SAP RFC User Privileges

Each ABAP stack you want to interact with needs a privileged user. SAP recommends it to be a System user for normal batch processing and a Dialog user if this user also has to be used as the Step user.

The following section describes the privileges required by the RFC user to interact with the ABAP stack of SAP Systems. To assign the following privileges, navigate to Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG) and see the Assigning SAP Authorizations to the RFC User procedure for more information.

Note Note

Whenever an authorization problem occurs, you can log into the SAP system as the user and execute transaction SU53. You can use the output of this transaction to identify any missing authorizations.

End of the note.

SAP Authorizations for XBP and BW

AAAB - Cross-application Authorization Objects

S_RFC - Authorization check for RFC access

Name	Required Authorizations
Activity	* (or `Execute`)
Name of RFC to be protected	*, or all of BATG, FRFC, OCSB, RFC1, RFC1, SALX, SCCA, SDIFRUNTIME, SDTX, SG00, SRFC, SXBP, SXMI, SYST, and SYSU
Type of RFC object to be protected	FUGR (Function group)

If you are using XBP transports, the following two RFC's need to be added:

/SCJS/1XBP, /SCJS/2XBP

If you are using ISU transports, the following two RFC's need to be added:

/SCJS/1ISU and /SCJS/2ISU

For BW, the list with names of RFCs to be protected has to be extended with following authorizations (unless the list contains just * (all RFCs)):

Name	Required Authorizations
Name of RFC to be protected	RSBC, RSAB, BATG, RSPC_API

This is required to be able to use RFC, and is thus an absolute requirement.

BC_A - Basis: Administration

S_ADMI_FCD - System Authorizations

Name	Required Authorizations
System administration functions	SP01, SP0R, SPAD

S_BTCH_ADM - Background Processing: Background Administrator

Name	Required Authorizations
Background administrator ID	*

S_BTCH_JOB - Background Processing: Operations on Background Jobs

Name	Required Authorizations
Job operations	*
Summary of jobs for a group	*

While it is possible to individually assign authorizations to delete background jobs, display spool requests, copy or repeat jobs, display the job processing log, release jobs and to display the job queue, all of them are required for proper function of the product.

S_BTCH_NAM - Background Processing: Background User Name

Name	Required Authorizations
Background User Name for Authorization	*

S_RZL_ADM - CCMS: System Administration

Name	Required Authorizations
Activity	01

S_SPO_ACT - Spool: Actions

Name	Required Authorizations
Authorization field for spool	*
Value for authorization check	*

S_SPO_DEV - Spool: Device authorizations

Name	Required Authorizations
Long device names	*

S_TABU_DIS - Table maintenance (via standard tools such as SM30)

Name	Required Authorizations
Activity	03
Authorization group	*

The S_TABU_DIS authorization is needed for importing BW InfoPackage groups. Addtionally, it is required for all SAP releases that have neither XBP (see the documentation shipped with SAP CPS for more information on this feature) 3.0 nor transports (as of M28) in order to be able to import SAP calendars.

The following table illustrates the various combinations and the requirements:

	M28 (without transports) or earlier with XBP 2.0 or earlier	M28 (without transports) or earlier with XBP 3.0	M28 with transports
Run InfoPackagestable `RSMONRQTAB`	o	o	o
Import InfoPackage Groupstable `RSPAKPOS`	x	x	x
Import SAP Calendarstables `THOCS` and `TFACS`	x	-	-

o - (optional) the official API will be used, which is slower and sometimes not reliable
x - (mandatory) this functionality requires access to the table via RFC_READ_TABLE
- - no direct table access is needed

S_XMI_LOG - Internal access authorization for XMI log

Name	Required Authorizations
Access method for XMI log	*

S_XMI_PROD - Auth. for external management interfaces (XMI)

Name	Required Authorizations
XMI logging: company name	REDWOOD (or *)
Product	*
Interface ID	*

Note Note

Please note that this has to be set to REDWOOD and not your company name.

End of the note.

This is the minimal set of authorizations required by SAP CPS.

SAP Authorizations for BW Process Chains

S_RS_ALL

You need to assign the S_RS_ALL profile to the user, this is done as follows:

If you want to schedule process chains and/or InfoPackages, then you must also assign the S_RS_ALL profile to the REDWOOD role. This can be done as follows:

Navigate to Tools → Administration → User Maintenance → Role Administration → Roles (transaction PFCG).
Create a new role REDWOOD, or edit the existing one if it already exists.
Select the Authorizations tab.
Choose Change Authorization Data. If the system shows a list of templates, choose Do not select templates.
You should now be in Change role: Authorizations.
Choose Edit → Insert authorization(s) → From profile and fill S_RS_ALL into the profile field, apply the change. Notice that the required authorizations have been added automatically.

S_DEVELOP - ABAP Workbench

When the synchronous flag is switched on, the following authorization is also required for process chains:

Name	Required Authorizations
ACTVT	16
DEVCLASS	*
OBJNAME	*
OBJTYPE	PROG
P_GROUP	*

AAAB - Cross-application Authorization Objects

SAP Authorizations required for XAL and XMW synchronization.

S_RFC - Authorization check for RFC access''

Name	Required Authorizations
Name of RFC to be protected	*, or all of FRFC, OCSB, SALX, SXMI, SYST, SDTX, RFC1, SDIFRUNTIME, SG00, SRFC, SYSU
Type of RFC object to be protected	FUGR

SAP Authorizations for Industry Solutions (ISU)

S_DEVELOP - ABAP Workbench

Name	Required Authorizations
ACTVT	03
DEVCLASS	EE20
OBJNAME	*
OBJTYPE	*
P_GROUP	*

SAP Authorizations for SAP Applications

The role SAP_BC_REDWOOD_COMM_EXT_SDL is required.

Please make sure, that the role has the following authorizations:

S_RFC_ADM

Name	Required Authorizations
Activity	All activities
Internet Communication Framework	*
Logical Destination	CRONACLE*, REDWOOD
Type of Entry in RFCDES	All values