Required Permissions

Warning
The RFC_READ_TABLE integration function module is deprecated as of January 2023. All enhancements and fixes after this date are only supported on the SailPoint ABAP Function Module. For more information, refer to the announcement post. For more information on configuration, refer to SailPoint Add-On to replace the use of RFC_READ_TABLE.

The following table lists the required permissions for the specific operations mentioned below:

Operation

Required Permissions

Access Management - Test Connection

Test Connection

Access Management - Account Aggregation

Test Connection and Account Aggregation

Access Management - Group Aggregation

Test Connection and Group Aggregation

Access Management - Provisioning

Test Connection, Account Aggregation, Group Aggregation, and Provisioning

Risk Analysis

Risk Analysis

Custom BAPI

Custom BAPI

Risk Management

Risk Management

The SAP GRC account must have the following Authorization Objects assigned to it:

Note
Asterisks (*) indicate required values.

Authorization Objects

Field Names

S_SERVICE

SRV_NAME (Select * or select Technical names of the following web service configured in SAP GRC)

  • User access Webservice

  • Request details Webservice

  • Risk analysis Webservice

  • Audit log Webservice

SRV_TYPE: WS

GRAC_RA

  • Activity: Administrator

  • Object types for Authorization: User, Role, and Profile

  • Risk Analysis Mode: All values or *

  • Report Type: All values or *

GRAC_SYS

  • Activity: 01

  • Application Type: 001 (SAP)

  • SYSTEM Environment: Select the environment in use, that is, Development, Production, or Test

  • Connector ID: * or select the connector ID configured on SAP GRC

GRAC_REQ

  • Activity: 01

  • Request Type: 001,002

  • Business Process: *

  • Functional Area: *

  • Request for single or multiple: All values or *

  • Request Information: All values or *

GRAC_ROLED

  • Activity: 03

  • Business Process: *

  • Connector Group: * or select the connector group configured on SAP GRC

  • Role Sensitivity: 000

  • Role Type: BUS, COM, CUA, PRF, and SIN

  • Role Name: * or provide the required value

Authorization Objects

Field Names

Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES

GRAC_USER_ACCESS_WS

GRAC_ROLE_DETAILS_WS

GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

S_RFC

 

Activity: 16

RFC_NAME

RFCPING

RFC TYPE

FUGR, FUNC

Authorization Objects

Field Names

Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES,
GRAC_USER_ACCESS_WS,
GRAC_ROLE_DETAILS_WS,
GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

 

S_RFC

 

Activity: 16

RFC_NAME

MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST

Note
Based on the options configured in the UI, select one of the following options:

  • RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module.

  • /SAILPOIN/SAIL_READ_TABLE_LEG

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 740, Support Package 08, up to BASIS 750.

  • /SAILPOIN/SAIL_READ_TABLE

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later.

Note
If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.

RFC_TYPE

FUGR, FUNC, GRACUSER, GRACUSERCONN

S_TABU_NAM

Activity: 03

TABLE

GRACUSERPROFILE, GRACUSERROLE, GRACUSERSOURCE, GRACRLCONN, GRACROLE, GRACRLCUARELAT, GRACRLCOMPRL, CVERS, PRDVERS

Note
For SAP GRC AC12 SP19 and above versions, additional permissions for the GRACUSERSOURCE table are required.

Authorization Objects

Field Names

Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

S_RFC

 

Activity: 16

RFC_NAME

MSS_GET_SY_DATE_TIME

RFCPING

RFC_GET_FUNCTION_INTERFACE

RFC_METADATA_GET

SDTX

SYST

Note
Based on the options configured in the UI, select one of the following options:

  • RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module.

  • /SAILPOIN/SAIL_READ_TABLE_LEG

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier.

  • /SAILPOIN/SAIL_READ_TABLE

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later.

Note
If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.

RFC_TYPE

FUGR, FUNC

S_TABU_NAM

Activity: 3

TABLE

GRACRLCONN, GRACROLE

(Only applicable when the Associated Child Roles attribute is peresent in the Group Schema) GRACROLERELAT, GRACRLCOMPRL

GRAC_ROLED

 

GRAC_ACTRD :03

GRAC_BPROC : *

GRAC_LDSCP : *

GRAC_RLSEN*

GRAC_RLTYP *

GRAC_ROLE *

GRAC_ROLEP

ACTVT :78

GRAC_BPROC : *

GRAC_OUNIT: *

GRAC_RLTYP: *

GRAC_ROLE: *

GRAC_SYSID: *

GRAC_SYS

ACTVT :01

GRAC_APPTY : *

GRAC_ENVRM : *

GRAC_SYSID: *

Authorization Objects

Field Names

Values

GRAC_REQ

ACTVT :1

GRAC_BPROC *

GRAC_FNCAR *

GRAC_RQFOR*

GRAC_RQINF*

GRAC_RQTYP : 001, 002, 003, 004, 005

S_USER_GRP

Activity: 03

CLASS

* OR AS required

Authorization Objects

Field Names

Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

S_RFC

 

Activity: 16

RFC_NAME

MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST, {Custom BAPI Name}

Note
Based on the options configured in the UI, select one of the following options:

  • RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module.

  • /SAILPOIN/SAIL_READ_TABLE_LEG

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier.

  • /SAILPOIN/SAIL_READ_TABLE

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later.

Note
If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.

RFC_TYPE

FUGR, FUNC

S_TABU_NAM

Activity: 03

TABLE

GRACUSER, GRACUSERCONN

GRACUSERPROFILE, GRACUSERROLE, GRACRLCONN, GRACROLE, GRACRLUARELAT, GRACRLCOMPRL
Authorization Objects Field Names

S_SERVICE

SRV_NAME (Select * or select the technical names of the following web service configured in SAP GRC)

  • User access web service

  • Request details web service

  • Risk analysis web service

  • Audit log web service

SRV_TYPE: WS

GRAC_RA

  • Activity: Administrator

  • Object types for Authorization: User, Role, and Profile

  • Risk Analysis Mode: All values or *

  • Report Type: All values or *

GRAC_SYS

  • Activity: 01

  • Application Type: 001 (SAP)

  • SYSTEM Environment: Select the environment in use, such as Development, Production, or Test

  • Connector ID: * or select the connector ID configured on SAP GRC

IAG Bridge Required Permissions

Apart from existing GRC permissions, the following permission is required:

S_TABU_NAM

Activity: 03

TABLE

 

GRFNCCICONNECTOR

Note
For the cloud Target Connector, the supported connector types are: IAG, and IAG_GRP.