I have been working on multiple S/4HANA implementations, and of course FIORI implementation has been an integral part of these projects. I want to share a recent problem we faced when a FIORI developer was trying to test a few ODATA services via SAP Gateway Client. It is also a good idea to gradually extend the discussion into further blog parts covering the many problems and errors I have been observing as a Basis consultant in FIORI projects.
The SAP developer was not able to test an ODATA service in SAP Gateway Client. She received the following error:
RFC Error: No authorization to log via a trusted system (L-RC=1002 T-RC=2).
The environment we were working on consisted of SAPUIFT 100, UISHOP1 200 and SAP_UI 751 (NW 7.5) in the SAP FIORI system (Gateway), and the backend system was S/4HANA 1610.
From my experience, this kind of error is normally observed when the user is not able to log in from the source system to the target system, either because of improper or missing RFC authorization or because there is a problem with the trust relationship between FIORI and the backend, for example an RFC connection problem.
When the customer has a Central Hub installation for SAP FIORI, an HTTP RFC serves the purpose of trusted communication from the SAP FIORI system to the S/4HANA system.
In the ‘Logon and Security’ tab of this RFC, the logon procedure is configured as ‘Trust Relationship’ with ‘current user’ to be used for login when the SAP FIORI system reaches the backend, i.e. the S/4HANA system. That means that when the developer tests an ODATA service using SAP Gateway Client, this RFC is used and the developer's user ID is checked for the proper RFC authorizations.
Another condition that must be satisfied is that the SAP FIORI frontend system is already configured as a ‘trusted system’ in the target backend system S/4HANA. How do we validate it? Using the transaction SMT1.
So, the system validates the following items for the trusted relationship to work:
- A trusted RFC between the gateway and the S/4HANA system should be in place. Validation results were good, as we tested the above-mentioned RFC with our Basis user ID.
- The user who is testing the gateway services should have the same username in the FIORI and backend systems. Validation results were good: the username of the FIORI developer was the same in both systems.
- The user should have RFC authorization roles, e.g. authorization object SAP_S_RFCACL. Here the result was negative. The user in the backend S/4HANA system was missing this authorization.
- The FIORI gateway system should be registered as a trusted system in the backend. Validated using the transaction SMT1: the FIORI system SID was listed under ‘Systems whose calls are trusted’.
Solution and Testing
Create a Z role for the SAP_S_RFCACL authorization object, e.g. Z_SAP_S_RFCACL, and assign the role to the user in the target backend S/4HANA system. The S_RFCACL object (Authorization Check for RFC User, e.g. Trusted System) is required for access to trusted systems. The object (role) should be assigned to the user in both systems, FIORI and the backend S4.
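The field values maintained in this role decide which calling systems and users the backend accepts, so they are worth checking before the role is assigned. As an added example (not from the original post, and a simplified model of the check rather than SAP's own logic), the Python code below evaluates S_RFCACL field values for a trusted logon and flags wildcard entries; the SID GWD, client 100 and the user names are constructed.

```python
# Simplified model of the S_RFCACL check on the trusted (backend) system.
# SIDs, clients, user names and role values are constructed samples.
from dataclasses import dataclass

@dataclass(frozen=True)
class RfcAcl:
    """One S_RFCACL authorization as maintained in a role."""
    rfc_sysid: str    # SID of the calling system (here: the gateway)
    rfc_client: str   # client of the calling system
    rfc_user: str     # calling user ID allowed when the IDs differ
    rfc_equser: str   # 'Y' = caller with the same user ID is allowed
    actvt: str        # 16 = execute

def _match(pattern, value):
    return pattern == "*" or pattern == value

def trusted_logon_allowed(acl, sysid, client, caller, target):
    """True if this authorization lets `caller` log on as `target`."""
    if not (_match(acl.actvt, "16") and _match(acl.rfc_sysid, sysid)
            and _match(acl.rfc_client, client)):
        return False
    if caller == target:                     # 'current user' logon
        return acl.rfc_equser in ("Y", "*")
    return acl.rfc_user != "" and _match(acl.rfc_user, caller)

def audit(acl):
    """Wildcards that widen trust beyond one system, client or user."""
    return [f"{name.upper()} is '*'"
            for name in ("rfc_sysid", "rfc_client", "rfc_user")
            if getattr(acl, name) == "*"]

def check_user(auths, sysid, client, caller, target):
    """Return (logon allowed?, audit findings) for a user's authorizations."""
    allowed = any(trusted_logon_allowed(a, sysid, client, caller, target)
                  for a in auths)
    return allowed, [f for a in auths for f in audit(a)]

# Constructed role contents: one scoped to the gateway, one wide open.
SCOPED = RfcAcl("GWD", "100", "", "Y", "16")
BROAD = RfcAcl("*", "*", "*", "Y", "16")

if __name__ == "__main__":
    print(check_user([], "GWD", "100", "DEVUSER", "DEVUSER"))       # no role yet
    print(check_user([SCOPED], "GWD", "100", "DEVUSER", "DEVUSER"))
    print(check_user([BROAD], "XYZ", "000", "OTHER", "DEVUSER"))
```

The scoped values are enough for the same-user test described in this post, while the wildcard variant would also accept a different user calling from any system.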
Execute the transaction /n/IWFND/MAINT_SERVICE in the FIORI/gateway client and search for the concerned ODATA service. Select the ODATA service and click on ‘SAP Gateway Client’.
SAP Gateway Client opens with its default screen. Enter the default Request URI (/sap/opu/odata/sap/Z..). Don’t forget to append “?$format=xml” to the request path.
Click ‘Execute’ to test the gateway service.
The execution should display the result as ‘HTTP Response’. Status code 200 indicates that the service call was successful.