Authorizations in the SAP system

 

1. EasyInput required authorizations

The user needs the following SAP authorization objects to run the script:

OBJECT: ‘S_RFC’

ACTVT: ‘16’ (=execute)

RFC_NAME:

SRFC

RFC1

STTF

BATG

BACV

BAPT

MRFC

SDTB

SDDO

SUF4

SYST

SYSU

SCTM

SICM

SBDC

SBDR

RFC_METADATA

/BCC/Z_EASYINPUT

RFC_TYPE: ‘FUGR’

Note that independent of SAP authorizations, but depending on the EasyInput license file, the user may have full EasyInput functionality (script development, template scripts access, script execution) or restricted functionality (only script execution).

 

2. Function script:

When using a BAPI/Function script, each function module used requires additional authorizations:


OBJECT: ‘S_RFC’

ACTVT: ‘16’ (=execute)

RFC_NAME: ‘*’ (replace * with the ID_OF_THE_FUNCTION_MODULE)

RFC_TYPE: ‘FUNC’

In older systems (SAP_BASIS application component < 702), the granularity of the authorizations has to be larger (function group). If this is the case, use:

OBJECT: ‘S_RFC’

ACTVT: ‘16’ (=execute)

RFC_NAME: ‘*’ (replace * with the ID_OF_THE_FUNCTION_GROUP_OF_THE_MODULE)

RFC_TYPE: ‘FUGR’
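
One way to audit a role against the S_RFC requirements in sections 1 and 2 (an added example, not part of the EasyInput documentation). The role layout, the helper names, the sample role and the function module name are assumptions made for illustration; the check reports required entries the role does not grant and any generic `*` values left in RFC_NAME.

```python
# Function groups listed under RFC_NAME in section 1 (RFC_TYPE 'FUGR').
REQUIRED_FUGR = {
    "SRFC", "RFC1", "STTF", "BATG", "BACV", "BAPT", "MRFC", "SDTB", "SDDO",
    "SUF4", "SYST", "SYSU", "SCTM", "SICM", "SBDC", "SBDR", "RFC_METADATA",
    "/BCC/Z_EASYINPUT",
}

def covers(value, name):
    """Assumption: a value is an exact name or a generic pattern ending in '*'."""
    if value.endswith("*"):
        return name.startswith(value[:-1])
    return value == name

def audit_s_rfc(role, needed_func=()):
    """Return (missing, generic) for a role given as a list of field dicts."""
    granted, generic = {}, []
    for auth in role:
        # Only S_RFC entries that allow execution (ACTVT 16 or '*') count.
        if auth.get("OBJECT") != "S_RFC" or not {"16", "*"} & set(auth.get("ACTVT", ())):
            continue
        rfc_type = auth.get("RFC_TYPE")
        for value in auth.get("RFC_NAME", ()):
            granted.setdefault(rfc_type, set()).add(value)
            if value.endswith("*"):
                generic.append((rfc_type, value))  # grants more than one object
    wanted = (("FUGR", REQUIRED_FUGR), ("FUNC", set(needed_func)))
    missing = [(rfc_type, name)
               for rfc_type, names in wanted
               for name in sorted(names)
               if not any(covers(v, name) for v in granted.get(rfc_type, ()))]
    return missing, generic

# Constructed sample role, not an export from a real system: two function
# groups are missing and RFC_NAME for FUNC was left as '*'.
SAMPLE_ROLE = [
    {"OBJECT": "S_RFC", "ACTVT": ["16"], "RFC_TYPE": "FUGR",
     "RFC_NAME": sorted(REQUIRED_FUGR - {"SBDR", "SICM"})},
    {"OBJECT": "S_RFC", "ACTVT": ["16"], "RFC_TYPE": "FUNC", "RFC_NAME": ["*"]},
    {"OBJECT": "S_TCODE", "TCD": ["SHDB"]},
]

if __name__ == "__main__":
    # BAPI_USER_GET_DETAIL stands in for whichever function module a script calls.
    missing, generic = audit_s_rfc(SAMPLE_ROLE, ["BAPI_USER_GET_DETAIL"])
    print("missing:", missing)
    print("generic values to narrow:", generic)
```
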

 

Important: When using a function script with the SAP conversion module, the following additional authorizations may be needed (in the full version one can use the module provided by SNP, /BCC/Z_EASYINPUT_RCONV, which does not require additional authorizations):

OBJECT: ‘S_TABU_RFC’

ACTVT: ‘03’ (=display)

 

The user needs the following SAP authorization objects to use the BAPI transaction to choose the function modules (only the script developer needs these authorizations):

OBJECT: ‘S_TCODE’

TCD: BAPI

 

OBJECT: ‘S_DEVELOP’

OBJTYPE: ‘*’

OBJNAME: ‘*’

ACTVT: ‘03’ (=display)

 

 

3. Transaction script:

Important: When using extended mode in the transaction script with the SAP function module, the following additional authorizations will be needed (in the full version one can use the module provided by SNP, /BCC/Z_EASYINPUT_SIMPLE, which does not require additional authorizations):

 

OBJECT: ‘S_DEVELOP’

OBJTYPE: ‘SCAT’

OBJNAME: ‘*’

ACTVT: ‘16’ (=execute)


OBJECT: ‘S_DEVELOP’

OBJTYPE: ‘ECSC’

OBJNAME: ‘*’

ACTVT: ‘16’ (=execute)

 

Important: Using Extended Mode: when the SNP function modules are not used for the transaction script (parameter ExtendedRunFunctionModule on the EI_Config worksheet, which can be set in the full version if the BCC transport is imported in the system), E-CATT must be allowed at the SAP client level (SCC4 transaction) before Extended mode can be used.

 

 

The user needs the following SAP authorization objects to use the SHDB transaction to record the transaction scripts (only the script developer needs these authorizations):

 

OBJECT: ‘S_TCODE’

TCD: SHDB

 

 

The user needs the following SAP authorization objects to debug a transaction within EasyInput:

 

OBJECT: ‘S_TCODE’

TCD: SHD0

 

4. SAP GUI Scripting

SAP GUI scripting is available from SAP NetWeaver version 6.20 or higher. To enable SAP GUI scripting globally on the server side, the parameter sapgui/user_scripting should be set to true in the RZ11 transaction.

 

To enable SAP GUI Scripting only for chosen users, the parameter sapgui/user_scripting_per_user should be set to true in the RZ11 transaction. In that case, the additional authorization object given below is required for users to be able to use SAP GUI Scripting:

 

OBJECT: ‘S_SCR’

ACTVT: ‘16’ (=execute)

CLASS: ‘BC_A’

 

Additionally, on the user's SAP GUI side, the switch Enable Scripting in SAP GUI Options > Accessibility & Scripting > Scripting should be checked to enable scripting on the user side.

 

5. OData script:

Authorization objects needed to use OData services:

OBJECT: ‘S_SERVICE’

PROG ID: ‘R3TR’

OBJTYP: ‘IWSG’

OBJNAME: ‘/IWFND/SG_MED_CATALOG_0001’

 

OBJECT: ‘S_SERVICE’

PROG ID: ‘R3TR’

OBJTYP: ‘IWSG’

OBJNAME: ‘/IWFND/SG_MED_CATALOG_0002’

 

OBJECT: ‘S_TCODE’

TCD: /IWFND/TRACES, /IWFND/GW_CLIENT

 

OBJECT: ‘/IWFND/ADM’

ACTVT: ‘03’ (=display)

 

 

To allow execution of a particular OData service, additional authorizations for that service are needed, e.g.:

OBJECT: ‘S_SERVICE’

PROG ID: ‘R3TR’

OBJTYP: ‘IWSG’

OBJNAME: ‘*’ (replace * with the specific service ID)

 

OBJECT: ‘S_START’

AUTHPGMID: ‘R3TR’

AUTHOBJTYP: ‘G4BA’ (Gateway OData V4)

OBJNAME: ‘*’ (replace * with the specific service ID)

 

 

Example role definition.