Hi All,
As we know, S_RFCACL (Authorization Check for RFC User (e.g. Trusted System)) is required for access to trusted systems.
In most of our roles, we have maintained the * value for the following fields of this authorization object:
RFC_SYSID
RFC_TCODE
The auditors have raised this as an observation, saying that it gives the users critical access.
But my question is: how can it be critical access when the user must have IDs in both systems (trusted and trusting) to log in to the called system?
Also, even if the user logs into the called system, he will only be able to execute the list of activities/t-codes that he is authorized for in that system; it will override the * value maintained in RFC_TCODE.
What could possibly be the risk from this authorization object?
Regards,
Parichay