The need to exclude other applications

The CIS mobile interface function /GUIXT/SELECT_INTERFACE contains a general interface for reading SAP tables. In CIS mobile we observe the corresponding SAP authorizations before using any data, but this cannot be guaranteed for other applications which might try to make use of it via RFC calls.

Therefore we need a way to exclude other applications from the use of /GUIXT/SELECT_INTERFACE.

Function group authorization

The first restriction is via the function group /GUIXT/CISM. Only users with the authorization "S_RFC" for this function group are able to execute external RFC programs that call up /GUIXT/SELECT_INTERFACE.

Transaction code

One of the input parameters of function /GUIXT/SELECT_INTERFACE is TCODE. The function checks that TCODE is specified, that TCODE ends with 8 digits and that the user is authorized for the given pseudo transaction code, e.g. for CISMOBILE12345678.

Server Id

CIS mobile uses a unique server id in order to generate the pseudo transaction code. You can display the server id in the S10 repository (Project properties->SAP system).

Here you can change the prefix e.g. CISMOBILE, but you cannot change the server id.

Put the transaction code shown in S10 repository into the CISMOBILE user role, authorization object S_TCODE.

This mechanism prevents access to your SAP system from any other CIS mobile system that might have a different configuration. For example, if you configure the "Select 'My customers' only" option in CIS mobile profile, you do not want a development CIS mobile system to access your productive data, since the configuration of the development system can be less restrictive, or it may contain new add-on functions that are not yet officially accepted in your company.

  • When you change the server, or re-install Windows on this server, the server id changes.
  • CIS mobile can make use of several web servers and this is useful in cases of a very large number of users. In this case all servers need to be included in the S_TCODE authorizations, e.g. CISMOBILE78925648 and CISMOBILE82688253.

Authorization string

Finally, let us imagine that someone implements an external program (e.g. in Visual Basic or ABAP) that tries to call up /GUIXT/SELECT_INTERFACE in order to read data in the productive system.

In this case, in the called system a user with the S_RFC authorization for function group /GUIXT/CISM and for at least one transaction code which ends with 8 digits is needed, otherwise the function cannot be executed. This essentially means that the credentials of a person authorized for CIS mobile in the productive system are needed for this approach.

To exclude this kind of access attempt, the function /GUIXT/SELECT_INTERFACE expects and checks an "authorization string" that is generated in CIS mobile. Each authorization string is valid for one day only. It is different on each server.

System log entry

In the case of unauthorized access (invalid authorization string) the function /GUIXT/SELECT_INTERFACE writes an entry into the SAP system log so that the user name and the time of the attempted access can be traced.
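The four layers described above (S_RFC for the function group, the 8-digit pseudo transaction code in S_TCODE, the daily per-server authorization string, and the system log entry on failure) as a small Python model. This is an added illustration, not the ABAP source of /GUIXT/SELECT_INTERFACE; the SapSystem class, the secrets dictionary and the HMAC-based derivation of the authorization string are assumptions made here so that the check order can be exercised with constructed users and transaction codes.

```python
import hashlib
import hmac
import re
from datetime import datetime

FUNCTION_GROUP = "/GUIXT/CISM"
TCODE_SUFFIX = re.compile(r"\d{8}$")          # pseudo transaction code must end with 8 digits
NOW = datetime(2024, 5, 6, 9, 30)             # constructed time of the RFC call


def pseudo_tcode(prefix: str, server_id: str) -> str:
    """Prefix (e.g. CISMOBILE) followed by the 8-digit server id shown in the S10 repository."""
    return f"{prefix}{server_id}"


def daily_auth_string(server_secret: bytes, server_id: str, day) -> str:
    """ASSUMPTION: the page does not say how the string is derived. It is modelled here as an
    HMAC over server id and calendar day, which yields a value that differs per server and per day."""
    msg = f"{server_id}|{day.isoformat()}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


class SapSystem:
    """Constructed stand-in for the called SAP system: S_RFC / S_TCODE values per user and a syslog."""

    def __init__(self, server_secrets: dict):
        self.server_secrets = server_secrets  # server id -> secret shared with that CIS mobile server
        self.s_rfc, self.s_tcode, self.syslog = {}, {}, []

    def grant(self, user, function_groups=(), tcodes=()):
        self.s_rfc.setdefault(user, set()).update(function_groups)
        self.s_tcode.setdefault(user, set()).update(tcodes)

    def select_interface(self, user, tcode, auth_string, now=NOW):
        """The documented checks in order; returns (allowed, reason)."""
        if FUNCTION_GROUP not in self.s_rfc.get(user, ()):
            return False, "S_RFC"          # RFC call rejected before the function even runs
        if not tcode or not TCODE_SUFFIX.search(tcode):
            return False, "TCODE"          # TCODE missing or not ending with 8 digits
        if tcode not in self.s_tcode.get(user, ()):
            return False, "S_TCODE"        # pseudo tcode not in the user's CISMOBILE role
        server_id = tcode[-8:]             # the server id is the 8-digit suffix
        expected = daily_auth_string(self.server_secrets.get(server_id, b""), server_id, now.date())
        if not hmac.compare_digest(expected, auth_string):
            self.syslog.append(f"{now:%Y-%m-%d %H:%M:%S} user {user}: invalid authorization string")
            return False, "AUTHSTRING"     # logged so that user name and time can be traced
        return True, "OK"
```

Note that a valid user with a valid role but a stale (yesterday's) or guessed string is refused and logged, while a code from a development server id that is not in the role is refused at the S_TCODE step before any string is examined.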