The need to exclude other applications
The CIS mobile interface function /GUIXT/SELECT_INTERFACE contains a general interface for reading SAP tables. In CIS mobile we observe the corresponding SAP authorizations before using any data, but this cannot be guaranteed for other applications that might try to use it via RFC calls. We therefore need a way to exclude other applications from using /GUIXT/SELECT_INTERFACE. |
Function group authorization |
Transaction code |
Server Id
Here you can change the prefix, e.g. CISMOBILE, but you cannot change the server id. This mechanism prevents access to your SAP system from any other CIS mobile system that might have a different configuration. For example, if you configure the "Select 'My customers' only" option in the CIS mobile profile, you do not want a development CIS mobile system to access your productive data, since the configuration of the development system can be less restrictive, or it may contain new add-on functions that are not yet officially accepted in your company. |
Authorization string
Finally, let us imagine that someone implements an external program (e.g. in Visual Basic or ABAP) that tries to call /GUIXT/SELECT_INTERFACE in order to read data in the productive system. In this case the called system requires a user with the S_RFC authorization for function group /GUIXT/CISM and for at least one transaction code that ends with 8 digits; otherwise the function cannot be executed. This essentially means that the credentials of a person authorized for CIS mobile in the productive system are needed for this approach. To exclude this kind of access attempt, the function /GUIXT/SELECT_INTERFACE expects and checks an "authorization string" that is generated in CIS mobile. Each authorization string is valid for one day only and is different on each server. |
System log entry
In the case of unauthorized access (invalid authorization string), the function /GUIXT/SELECT_INTERFACE writes an entry into the SAP system log so that the user name and the time of the attempted access can be traced. |
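
The page does not say how the authorization string is computed. The following added example (not the CIS mobile implementation and not code from this page) assumes an HMAC over the server id and the calendar date under a shared secret, which yields the two stated properties (valid for one day, different on each server) and logs rejected attempts with user name and time. The function names, the secret, the user name and the server ids are all constructed for illustration.

```python
import hashlib
import hmac
import logging
from datetime import date

# Stand-in for the SAP system log (assumption: any audit sink would do).
log = logging.getLogger("select_interface")


def make_auth_string(secret: bytes, server_id: str, day: date) -> str:
    """Caller side: derive a token bound to one server id and one day."""
    msg = f"{server_id}|{day.isoformat()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_auth_string(secret: bytes, server_id: str, token: str,
                      user: str, today: date) -> bool:
    """Callee side: accept only today's token for this server id."""
    expected = make_auth_string(secret, server_id, today)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if hmac.compare_digest(expected.encode(), token.encode()):
        return True
    # Rejected: record who tried and when so the attempt can be traced.
    # %(asctime)s in the log format supplies the time of the attempt.
    log.warning("invalid authorization string: user=%s server=%s",
                user, server_id)
    return False


def demo() -> dict:
    secret = b"constructed-demo-secret"            # constructed sample value
    day1, day2 = date(2024, 5, 1), date(2024, 5, 2)  # constructed dates
    prod, dev = "PROD-SERVER-ID", "DEV-SERVER-ID"    # constructed server ids
    token = make_auth_string(secret, prod, day1)
    return {
        # Same server, same day: accepted.
        "same_day": check_auth_string(secret, prod, token, "JDOE", day1),
        # Replayed one day later: rejected and logged.
        "next_day": check_auth_string(secret, prod, token, "JDOE", day2),
        # Presented to a server with a different id: rejected and logged.
        "other_server": check_auth_string(secret, dev, token, "JDOE", day1),
    }


if __name__ == "__main__":
    logging.basicConfig(format="%(asctime)s %(levelname)s %(message)s")
    print(demo())
```
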