SAP RFC User Privileges
Each ABAP stack you want to interact with needs a privileged user. Redwood recommends a System user for normal batch processing and a Dialog user if this user also has to be used as the Step user.
The following section describes the privileges required by the RFC user to interact with the ABAP stack of SAP Systems. To assign the following privileges, navigate to Tools > Administration > User Maintenance > Role Administration > Roles (transaction PFCG) and see the Assigning SAP Authorizations to the RFC User procedure for more information.
note
Whenever an authorization problem occurs, you can log into the SAP system as the user and execute transaction SU53. You can use the output of this transaction to identify any missing authorizations.
SAP Authorizations for XBP and BW
AAAB - Cross-application Authorization Objects
S_RFC - Authorization check for RFC access
Name | Required Authorizations |
---|---|
Activity | * (or Execute) |
Name of RFC to be protected | *, or all of BATG, FRFC, OCSB, RFC1, RFC_METADATA_GET, SALX, SCCA, SDIFRUNTIME, SDTX, SG00, SRFC, SXBP, SXMI, SYST, SVAR_RFC, SXBP_VAR, and SYSU |
Type of RFC object to be protected | FUGR (Function group), FUBA (Function module) |
Name of RFC to be protected | BAPI_CM_PROFILES_GET |
Type of RFC to be protected | FUNC |
If you are using XBP transports, the following two RFCs need to be added: /REDWOOD/1XBP, /REDWOOD/2XBP
If you are using ISU transports, the following two RFCs need to be added: /REDWOOD/1ISU and /REDWOOD/2ISU
If you want to retrieve the SAP syslog from within Redwood Server with the GetSupportFiles functionality, you also need the following RFC: SXMB
For BW, the list with names of RFCs to be protected has to be extended with the following authorizations (unless the list contains just * (all RFCs)):
Name | Required Authorizations |
---|---|
Name of RFC to be protected | RSBC, RSAB, BATG, RSPC_API |
This is required to be able to use RFC, and is thus an absolute requirement.
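When the role lists function groups individually instead of granting *, the list can be checked against the names above before go-live. The following is an added example, not Redwood code: it assumes the role's "Name of RFC to be protected" values have been copied into a Python list, and the feature keys (`xbp_transports`, `isu_transports`, `syslog`, `bw`) are names chosen here. It covers only the function-group names, not the separate BAPI_CM_PROFILES_GET entry.

```python
from fnmatch import fnmatchcase

# Function groups from the S_RFC "Name of RFC to be protected" row on this page.
BASE = {"BATG", "FRFC", "OCSB", "RFC1", "RFC_METADATA_GET", "SALX", "SCCA",
        "SDIFRUNTIME", "SDTX", "SG00", "SRFC", "SXBP", "SXMI", "SYST",
        "SVAR_RFC", "SXBP_VAR", "SYSU"}
# Additions the page lists per feature; the feature keys are names chosen here.
OPTIONAL = {
    "xbp_transports": {"/REDWOOD/1XBP", "/REDWOOD/2XBP"},
    "isu_transports": {"/REDWOOD/1ISU", "/REDWOOD/2ISU"},
    "syslog": {"SXMB"},
    "bw": {"RSBC", "RSAB", "BATG", "RSPC_API"},
}


def required_names(features=()):
    """Names the role must cover for the selected features."""
    names = set(BASE)
    for feature in features:
        names |= OPTIONAL[feature]
    return names


def audit_s_rfc(granted, features=()):
    """Return (missing, wildcards, extra) for a list of granted name values.

    Assumption: values are single names or '*' patterns; from-to ranges
    are not handled.
    """
    granted = {g.strip().upper() for g in granted if g.strip()}
    required = required_names(features)
    missing = sorted(n for n in required
                     if not any(fnmatchcase(n, g) for g in granted))
    wildcards = sorted(g for g in granted if "*" in g)
    extra = sorted(g for g in granted if "*" not in g and g not in required)
    return missing, wildcards, extra


if __name__ == "__main__":
    # Constructed sample: a role that uses patterns and lacks some names.
    sample = ["SXBP", "SXMI", "SX*", "SYST", "RFC1", "RS*", "ZDEMO"]
    missing, wildcards, extra = audit_s_rfc(sample, features=["bw"])
    print("missing:", missing)
    print("wildcards to review:", wildcards)
    print("not on the page's list:", extra)
```

Missing names are the ones that would surface as SU53 failures at run time; wildcard and extra values are listed so they can be reviewed against the role's intended scope.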
BC_A - Basis: Administration
S_ADMI_FCD - System Authorizations
Name | Required Authorizations |
---|---|
System administration functions | SP01, SP0R, SPAD, SPAM (when retrieving spool from processes with non-default client) |
S_BTCH_ADM - Background Processing: Background Administrator
Name | Required Authorizations |
---|---|
Background administrator ID | * |
S_BTCH_JOB - Background Processing: Operations on Background Jobs
Name | Required Authorizations |
---|---|
Job operations | * |
Summary of jobs for a group | * |
While it is possible to individually assign authorizations to delete background jobs, display spool requests, copy or repeat jobs, display the job processing log, release jobs and to display the job queue, all of them are required for proper function of the product.
S_BTCH_NAM - Background Processing: Background User Name
Name | Required Authorizations |
---|---|
Background User Name for Authorization | * |
S_PROGRAM - ABAP: program run checks
Name | Required Authorizations |
---|---|
Authorization group ABAP program | * (or the required authorization group) |
User action ABAP program | BTCSubmit |
S_RZL_ADM - CCMS: System Administration
Name | Required Authorizations |
---|---|
Activity | 01 |
S_SPO_ACT - Spool: Actions
Name | Required Authorizations |
---|---|
Authorization field for spool | * |
Value for authorization check | * |
S_SPO_DEV - Spool: Device authorizations
Name | Required Authorizations |
---|---|
Long device names | * |
S_TABU_DIS - Table maintenance (via standard tools such as SM30)
Name | Required Authorizations |
---|---|
Activity | 03 |
Authorization group | * |
The S_TABU_DIS authorization is needed for importing BW InfoPackage groups. Additionally, it is required for all SAP releases that have neither XBP 3.0 nor transports in order to be able to import SAP calendars.
The following table illustrates the various combinations and the requirements:
Functionality | Without transports and XBP 2.0 or earlier | Without transports and XBP 3.0 | With transports |
---|---|---|---|
Run InfoPackages (table RSMONRQTAB) | o | o | o |
Import InfoPackage Groups (table RSPAKPOS) | x | x | x |
Import SAP Calendars (tables THOCS and TFACS) | x | - | - |
- o (optional): the official API will be used, which is slower and sometimes not reliable
- x (mandatory): this functionality requires access to the table via RFC_READ_TABLE
- - : no direct table access is needed
S_OC_DOC
Only required if you want to archive spool lists.
Name | Required Authorizations |
---|---|
Activity | 24 (or *) |
S_OC_ROLE
Required for sending spool lists to recipients or archiving spool lists.
Name | Required Authorizations |
---|---|
Activity | ADMINISTRATOR (or *) |
S_OC_SEND - Authorization Object for Sending
Required for sending spool lists to recipients.
Name | Required Authorizations |
---|---|
Valid communication methods | * (or any communication methods you want to be able to use) |
Range of number of recipients allowed per send operation | * (or the desired value, for example 100) |
S_XMI_LOG - Internal access authorization for XMI log
Name | Required Authorizations |
---|---|
Access method for XMI log | * |
S_XMI_PROD - Auth. for external management interfaces (XMI)
Name | Required Authorizations |
---|---|
XMI logging: company name | REDWOOD (or *) |
Product | * |
Interface ID | * |
note
Please note that this has to be set to REDWOOD and not your company name.
This is the minimal set of authorizations required by Redwood Server.
SAP Authorizations for BW Process Chains
S_RS_ALL
You need to assign the S_RS_ALL profile to the user.
If you want to schedule process chains and/or InfoPackages, then you must also assign the S_RS_ALL profile to the REDWOOD role. This can be done as follows:
- Navigate to Tools > Administration > User Maintenance > Role Administration > Roles (transaction PFCG).
- Create a new role REDWOOD, or edit the existing one if it already exists.
- Select the Authorizations tab.
- Choose Change Authorization Data. If the system shows a list of templates, choose Do not select templates.
- You should now be in Change role: Authorizations.
- Choose Edit > Insert authorization(s) > From profile, fill S_RS_ALL into the profile field, and apply the change. Notice that the required authorizations have been added automatically.
S_DEVELOP - ABAP Workbench
When the synchronous flag is switched on, the following authorization is also required for process chains:
Name | Required Authorizations |
---|---|
ACTVT | 16 |
DEVCLASS | * |
OBJNAME | * |
OBJTYPE | PROG |
P_GROUP | * |
AAAB - Cross-application Authorization Objects (BW)
SAP Authorizations required for XAL and XMW synchronization.
S_RFC - Authorization check for RFC access
Name | Required Authorizations |
---|---|
Name of RFC to be protected | *, or all of FRFC, OCSB, SALX, SXMI, SYST, SDTX, RFC1, SDIFRUNTIME, SG00, SRFC, SYSU |
Type of RFC object to be protected | FUGR |
SAP Authorizations for Industry Solutions (ISU)
S_DEVELOP - ABAP Workbench
Name | Required Authorizations |
---|---|
ACTVT | 03 |
DEVCLASS | EE20 |
OBJNAME | * |
OBJTYPE | * |
P_GROUP | * |
SAP Authorizations for SAP Applications
The role SAP_BC_REDWOOD_COMM_EXT_SDL is required for Business Automation Enabler (BAE).
Please ensure that the role has the following authorizations:
S_RFC_ADM
Name | Required Authorizations |
---|---|
Activity | All activities |
Internet Communication Framework | * |
Logical Destination | CRONACLE*, REDWOOD |
Type of Entry in RFCDES | All values |
note
ABAP users connecting to Redwood Server require the role SAP_BC_BATCH_ADMIN_REDWOOD.