The authorizations that you need for Studio depend on whether you are using the Transaction module or the Query module.
The Studio modules for Transaction and Query fully protect SAP® security features. In no circumstances can the Transaction and Query modules override the SAP authorization restrictions that you are bound to.
In most cases, these SAP authorizations are already in place. If, however, you have tried the Transaction module or the Query module but cannot use it, or if you are seeing error messages, the information below can help you and your security team to understand the SAP authorization required to work with the Transaction and Query modules and address the issue.
Transaction: Required SAP authorizations
Customers running SAP with Basis level 700 Support Pack stack 24 or higher will need to implement the custom Automate Function Module for Non-Batch recording modes to work.
Transaction authorization via SAP GUI:
The Transaction module cannot run a transaction if you cannot run that transaction in the SAP GUI. If you do not have access to a particular transaction, please obtain authorization for it before you record or run that transaction in the Transaction module.
Remote Function Calls (RFC) authorization:
The Transaction module makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with the Transaction module.
For the S_RFC authorization object:
• Field RFC_TYPE Value FUGR (function group)
• Field ACTVT Value 16 (execute) or *
• Field RFC_NAME
The following values are required for running shuttle files: SYST, SRFC, SUSR, RFC1, RFCH, SBDC, ATSV, STTF, SDTX
The following additional values are required for recording shuttle files: SBDR, SCAT, STTM, SDTX
The following values are required to use document attachment: BDS_BAPI, SDC_MIME, OPTA, OPTB, CVBAPI, CVAPI01, ARCHIVOBJECT, SWOR, BREL, SOA1, SOC3, SOC8
Additionally, document attachment requires access to object S_BDS_DS with all values except lock and delete.
The following value is required to use SAP List of Values (F4) with forms: SWFMOD_Workflow
The following values are required for Addin F4 help: RHF4
F4 in WFM: SIMG, BDL5, SUNI
Add Long Text: STXKS, ALFA, ITOB_BAPI_EQ, ITOB_BAPI_FL, IBAPI_ALM_ORDER, IWOPM, MEWI ,0012, 1022
Additional Automate Utility RFM’s : 1001MASSUEB
Create and run: RFCH, RFC1, SRFC, SUSO, SUSR, SYST, SYGU
To check if a user is authorized to use a given rFM, the Transaction module validates that the user has EXECUTE(16) permission on the Function Group. Accordingly, when a given Function Module executes, it accesses the structures defined in the Function group too, so authorization for the Function Group is needed.
The Authority_Check rFM validates whether the user is authorized to use the Function Module of a given Function Group.
The following values are required for WFM 12.x:
- WFM rfms self check: /WINSHTLQ/*
- F4 in WFM: SIMG, BDL5
- Add Long Text: STXKS, ALFA
- Record in WFM: SBDR, SCP2
- Record, User Format in WFM: RFC1, SU_USER
- Validation WFM -BATG
- Document Attachment: SDC_MIME, OPTA, OPTB, CVBAPI, CVAPI01, ARCHIVOBJECT
- Additional Customer specific Wrapper RFM’s- SSRV, BPC3,TSRV, SSRV2
- Vendor master functionality call via Direct in WFM: FIN_AP_AR_BANK, 1011, BAPT, 1013, ACC9
- Vendor master functionality call via Direct in WFM(Only for S4HANA): BUBA_3 , BUBA_4
- Calculate prices BAPI call in WFM: WVK8
- Customer master functionality call via Direct in WFM: SZAK
Table Level authorizations:
The Transaction module can get logs, extended comments, field descriptions, and messages during the debug process. For this, the user must have access to certain tables. Table level access is controlled by authorization object S_TABU_DIS. Transaction needs access to the following tables: T100, TFDIR, DD03L, DD04L, TSTCT, D020T, and DD03M. To enable this access, please set up the following authorization:
Authorization Object: S_TABU_DIS
Field Authorization Group (DICBERCLS) = SS, &NC&
Field Activity (ACTVT) = 03 (Display only)
Transaction (non-WFM)
Table Name | Purpose |
---|---|
TSTCT | Get description of transaction code |
D020T | Get description of screen |
DD03M | Get field description |
TFDIR | Check that Debug mode is supported |
T100 | Extracting message |
DD03L | Retrieve data types corresponding to fields |
GUI Scripting authorizations:
In addition to RFC calls, the Transaction module also provides access to the SAP system using the SAP GUI Scripting mode. To check whether GUI scripting is enabled, look on the right-end of the SAP GUI status bar.
If you see the barber-pole icon on your status bar, GUI scripting is enabled.
If you do not see the icon, ask your security team to use the RZ11 transaction to enable GUI scripting. To enable SAP GUI scripting on the SAP server, the administrator must set the profile parameter sapgui/user_scripting to TRUE on the application server. To enable this parameter, run transaction RZ11. See OSS note 480149 for specific information.
Additionally, please enable scripting on the SAP GUI front-end as follows:
- Open the Options dialog box from the main GUI screen.
- Select the Scripting tab, and select the Enable Scripting check box.
SAP authorizations table
|
Query: Required SAP authorizations
Remote Function Calls (RFC) authorization:
The Studio v12 Query module makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with the Query module.
For the S_RFC authorization objects:
- Field RFC_TYPE: FUGR (function group)
- Field ACTVT: 16 (execute) or *
- Field RFC_NAME: *
Create and run: RFCH, RFC1, SRFC, SUSO, SUSR, SYST, SYGU
F4 value – RHF4
Create and Run: SDIFRUNTIME
T-code recording to table SBDR, SDTX, SBDC
InfoSets SQ02 and queries SQ01: INSTALL, AQRC, AQCF
The following values are required for WFM 12.x:
- WFM rfms self check: /WINSHTLQ/*
- LDB process via WFM: SDIFRUNTIME, SEU2, SEQ0, ALDB
- Orphaned Chunk clearing in WFM: SGWY
- Background Query run in WFM: BDL3, THFB, RSSG, BTCH
Table Level authorizations:
To access a specific table in the Query module, you need table-level access. Table-level access in SAP is independent of a transaction. For example, you may have access to the transaction MM01 which uses the Material Master table (MARA), but this does not give you automatic access to that table. Table-level access is controlled by the authorization object S_TABU_DIS for client dependent tables and by S_TABU_CLI for client independent tables.
Query non-WFM table names:
Table name | Purpose |
---|---|
DD02T | Get SAP Table description |
DD17S | Retrieve all fields corresponding to table |
DD03L | Returns a data table having fields with key flag for given table |
DD02L | Look for table type |
DD02V | Look for table type and description from view. |
DD27VV | Get all fields corresponding to view |
DDFTX | To search table for field description |
Authorization object:
S_TABU_DIS
Fields:
Authorization group (DICBERCLS): &NC&
Activity (ACTVT): 03 (Display)
For example:
Almost every client-dependent table in SAP is assigned to a specific authorization group in the SAP table TDDAT, field CCLASS. For example, the table MARA is assigned to the authorization group MA.
To access Table MARA, authorization group MA must be assigned to your SAP profile in the authorization object S_TABU_DIS as indicated below:
Authorization object:
S_TABU_DIS
Fields:
Authorization group (DICBERCLS): MA (For table MARA)
Activity (ACTVT): 03 (Display)
Notes
- Each table can belong to a different authorization group. For you to access different tables, your profile must have the proper authorization for the appropriate groups.
- For client-independent tables (where field ‘MANDT’ is not present in the table),
you need the following authorization object in your SAP
profile:
Authorization Object:
S_TABU_CLI
Fields:
CLIIDMAINT: X
- If your required table is not listed in the SAP table TDDAT, you can attain the
specific authorization group by assigning the following:
Authorization object:
S_TABU_DIS
Fields:
Authorization group (DICBERCLS): &NC&
Activity (ACTVT): 03 (Display)