Required Permissions

This topic describes the minimum permissions required for users to perform IdentityIQ operations on the SAP Direct source.

For the SAP Direct source, the service account is an administrative account. The following tables list the permissions associated with different operations on SAP authorization objects. The tables include the SAP fields used to specify the permissions.

The following table lists the required permissions for specific operations:

Note
There are additional permissions for (For Change Password only) For SNC (Secure Network Communication).

Operation

Required Permissions

Test Connection

Test Connection

Account Aggregation

Group Aggregation

Test Connection and Group Aggregation

Note
For Group Aggregation in CUA systems, additional permissions must be executed as specified in the Group Aggregation section.

Delta Aggregation

Test Connection, Account Aggregation and Delta Aggregation

Create Account

Test Connection, Account Aggregation and Create Account (Create user with assign role and profiles)

Note
For Create Account in CUA systems or a SNC network, additional permissions must be executed as specified in the Create Account (Create user with assign role and profiles) section.

Enable/Disable/Unlock Account

Test Connection, Account Aggregation and Enable/Disable/Unlock Account

Delete Account

Test Connection, Account Aggregation and Delete Account

Add/Remove Entitlement

Test Connection, Account Aggregation and Add/Remove Entitlements and Change Password

Change Password

Test Connection, Account Aggregation and Add/Remove Entitlements and Change Password

Note
For Change Password in a SNC network, additional permissions must be executed as specified in the Add/Remove Entitlements and Change Password section.

The role assigned to the SAP Administrative user must have the following Authorization Objects as mentioned in the tables below.

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

ACTVT

Activity

16 - Execute

RFC_NAME

Name of RFC object

RFCPING

RFC_TYPE

Type of RFC object

FUGR, FUNC

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

Activity: 16

RFC_NAME

Name of the RFC object

Add the following:

RFC_METADATA_GET

BAPI_USER_GETLIST

BAPI_USER_GET_DETAIL

DDIF_FIELDINFO_GET

MSS_GET_SY_DATE_TIME

RFC_GET_FUNCTION_INTERFACE

SDTX

SMSSDATA1

SU_USER

BAPI_USER_ACTGROUPS_ASSIGN

Based on the options configured in the UI, select one of the three options below.

  • Add this permission:

    RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE in accordance with our depreciation policies. SailPoint recommends that you start planning to move to use SailPoint's Function Module.

  • Add this permission to use SailPoint’s Function Module instead of RFC_READ_TABLE if your SAP_BASIS version is 740, Support Package 08, up to BASIS 750.

    /SAILPOIN/SAIL_READ_TABLE_LEG

  • Add this permission to use SailPoint’s Function Module instead of RFC_READ_TABLE if your SAP_BASIS version is 751 or later.

    /SAILPOIN/SAIL_READ_TABLE

    Note
    If you configure the permissions for SailPoint’s function module then remove the RFC_READ_TABLE value from the S_RFC authorization object.

To aggregate Organization Data, add the following:

BAPI_EMPLOYEE_GETDATA

RFC_METADATA

S_TABU_NAM

ACTVT

Activity

03 - Display

Activity: 03

TABLE Name

TABLE

Add the following:

USR11

USR06

USR02

TUTYP

TUTYPA

CVERS

PRDVERS

To aggregate Organization Data, add the following:

PA0105

S_USER_GRP

ACTVT

Activity

03 - Display

CLASS

User group in user master maintenance

* or specify the Group you want to assign for the user.

For example, SUPER

P_Orgin

(To aggregate Organization data)

AUTH

Authorization Level

R

INFTY

INFOTYPE

0001

PERSA

Personal area

*

PERSG

Employee group

*

SUBTYPE

SUBTY

*

PERSK

Employee subgroup

*

VDSK1

Organization Key

*

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

RFC_NAME

Name of RFC object

Add the following:

BAPI_USER_LOCACTGROUPS_READ

BAPI_USER_LOCPROFILES_READ

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

ACTVT

Activity

16 - Execute

S_RFC

Activity: 16

RFC_NAME

Name of RFC object

Add the following:

BAPI_HELPVALUES_GET

PRGN_ACTIVITY_GROUPS_LOAD_RFC

PRGN_EXCHANGE

COLL_ACTGROUPS_GET_ACTGROUPS

DDIF_FIELDINFO_GET

MSS_GET_SY_DATE_TIME

PRGN_COLLECTIVE_ACTGROUPS

RFC_GET_FUNCTION_INTERFACE

SDTX

SMSSDATA1

Based on the options configured in the UI, select one of the three options below:

  • Add this permission:

    RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE in accordance with our deprecation policies. SailPoint recommends that you start planning to move to use SailPoint's Function Module.

