
Overview

Bravura Security Fabric uses the RFC mechanism in the SAP client GUI to invoke built-in functions on the SAP server. SAP versions 4.5 or higher include all of the remote function calls (RFCs) required by Bravura Security Fabric to manage accounts and/or passwords on the system. No new functions, and in fact no new software at all, are installed on the SAP server.

Ensure that these functions are all available for the target administrator credential in order for the connector operations to be successful and that they are configured as listed in Configuring a target system administrator. Contact Bravura Security support if your SAP administrator would like to reduce access for the target administrator credential.

Note that earlier versions of SAP may not include all of the required RFCs or operations. If you have an earlier version of SAP, contact Bravura Security support for assistance.

Bravura Security Fabric uses the following calls to carry out connector operations:

  • BAPI_USER_GET_DETAIL

  • BAPI_USER_CREATE

  • BAPI_USER_ACTGROUPS_ASSIGN

  • BAPI_USER_PROFILES_ASSIGN

  • BAPI_USER_CHANGE

  • BAPI_USER_LOCK

  • BAPI_USER_UNLOCK

  • BAPI_USER_DELETE

  • BAPI_USER_GETLIST

  • RFC_GET_TABLE_ENTRIES

  • BAPI_HELPVALUES_GET

Note that RFC_GET_TABLE_ENTRIES does not function correctly on systems that have applied the Unicode patch. On newer Unicode systems, most of the functionality provided by RFC_GET_TABLE_ENTRIES can be replaced by:

  • BAPI_USER_GET_DETAIL

  • BAPI_USER_CHANGE

  • BAPI_USER_GETLIST

Not all functionality can be replaced by these function calls; the functionality that cannot be replaced includes user status and last login date.

A return code of 2 or an RFC_EXCEPTION: INTERNAL_ERROR error from RFC_GET_TABLE_ENTRIES indicates incorrect use of this function.

The following subsections detail the RFC functions used to implement some Bravura Security Fabric functions:

Verifying passwords

When Bravura Security Fabric needs to verify a user’s current password, it simply tries to connect to the SAP server using RFC. The password is assumed to be correct if the connection succeeds or if the connection fails but the error indicates that the user does not have RFC access. All other conditions are assumed to indicate an invalid password. The exact steps are:

  1. Connect to the SAP server using RFC with the user’s login ID and password.

  2. The result status tells Bravura Security Fabric if the password was good or bad.

  3. Disconnect.

Changing passwords

When Bravura Security Fabric changes a SAP password on behalf of a user who knows his current password, it uses RFC as follows:

  1. Connect to the SAP server (hostname, system number, and client number) using RFC with the user’s login ID and password.

  2. The result status tells Bravura Security Fabric if the password was good or bad.

  3. Disconnect.

  4. If the password was bad, terminate the process.

  5. If the password was valid, use the "Resetting passwords" process described below to set a new password value.

Resetting passwords

To administratively reset a user’s password to a new value, Bravura Security Fabric uses the following steps:

Log the user in:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the BAPI_USER_CHANGE RFC and invoke the LOGONDATA operation to set the user’s last logon time.

  4. Log the user in to set the new password.

  5. The result status tells Bravura Security Fabric if the password reset was successful.

  6. Disconnect.

Set the LTIME field:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the BAPI_USER_CHANGE RFC and invoke the LOGONDATA operation to set the user’s last logon time.

  4. The result status tells Bravura Security Fabric if the password reset was successful.

  5. Disconnect.

Use the SUSR_USER_CHANGE_PASSWORD_RFC procedure:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the SUSR_USER_CHANGE_PASSWORD_RFC to change the user’s password.

  4. The result status tells Bravura Security Fabric if the password reset was successful.

  5. Disconnect.

Set the PRODUCTIVE_PWD flag in BAPI_USER_CHANGE:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC to set the flag PRODUCTIVE_PWD and invoke the PASSWORDX operation to reset the user’s password.

  3. Call the BAPI_USER_CHANGE RFC and invoke the LOGONDATA operation to set the user’s last logon time.

  4. The result status tells Bravura Security Fabric if the password reset was successful.

  5. Disconnect.

Do not make the password productive:

  1. Connect to the SAP server with RFC, using the administrator ID and password that has been configured.

  2. Call the BAPI_USER_CHANGE RFC and invoke the PASSWORDX operation to reset the user’s password.

  3. The result status tells Bravura Security Fabric if the password reset was successful.

  4. Disconnect.

  5. The user will be prompted to enter a new password manually at the next login.

Listing users

Nightly, the Bravura Security Fabric server extracts a list of users from every system, including SAP. This list is used to automatically update user profiles so that users are presented with a list of systems where they have a login account rather than every system on the network.

For SAP versions 6.4 and above, use BAPI_USER_GETLIST to retrieve the list of users. For earlier versions of SAP, execute RFC_GET_TABLE_ENTRIES on table V_USR_NAME.

Selection ranges

You can filter which users will be listed from the SAP server by using selection ranges. Selection ranges are based on the Select-Options keyword in SAP ABAP.

You can define one or more selection ranges, using a list or a KVG file. This option can be configured in Target System Options.

Selection ranges are defined using the following format:

 parameter|field|sign|option|low|high

Examples:

  • Exclude listing of locked-out user accounts:

    ISLOCKED|NO|USER_PW|E|EQ|L|

  • Exclude listing of super users:

    LOGONDATA|CLASS|I|NE|SUPER|

  • Include listing of users with user type 'A':

    LOGONDATA|USTYP|I|EQ|A|

If using a file, it should be in the proper KVG format:

# KVGROUP-V2.0
listuserselectionrange = {
  "filter1";
  "filter2";
  ...etc.
}

Refer to the SAP documentation for more information regarding ABAP Select-Options.
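The following is an added example, not Bravura Security Fabric or SAP code: it parses selection-range lines in the parameter|field|sign|option|low|high format (including the listuserselectionrange block of a KVG file) and applies ABAP Select-Options include/exclude semantics to a constructed user list, so an administrator can check what a filter would select before deploying it. The user records, the TEST class row and the EQ/NE/BT subset of options are assumptions for illustration; on a real system the filtering is done by the SAP server.

```python
import re
OPTIONS = {"EQ": lambda v, lo, hi: v == lo, "NE": lambda v, lo, hi: v != lo,
           "BT": lambda v, lo, hi: lo <= v <= hi}  # subset of ABAP Select-Options

def parse_selection_range(line):
    # parameter|field|sign|option|low|high; a trailing '|' after HIGH leaves an empty 7th part
    parts = line.strip().split("|")
    if len(parts) == 7 and parts[-1] == "":
        parts.pop()
    if len(parts) != 6 or parts[2] not in ("I", "E") or parts[3] not in OPTIONS:
        raise ValueError(f"bad selection range: {line!r}")
    return dict(zip(("parameter", "field", "sign", "option", "low", "high"), parts))

def parse_kvg(text):
    # Pull the quoted, ';'-terminated entries out of the KVGROUP-V2.0 block
    block = re.search(r"listuserselectionrange\s*=\s*\{(.*?)\}", text, re.S)
    if block is None:
        raise ValueError("no listuserselectionrange block")
    return [parse_selection_range(v) for v in re.findall(r'"([^"]*)"\s*;', block.group(1))]

def select_users(users, ranges):
    # Select-Options rule per (parameter, field): a value passes if it matches some
    # I row (or that field has no I rows) and matches no E row; fields are ANDed.
    by_field = {}
    for r in ranges:
        by_field.setdefault((r["parameter"], r["field"]), []).append(r)
    def passes(user):
        for (param, field), rows in by_field.items():
            value = user.get(param, {}).get(field, "")
            hit = {r["sign"] for r in rows if OPTIONS[r["option"]](value, r["low"], r["high"])}
            if "E" in hit or (any(r["sign"] == "I" for r in rows) and "I" not in hit):
                return False
        return True
    return [u["name"] for u in users if passes(u)]

# Constructed KVG file: this page's two LOGONDATA filters plus one made-up E row
SAMPLE_KVG = """# KVGROUP-V2.0
listuserselectionrange = {
  "LOGONDATA|CLASS|I|NE|SUPER|";
  "LOGONDATA|USTYP|I|EQ|A|";
  "LOGONDATA|CLASS|E|EQ|TEST|";
}
"""
SAMPLE_USERS = [  # constructed user records, keyed like BAPI parameter/field
    {"name": "JDOE", "LOGONDATA": {"CLASS": "HR", "USTYP": "A"}},
    {"name": "DDIC", "LOGONDATA": {"CLASS": "SUPER", "USTYP": "A"}},
    {"name": "BATCH1", "LOGONDATA": {"CLASS": "HR", "USTYP": "B"}},
    {"name": "QA01", "LOGONDATA": {"CLASS": "TEST", "USTYP": "A"}},
    {"name": "ASMITH", "LOGONDATA": {"CLASS": "FIN", "USTYP": "A"}},
]
```

Running select_users(SAMPLE_USERS, parse_kvg(SAMPLE_KVG)) keeps only JDOE and ASMITH: DDIC fails the NE SUPER include, BATCH1 fails the USTYP include, and QA01 is removed by the exclude row.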

Other Bravura Security Fabric functions

The following list details how other Bravura Security Fabric functions are carried out.

  • check account enable: Look at the status bitfield of the UFLAG column of the USR02 table. If the Unicode patch is in place, this will not function correctly.

  • enable account: Call BAPI_USER_LOCK.

  • disable account: Call BAPI_USER_UNLOCK.

  • unlock account: Call BAPI_USER_UNLOCK.

  • create account: Call BAPI_USER_GET_DETAIL on the template user.

    Use BAPI_USER_CREATE to set the creation attributes. Other attributes are set as detailed in Attribute update. If create account succeeds, it performs a password reset; the password reset is affected by the OSS Note 750_390 patch (see Configuring the SAP server after applying OSS Note 750_390).

  • delete account: Call BAPI_USER_DELETE.

  • update attributes: Call BAPI_USER_GET_DETAIL to get information on the user.

    Then use BAPI_USER_CHANGE to make most attribute changes.

    Exceptions include activity groups and roles, which are assigned using BAPI_USER_PROFILES_ASSIGN and BAPI_USER_ACTGROUPS_ASSIGN.

    If Central User Administration (CUA) is enabled, use:

    • BAPI_USER_LOCACTGROUPS_READ and

    • BAPI_USER_LOCPROFILES_READ to read local groups and profiles, and

    • BAPI_USER_LOCACTGROUPS_ASSIGN and

    • BAPI_USER_LOCPROFILES_ASSIGN to update local activity groups and profiles.

  • add user to group: Read users by calling BAPI_USER_GET_DETAIL.

    Add them by calling BAPI_USER_ACTGROUPS_ASSIGN.

  • delete user from group: Read users by calling BAPI_USER_GET_DETAIL.

    Delete them by calling BAPI_USER_ACTGROUPS_ASSIGN.

  • list groups and members: Call BAPI_HELPVALUES_GET and read AGR_DEFINE.

    Note: RFC_GET_TABLE_ENTRIES will be called if the system is 6.3 or older.

Implications for SAP technical support

Bravura Security Fabric does not impact technical support offered to clients by SAP or third-party vendors.

Bravura Security Fabric only uses mechanisms published by SAP to list users and manage passwords. Remote access from the Bravura Security Fabric server to the SAP server is provided by RFCs, and all server functionality uses BAPI function calls provided by SAP.

Since no server software is installed, and only recommended and published BAPIs are used to manage passwords, using Bravura Security Fabric will in no way impact existing SAP support contracts.

Limiting technical support because a customer has installed Bravura Security Fabric would be equivalent to prohibiting the use of SAP-supplied BAPI functions. Since every SAP installation uses BAPIs, and especially SAP-supplied ones, no SAP or third-party vendor can prohibit this.