Thread: CRMD_MKTDS and creating a datasource - which RFC user should be used?
This question is answered.
Replies: 4 - Pages: 1 - Last Post: Nov 6, 2009 8:05 PM - Last Post By: Julius Bussche

CRMD_MKTDS and creating a datasource - which RFC user should be used?
Posted: Oct 15, 2009 12:01 PM
Hi
Our developers are using CRM transaction CRMD_MKTDS and clicking on create data source, and setting Origin Type to Business Intelligence Cube. They then need to enter an RFC destination in order to connect to the BI system and fill the BW Report field.
If they enter BIDCLNT100 then this produces errors as the user specified in this RFC connection is NOT a dialog or service user.
If they enter BIDCLNT100_DIALOG they can connect, however, no username or password is specified in this RFC so it prompts for a login to the BI system.
This is fine in principle - if the user logs in with their BI ID then this works okay - however, they complained saying that they shouldn't have to enter their details.
We did set the BIDCLNT100 to use a user that was a dialog user, which solves the problem, but security advised that this was not wise as this user has SAP_ALL and bypasses security checks.
Someone suggested we could use SSO. How would this work? Would we still use the RFC BIDCLNT100_DIALOG?
I exported the .crt file from our CRM system and imported it to the BID system and added to the ACL - this doesn't appear to have helped though...
How has everyone else got this configured?
Regards

Re: CRMD_MKTDS and creating a datasource - which RFC user should be used?
Posted: Oct 15, 2009 9:49 PM, in response to: Ross Armstrong
If you are forced into using a type 3 ABAP RFC connection, then another option is to use trusted RFC and the current user setting.
But you need to do this very carefully, otherwise it can be misused. Basically, the logon credentials are authorizations for a special object in the target system. If you get it wrong, then everyone can log on as everyone else... without a password.
There are other options such as SAPLogonTickets, Client certificate SSO, SAML, etc., which are generally more secure, but trusted RFC is the easiest and cheapest way to implement it.
Cheers,
Julius

Re: CRMD_MKTDS and creating a datasource - which RFC user should be used?
Posted: Oct 15, 2009 9:52 PM, in response to: Ross Armstrong
"If they enter BIDCLNT100_DIALOG they can connect, however, no username or password is specified in this RFC so it prompts for a login to the BI system."
You might also want to weigh the security costs against the laziness... :-)

Re: CRMD_MKTDS and creating a datasource - which RFC user should be used?
Posted: Nov 6, 2009 4:51 PM, in response to: Julius Bussche
Thanks, we used the trusted RFC connection - this was already being used for another issue and a security role had been created to assist, so we used this for this issue too and assigned the relevant role to the users who needed to use it.
Cheers
Ross

Re: CRMD_MKTDS and creating a datasource - which RFC user should be used?
Posted: Nov 6, 2009 8:05 PM, in response to: Ross Armstrong
Take note in this case that the authentication and calling user's context (!) and application to be started are controlled via the authorizations of the user in the trusting target system.
So, using the same existing S_RFCACL role to enable this new process should ideally have both applications being reasonably similar in nature (and possibly in names as well), however you mention they are different users...
If there was a *, *, *, * ... type of S_RFCACL role already there, then I personally (knowing the consequences...) would not like to have it assigned to my user ID. You do have a little bit of application layer to work with in the trusted system, but it is not much.
Take a look at the documentation in SU21 and SAP Note 128447 for more information.
Cheers,
Julius
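
The wildcard S_RFCACL concern raised in the reply above can be checked mechanically. The following is an added example, not code from the thread or from SAP: it audits an export of S_RFCACL field values per role and flags wildcards. The CSV layout, role names, AUTH ids, the user BATCH_CRM and the system ID CRD are constructed assumptions; the field names are those of the S_RFCACL object.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per S_RFCACL field value in a role.
# Role names, AUTH ids, user BATCH_CRM and system ID "CRD" are invented.
SAMPLE_EXPORT = """\
AGR_NAME,AUTH,FIELD,LOW
Z_TRUSTED_CRM_TO_BI,T-1,RFC_SYSID,CRD
Z_TRUSTED_CRM_TO_BI,T-1,RFC_CLIENT,100
Z_TRUSTED_CRM_TO_BI,T-1,RFC_USER,
Z_TRUSTED_CRM_TO_BI,T-1,RFC_EQUSER,Y
Z_TRUSTED_CRM_TO_BI,T-1,RFC_TCODE,CRMD_MKTDS
Z_TRUSTED_GENERIC,T-2,RFC_SYSID,*
Z_TRUSTED_GENERIC,T-2,RFC_CLIENT,*
Z_TRUSTED_GENERIC,T-2,RFC_USER,*
Z_TRUSTED_GENERIC,T-2,RFC_EQUSER,*
Z_TRUSTED_GENERIC,T-2,RFC_TCODE,*
Z_TRUSTED_BATCH,T-3,RFC_SYSID,CRD
Z_TRUSTED_BATCH,T-3,RFC_CLIENT,100
Z_TRUSTED_BATCH,T-3,RFC_USER,BATCH_CRM
Z_TRUSTED_BATCH,T-3,RFC_EQUSER,N
Z_TRUSTED_BATCH,T-3,RFC_TCODE,*
"""

# Fields that restrict the calling system, client, user and transaction.
CHECKED_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER", "RFC_TCODE")


def audit_s_rfcacl(export_text):
    """Map (role, auth) to its wildcarded S_RFCACL fields and a severity."""
    values = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        values[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].add(row["LOW"].strip())
    report = {}
    for key, fields in values.items():
        # Full ("*") and partial ("Z*") patterns both count as wildcards.
        wild = [f for f in CHECKED_FIELDS if any("*" in v for v in fields[f])]
        if not wild:
            continue
        # A wildcard in RFC_USER leaves the calling user unrestricted, so
        # the holder's account can be used by callers with other user IDs.
        severity = "critical" if "RFC_USER" in wild else "review"
        report[key] = {"wildcards": wild, "severity": severity}
    return report


if __name__ == "__main__":
    for key, finding in audit_s_rfcacl(SAMPLE_EXPORT).items():
        print(key, finding)
```

Roles that come back as "critical" are the ones whose holders should be reviewed first, since assigning such a role exposes the holder's user ID to any caller in the trusted system.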