Required SAP authorizations for Studio

The authorizations that you need for Studio 12.1.x depend on whether you are using the Transaction module or the Query module.

The Studio 12.x modules for Transaction and Query fully protect SAP® security features. Under no circumstances can the Transaction and Query modules override the SAP authorization restrictions that you are bound to.

In most cases, these SAP authorizations are already in place. If, however, you have tried the Transaction module or the Query module but cannot use it, or if you are seeing error messages, the information below can help you and your security team understand the SAP authorizations required to work with the Transaction and Query modules and address the issue.

Transaction: Required SAP authorizations

Customers running SAP with Basis level 700 Support Pack stack 24 or higher will need to implement the custom Winshuttle Function Module for Non-Batch recording modes to work.

Transaction authorization via SAP GUI:

The Transaction module cannot run a transaction if you cannot run that transaction in the SAP GUI. If you do not have access to a particular transaction, please obtain authorization for it before you record or run that transaction in the Transaction module.

Remote Function Calls (RFC) authorization:

The Transaction module makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with the Transaction module.

For the S_RFC authorization object:

• Field RFC_TYPE: FUGR (function group)

• Field ACTVT: 16 (execute) or *

• Field RFC_NAME: the values listed below, depending on the feature used

The following values are required for running shuttle files: SYST, SRFC, SUSR, RFC1, RFCH, SBDC, ATSV, STTF, SDTX

The following additional values are required for recording shuttle files: SBDR, SCAT, STTM, SDTX

The following values are required to use document attachment: BDS_BAPI

Document attachment also requires access to the authorization object S_BDS_DS with all values except lock and delete.

The following value is required to use SAP List of Values (F4) with forms: SWFMOD_Workflow

The following values are required for Addin F4 help: RHF4

The following values are required for WFM v11:

WFM rfms self check: /WINSHTLQ/*

F4 in WFM: SIMG, BDL5

Record in WFM: SBDR, SCP2

Record, User Format in WFM: RFC1, SU_USER

Background Query run in WFM: BDL3, THFB

Calculate prices BAPI call in WFM: WVK8

Vendor master functionality call via Direct in WFM: FIN_AP_AR_BANK, 1011, BAPT, 1013

Customer master functionality call via Direct in WFM: SZAK

InfoSet SQ02, Queries SQ01 in WFM: AQCF

To check whether a user is authorized to use a given rFM, the Transaction module validates that the user has EXECUTE (16) permission on the Function Group. When a given Function Module executes, it also accesses the structures defined in its Function Group, so authorization for the Function Group is needed.

The Authority_Check rFM validates whether the user is authorized to use the Function Module of a given Function Group.
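The S_RFC requirements above can be turned into a gap check that a security team runs against a user's role contents. The following is an added example, not Winshuttle or SAP code: the sample grants are constructed, and the matching rule (exact value or a prefix ending in `*`) is an assumption about how the RFC_NAME values are maintained.

```python
# RFC_NAME function groups the page lists for the Transaction module.
REQUIRED = {
    "run": ["SYST", "SRFC", "SUSR", "RFC1", "RFCH", "SBDC", "ATSV", "STTF", "SDTX"],
    "record": ["SBDR", "SCAT", "STTM", "SDTX"],
    "attachment": ["BDS_BAPI"],
    "addin_f4": ["RHF4"],
}

def value_matches(pattern, value):
    """Assumed matching rule: exact value, or a prefix ending in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def covers(grant, group):
    """True if one S_RFC authorization lets the user execute function group `group`."""
    return (
        grant["RFC_TYPE"] in ("FUGR", "*")
        and any(a in ("16", "*") for a in grant["ACTVT"])
        and any(value_matches(p, group) for p in grant["RFC_NAME"])
    )

def audit(grants, features):
    """Return (missing groups per feature, wildcard RFC_NAME values in use)."""
    missing = {}
    for feature in features:
        gaps = [g for g in REQUIRED[feature] if not any(covers(gr, g) for gr in grants)]
        if gaps:
            missing[feature] = gaps
    broad = sorted({p for gr in grants for p in gr["RFC_NAME"] if p.endswith("*")})
    return missing, broad

# Constructed sample: the S_RFC authorizations found in one user's roles.
SAMPLE_GRANTS = [
    {"RFC_TYPE": "FUGR", "ACTVT": ["16"], "RFC_NAME": ["SYST", "SRFC", "SUSR", "RFC1", "RFCH"]},
    {"RFC_TYPE": "FUGR", "ACTVT": ["16"], "RFC_NAME": ["SBD*", "STT*", "SDTX"]},
    # Granted per function module (FUNC), so it does not satisfy the FUGR requirement.
    {"RFC_TYPE": "FUNC", "ACTVT": ["16"], "RFC_NAME": ["ATSV"]},
]

if __name__ == "__main__":
    missing, broad = audit(SAMPLE_GRANTS, ["run", "record"])
    print("missing:", missing)
    print("wildcards to review:", broad)
```

The second return value lists wildcard RFC_NAME entries so that they can be narrowed to the named function groups where least privilege is a goal.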

Table Level authorizations:

The Transaction module can get logs, extended comments, field descriptions, and messages during the debug process. For this, the user must have access to certain tables. Table level access is controlled by authorization object S_TABU_DIS. Transaction needs access to the following tables: T100, TFDIR, DD03L, DD04L, TSTCT, D020T, and DD03M. To enable this access, please set up the following authorization:

Authorization Object: S_TABU_DIS

Field Authorization Group (DICBERCLS) = SS, &NC&

Field Activity (ACTVT) = 03 (Display only)

Transaction (non-WFM)

| Table name | Purpose |
|---|---|
| TSTCT | Get description of transaction code |
| D020T | Get description of screen |
| DD03M | Get field description |
| TFDIR | Check that Debug mode is supported |
| T100 | Extracting message |
| DD03L | Retrieve data types corresponding to fields |

GUI Scripting authorizations:

In addition to RFC calls, the Transaction module also provides access to the SAP system using the SAP GUI Scripting mode. To check whether GUI scripting is enabled, look at the right end of the SAP GUI status bar.

If you see the barber-pole icon on your status bar, GUI scripting is enabled.

If you do not see the icon, ask your security team to enable GUI scripting. To enable SAP GUI scripting on the SAP server, the administrator must run transaction RZ11 and set the profile parameter sapgui/user_scripting to TRUE on the application server. See OSS note 480149 for specific information.

Additionally, please enable scripting on the SAP GUI front-end as follows:

  1. Open the Options dialog box from the main GUI screen.

    [Screenshot: Options command on the Customize Local Layout menu]

  2. Select the Scripting tab, and select the Enable Scripting check box.

    [Screenshot: Enable Scripting check box under User Settings]

SAP authorizations table

| Function Group | Instance | Mode | Description |
|---|---|---|---|
| SBDC | Run | Run- Step-by-step Batch | |
| | Record | GUI Scripting for Ep Portal | |
| | Run | GUI Scripting for Ep Portal | |
| ATSV | Run | Batch mode | |
| SUSR | Record | | |
| | Run | | |
| SBDR | Record | Batch | |
| | Record | Non-Batch without controls | |
| | Record | Non-Batch with controls | |
| STTM | Record | Non-Batch with controls | |
| SCAT | Record | Non-Batch with controls | |
| STTF | Run | Non-Batch with controls | |
| | Run | Non-Batch without controls | |
| RFC1 | Record | ALL | Check presence of FMs before calling them |
| | Run | ALL | |
| RFC1 | Run | Non-Batch | |
| SDTX | Record | ALL | |
| | Run | ALL | |
| RHF4 | None | None | Addin F4 Help |
| /winshtl/txafugr | Record | ALL | Existence is checked first; called only if present |
| | Run | ALL | |
| /winshtl/txufugr | Record | ALL | Existence is checked first; called only if present |
| | Run | ALL | |
| SYST | Logon | | |
| SRFC | | | |
| RFCH | | | |

| Table | Instance | Mode | Comments |
|---|---|---|---|
| TSTCT | Record | ALL except GUI Scripting | Description of transaction code |
| D020T | Record | ALL except GUI Scripting | |
| DD03M | Record | ALL | |
| TFDIR | Run-Step-by-step mode | ALL | Called for SAP Release less than 45 |
| T100 | Run | ALL except GUI Scripting | |
| | Run | BAPI with Extended Log | |

Query: Required SAP authorizations

Remote Function Calls (RFC) authorization:

The Studio v12 Query module makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with the Query module.

For the S_RFC authorization object:

  • Field RFC_TYPE: FUGR (function group)
  • Field ACTVT: 16 (execute) or *
  • Field RFC_NAME: *

Create and run: RFCH, RFC1, SRFC, SUSO, SUSR, SYST

F4 value: RHF4

Create and run: SDIFRUNTIME

T-code recording to table: SBDR, SDTX, SBDC

InfoSets SQ02 and queries SQ01: INSTALL, AQRC

The following values are required for WFM v11:

WFM rfms self check: /WINSHTLQ/*

LDB process via WFM: SDIFRUNTIME

Orphaned Chunk clearing in WFM: SGWY

Table Level authorizations:

To access a specific table in the Query module, you need table-level access. Table-level access in SAP is independent of a transaction. For example, you may have access to the transaction MM01, which uses the Material Master table (MARA), but this does not automatically give you access to that table. Table-level access is controlled by the authorization object S_TABU_DIS for client-dependent tables and by S_TABU_CLI for client-independent tables.

Query non-WFM table names:

| Table name | Purpose |
|---|---|
| DD02T | Get SAP Table description |
| DD17S | Retrieve all fields corresponding to table |
| DD03L | Returns a data table having fields with key flag for given table |
| DD02L | Look for table type |
| DD02V | Look for table type and description from view |
| DD27VV | Get all fields corresponding to view |
| DDFTX | To search table for field description |

Authorization object:

S_TABU_DIS

Fields:

Authorization group (DICBERCLS): &NC&

Activity (ACTVT): 03 (Display)

For example:

Almost every client-dependent table in SAP is assigned to a specific authorization group in the SAP table TDDAT, field CCLASS. For example, the table MARA is assigned to the authorization group MA.

To access Table MARA, authorization group MA must be assigned to your SAP profile in the authorization object S_TABU_DIS as indicated below:

Authorization object:

S_TABU_DIS

Fields:

Authorization group (DICBERCLS): MA (For table MARA)

Activity (ACTVT): 03 (Display)

Notes

  • Each table can belong to a different authorization group. For you to access different tables, your profile must have the proper authorization for the appropriate groups.
  • For client-independent tables (where field ‘MANDT’ is not present in the table), you need the following authorization object in your SAP profile:

    Authorization Object:

    S_TABU_CLI

    Fields:

    CLIIDMAINT: X

  • If your required table is not listed in the SAP table TDDAT, you can get access to it by assigning the following:

    Authorization object:

    S_TABU_DIS

    Fields:

    Authorization group (DICBERCLS): &NC&

    Activity (ACTVT): 03 (Display)
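
The table-level rules above (authorization group from TDDAT, &NC& when the table is not listed, S_TABU_CLI when the table has no MANDT field) can be applied to a list of tables to produce the exact authorizations to request. This is an added example, not Winshuttle or SAP code; the TDDAT extract, field lists, user profile and the ZDEMO_* table names are constructed, apart from the MARA to MA assignment that the page gives.

```python
NOT_CLASSIFIED = "&NC&"  # group the page says to grant when a table is not in TDDAT

def needed_auths(table, tddat, fields):
    """Authorizations the page requires for displaying `table` in the Query module."""
    group = tddat.get(table, NOT_CLASSIFIED)
    needs = [("S_TABU_DIS", {"DICBERCLS": group, "ACTVT": "03"})]
    if "MANDT" not in fields[table]:  # client-independent table
        needs.append(("S_TABU_CLI", {"CLIIDMAINT": "X"}))
    return needs

def held(profile, obj, want):
    """True if one authorization for `obj` satisfies every wanted field ('*' = any)."""
    return any(
        all(auth.get(f) in (v, "*") for f, v in want.items())
        for auth in profile.get(obj, [])
    )

def missing_auths(tables, profile, tddat, fields):
    """Map each table to the required authorizations the profile does not hold."""
    report = {}
    for table in tables:
        gaps = [n for n in needed_auths(table, tddat, fields) if not held(profile, *n)]
        if gaps:
            report[table] = gaps
    return report

# Constructed sample data.
TDDAT = {"MARA": "MA"}                      # table -> CCLASS (MARA/MA is from the page)
FIELDS = {
    "MARA": ["MANDT", "MATNR"],
    "ZDEMO_LOG": ["MANDT", "LOGID"],        # hypothetical, not listed in TDDAT
    "ZDEMO_CFG": ["CFGKEY", "CFGVAL"],      # hypothetical, no MANDT field
}
PROFILE = {
    "S_TABU_DIS": [
        {"DICBERCLS": "MA", "ACTVT": "03"},
        {"DICBERCLS": "&NC&", "ACTVT": "02"},  # change only: display (03) is not held
    ],
}

if __name__ == "__main__":
    for table, gaps in missing_auths(FIELDS, PROFILE, TDDAT, FIELDS).items():
        print(table, "needs", gaps)
```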