QUERY > Advanced features > Authorizations

Back to

Advanced features

Authorizations

Required SAP Authorizations in QUERY

QUERY fully protects SAP security features. Under no circumstances can QUERY override the SAP authorization restrictions you are bound to. This document can help you and your security team to understand the SAP authorizations that are required to work with QUERY. In most cases, these SAP authorizations are already in place. This document can also help if you have tried QUERY, but cannot use it, or if you see error messages.

Remote Function Calls (RFC) Authorization

QUERY makes RFC calls to SAP. RFC access must be assigned. In most cases, these authorizations are already assigned to you. To work with SAP, the following objects with the indicated values should be in your SAP user profile.

For the S_RFC Authorization Object:

• Field RFC_TYPE - FUGR (function group)

• Field ACTVT - 16 (execute) or *

• Field RFC_NAME - *

Table Level Authorization

To access a specific table in QUERY, you need table level access. Table level access in SAP is independent of a transaction. For example, you may have access to the transaction MM01 which uses the Material Master table (MARA), but this does not give you automatic access to that table. Table level access is controlled by these authorization objects:

• S_TABU_DIS for client dependent tables

• S_TABU_CLI for client independent tables

Almost every client dependent table in SAP is assigned to a specific authorization group in the SAP table TDDAT, field CCLASS. For example, table MARA is assigned to the authorization group MA.

To access Table MARA, authorization group MA must be assigned to your SAP profile in the authorization object S_TABU_DIS as indicated in the following example:

Authorization Object: S_TABU_DIS

Fields: Authorization group ( DICBERCLS) - MA (For table MARA)

Activity ( ACTVT) - 03 (Display)

Notes:

  1. Each table may belong to a different authorization group. For you to access different tables, your profile must have the proper authorization for the appropriate groups.
  2. For client independent tables (where the field MANDT is not present in the table), you need the following authorization object in your SAP profile:

    Authorization Object: S_TABU_CLI

    Field: CLIIDMAINT - X

  3. To attaining the specific authorization group, if your required table is not listed in the SAP table TDDAT, you must make the following assignment:

    Authorization Object: S_TABU_DIS

    Fields: Authorization group ( DICBERCLS) - &NC&

    Activity ( ACTVT) - 03 (Display)

Also in this section

Administrator options