an authorization value. You can use this view to identify authorizations which are not used at all.

Download

Report ZRFC_STATRECS_SUMMARY
Report ZTCODE_STATRECS_SUMMARY
Report ZTCODE_STATRECS_SUMMARY_46C


Schönen Gruß / Kind regards
Frank Buchholz
SAP CoE Security Services

7 Comments

  1. Unknown User (h0hr956)

    Hello Frank,

    Thanks. We are working on a customer requirement to optimize the RFC authorizations and this seems to be a very useful report for analyzing RFC destinations. We would like to seek one clarification. What is the difference between the reports CL: Show RFC functions executed by RFC client and CLD: Show RFC destinations called by RFC client except for unused RFC destinations? and what is the difference between the reports SV: Show RFC functions executing in RFC server (and show RFC authorizations) and SVD: Show RFC destinations calling into RFC server?

    Regards,

    Subramaniam Iyer

  2. Former Member

    Hello Frank,

    i have a question for you due to "SV: Show RFC functions executing in RFC server" selection. If i run this i assume that in the field target the RFC-Destination is mention. But the user in the field account don't match to the user which is stored in the RFC-Destination in SM59.

    Can you explain me this problem.

    Regards,

    Bernhard  

     

  3. SV = We see the RFC function calls which are executed here in the RFC server system.

    Observation of a test run in a demo system:

    The fields "Client in local system" and "Account in local system" show which user executes the RFC function here in the RFC server system. This should be the client and user which is defined in the RFC destination "Target" in the calling RFC client system. (The field "Userid" seems to be the same like "Account in local system" and field "RFC Caller" is.  We should see the user in the RFC client system which has triggered the RFC call.)

    Now you tell that "Client in local system" and "Account in local system" do not match to the definition of the RFC destination "Target" in the calling RFC client system. Correct?

    Let's assume that you talk about a RFC destination with defined user (and not about a login-destination or a destination with trusted-RFC-same-user).

    Well, then I've no explanation for your result ...

    The Z-report simply shows what you can see in transaction ST03N, therefore I suggest the following: Check the result in ST03N and if the is a mismatch, too, raise a ticket BC-CCM-MON. On the other hand, if ST03N shows expected data, tell me that I can search for a bug in the Z-report. 

    Kind regards
    Frank Buchholz

    P.S. Standard transaction STRFCTRACE can replace the Z-report described in this blog (see note 2080378).

     

  4. Former Member

    Thanks for the answer.

    Yes i am talking about a RFC-Dest. with stored user and password.

    I check the "RFC Client Profil" for the month and the called function module showen in you Z-report and ST03N i see the same data.

    Kind regards,

    Bernhard

     

     

    1. The RFC client calls the RFC server.
      CL = RFC Client Profile = outgoing RFC calls
      SV = RFC Server Profile = incoming RFC calls

      In case of CL you see the current user, who triggers an RFC call, in field "Account in local system" and you should see the called user of the in field "Userid" and field "RFC User".

      Kind regards
      Frank Buchholz

       

       

  5. The download links are no longer working.

    1. Just Search for the "ZTCODE_STATRECS_SUMMARY" and "ZRFC_STATRECS_SUMMARY" via Google and it wil link Directly to the SAP-Wiki Location :

      Regards

      Nic T.