  • Add this permission if your SAP_BASIS version is 740 Support Package 08 or later:

    /SAILPOIN/SAIL_READ_TABLE_LEG

  • Add this permission to use SailPoint’s Function Module instead of RFC_READ_TABLE if your SAP_BASIS version is 751 and later:

    /SAILPOIN/SAIL_READ_TABLE

Note
If you configure the permissions for SailPoint’s Function Module, then remove the RFC_READ_TABLE value from the S_RFC authorization object.

S_TABU_NAM

TABLE Name

TABLE

Roles

AGR_FLAGS, AGR_PROF, AGR_TCODES, AGR_TEXTS

Profiles

AGR_DEFINE, USR11, UST10C, UST10S

Authorization Objects associated with a role

AGR_1251, AGR_1252

Note
To avoid aggregating the Authorization Objects, then do not provide AGR_1251 or AGR_1252 and remove Authorization Objects from the group schema as well.

To aggregate Organization Data and Indirect Roles, add the following:

HRP1000

HRP1001

Note
Group aggregation specific to Authorization Objects are not supported for the SAP CUA system.

Authorization Objects

Field Name

Field Description

Field Value

S_TABU_NAM

TABLE Name

TABLE

Profiles

USRSYSPRF

USRSYSPRFT

Roles

USRSYSACTT

USRSYSACT

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

RFC_NAME

Name of RFC object

Add the following:

/SAILPOIN/USR_CHANGE_DOC_USERS

/SAILPOIN/IDENTITYIQ_FUGR

/SAILPOIN/USR_CHANGE_DOC_ROLES

S_TABU_NAM

TABLE Name

TABLE

USBAPILINK

S_USER_GRP

ACTVT

Activity

08 - Display change document

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

01 - Create or generate

S_RFC

RFC_NAME

Name of RFC object

SDIFRUNTIME

S_USER_SAS

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

01 - Create

ACT_GROUP

Role name

* or you can specify the role name for which you have assigned

CLASS

User group in user master maintenance

* or specify the Group you want to assign for the user

For example, SUPER

PROFILE

Auth. profile in user master maintenance

* or you can specify the Profile for which you have assigned

SUBSYSTEM

Receiving system for central user administration

* or specify the system you are targeting

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

PP – Set Productive

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

05 - Lock

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

06 - Delete

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

78 - Assign

CLASS

User group in user master maintenance

* or specify the Group you want to assign or remove for the user.

S_RFC

RFC_NAME

Name of RFC object

SDIFRUNTIME

S_USER_SAS

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

ACT_GROUP

Role name

* or you can specify the role name for which you have assigned

CLASS

User group in user master maintenance

* or specify the Group you want to assign for the user.

For example, SUPER

PROFILE

Auth. profile in user master maintenance

* or you can specify the Profile for which you have assigned

SUBSYSTEM

Receiving system for central user administration

* or specify the system you are targeting.

S_USER_AGR

ACTVT

Activity

02 - Change

ACT_GROUP

Role name

* or you can specify the role name for which you want to provide access

S_USER_PRO

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

PROFILE

Auth. profile

* or you can specify the Profile for which you want to provide access.

Authorization Objects

Field Name

Field Description

Field value

S_USER_GRP

ACTVT

Activity

PP – Set Productive

For more information on table-level permissions, refer to Configuration Table for SAP Direct.

Authorization Objects

Field Name

Field Description

Field value

S_RFC

ACTVT

Activity

16-Execute

RFC_NAME

Name of RFC object

Add the following:

BAPI_EMPLCOMM_CHANGE

BAPI_EMPLCOMM_CREATE

BAPI_EMPLOYEE_ENQUEUE

BAPI_EMPLOYEE_DEQUEUE

BAPI_EMPLOYEE_GETDATA

BAPI_EMPLOYEE_CHECKEXISTENCE

BAPI_EMPLCOMM_GETDETAILEDLIST

P_Orgin

AUTHC

Authorization Level

Add the following:

E

S

W

INFTY

INFOTYPE

0105

PERSA

Personal area

*

PERSG

Employee group

*

SUBTYPE

SUBTY

*

PERSK

Employee subgroup

*

VDSK1

Organization Key

*

S_USER_GROUP

ACTIVITY

Activity

03

CLASS

User group in user master maintenance

*

Refer to the following for information about configuring permissions to aggregate Organization Data: