Skip to main content

RFC Authorization

  • Process Runner fully protects SAP security features. Process Runner cannot override SAP authorization restrictions that user is bound to.

  • SAP security can further restrict what user can execute from Process Runner and what they can execute from SAP GUI. If required RFC authorizations are missing, user may be able to execute that function from SAP GUI but may not be able to do so from Process Runner.

  • This section can help the user and user’s security team to understand authorization required to run Process Runner. In some cases, basic authorizations may already be in place.

A. Normal SAP Authorization

Process Runner cannot run a transaction if user cannot run that transaction in SAP GUI. If user does not have access to particular transaction, they should first obtain regular GUI authorization for it before attempting to run that transaction in Process Runner.

B. Additional RFC Authorization

  • Process Runner Transaction, BAPI and Data Extraction modules make RFC calls to SAP. User must have this additional access assigned to them. This access is over and above user’s regular transaction access via SAP GUI.

  • Authorization Object: S_RFC (object controls what user can execute from Process Runner).

  • Fields:

ACTVT: 16

(execute) RFC_TYPE:

FUGR

RFC_NAME: value from table below (or in some case *)

RFC_NAME value for S_RFC Object For following function
For Transaction Process

 

SYST, RFC1, ATSV Running transactions – release before ECC6
SYST, RFC1, SBDC, SDTX1 (if SDTX is not available, either SIGE or BATG will also work) Running transactions ECC6 and higher
SYST, RFC1, ATSV, SQUE, SBDR New Recording without descriptions
SYST, RFC1, ATSV, SBDR, SDTX1 (if SDTX is not available, SDIFRUNTIME will also work) New Recording with descriptions2
SYST, RFC1, SBDC Transaction Step-by-Step debug
SSYST, RFC1, SBDC, SDTX (if SDTX is not available, either SIGE or BATG will also work) Transaction Step-by-Step debug with messages2
SYST, RFC1, STTM New Recording with SAP control framework objects
SYST, RFC1, STTF Reading data from SAP to Excel
SYSU, SDIFRUNTIME Mandatory if Use NCo Library option is enabled in systems properties settings.
For BAPI/RFM Process

 

SYST, RFC1 New BAPI/RFM creation without description
SYST, RFC1,SDTX1 New BAPI/RFM creation with description
Function group that BAPI/RFM belongs to. Running BAPI/RFM
SYSU, SDIFRUNTIME Mandatory if Use NCo Library option is enabled in systems properties settings.
RFC_METADATA New recording and execution. Enable the entire group RFC_METADATA
For Data Extraction Process

 

SYST, SDTX, SUSE To build extraction profile
BBPB

To execute the Data extractor file (Optional). In latest SAP versions, SAP has provided an enhanced function module (with additional features) to access SAP tables through RFC.

To use this FM in Process Runner, this authorization is required.

Table Level Authorization

For the table user needs to extract data from. See note #3 below on which authorization object is involved.

Line Level Authorization For the table user needs to extract data from. See line level security document which explains authorization involved in Row level.
SYSU, SDIFRUNTIME Mandatory if Use NCo Library option is enabled in systems properties settings.
  • SDTX is not mandatory. However, transaction messages will not be fully expanded without this access.

  • To get extended comments and for retrieving messages during debug modes, user may need further access to a few tables. Refer to section 3 below for more details.

Check whether the required function group authorization is assigned to a user or not. If user cannot perform these steps, ask some other users who have this access to perform this for user.

To Check for The Authorization

  1. Logon to SAP using GUI in SAP system where authorization problem seems to occur.
  2. Run transaction code SE37 and type in AUTHORITY_CHECK_RFC, Click on single test (F8).
  3. In USERID field, type in user name who has access problem or for whom user wants to check the authorization.
  4. In FUNCTIONGROUP field, type RFC_NAME required from table above.
  5. Click on execute (F8).
  6. If this results in an exception, then user does not have appropriate authorization. The security team will have to add appropriate authorization as per instruction above.

C. How Table Level Authorization Works in SAP

Process Runner can get field and screen descriptions during new process creation. Descriptions provide additional information for user when they are viewing the recording in Process file. For this, to work correctly user should have access to some of the tables where descriptions are stored. If user does not have this access, Process Runner will display a message and continue without the descriptions.

A lack of description does not impact how Process Runner executes Transaction or BAPIs. Descriptions are not mandatory but are a nice to have feature.

Here is how Table Level Authorization works in SAP: To access any table in SAP, you need to have table level access. Table access in SAP is independent of transaction or RFC access.

  • You may have access to MM02 transaction, which uses MARA table. This does not give you automatic access to MARA table.

  • Table level access is controlled by authorization object S_TABU_DIS. Access of MARA table is controlled separately as explained below.

  • Almost every table in SAP is assigned to a specific authorization group in table TDDAT, field CCLASS. For example, table MARA is assigned to authorization group MA. To access Table MARA, authorization group MA must be assigned to you under S_TABU_DIS object as indicated below.

  • Authorization Object: S_TABU_DIS

  • Fields:

Authorization group (DICBERCLS) = MA (For table MARA.) Activity (ACTVT) = 03 (Display)

Now, here’s what you need so that Process Runner can get descriptions from SAP.

For description extraction:

Authorization Object: S_TABU_DIS Fields:

Authorization group (DICBERCLS) = SS, &NC& Activity (ACTVT) = 03

  • For step by step debug operation:

    Authorization Object: S_TABU_DIS Fields:

    Authorization group (DICBERCLS) = SS Activity (ACTVT) = 03

  • Note:

  • Each table may belong to a different authorization group. Authorization for each of these groups should be there in your profile to have access to those tables.
  • Process Runner may need access to T100, DD03M and D020T tables. Additionally, some feature of Process Runner may use APQI table.
  • If table is not listed in TDDAT table and you need access to that table, you will have to make following assignment:

    Authorization group (DICBERCLS) = &NC& Activity (ACTVT) = 03

Was this article helpful?

We're sorry to hear that.