Required Permissions

The following table lists the required permissions for the specific operations mentioned below:

Operation	Required Permissions
Access Management - Test Connection	Test Connection
Access Management - Account Aggregation	Test Connection and Account Aggregation
Access Management - Group Aggregation	Test Connection and Group Aggregation
Access Management - Provisioning	Test Connection, Account Aggregation, Group Aggregation, and Provisioning
Risk Analysis	Risk Analysis
Custom BAPI	Custom BAPI
Risk Management	Risk Management

The SAP GRC account must have the following Authorization Objects assigned to it:

Note
Asterisks (*) indicate required values.

Risk Analysis

Authorization Objects	Field Names
S_SERVICE	SRV_NAME (Select * or select Technical names of the following web service configured in SAP GRC) User access Webservice Request details Webservice Risk analysis Webservice Audit log Webservice SRV_TYPE: WS
GRAC_RA	Activity: Administrator Object types for Authorization: User, Role, and Profile Risk Analysis Mode: All values or * Report Type: All values or *
GRAC_SYS	Activity: 01 Application Type: 001 (SAP) SYSTEM Environment: Select the environment in use, that is, Development, Production, or Test Connector ID: * or select the connector ID configured on SAP GRC
GRAC_REQ	Activity: 01 Request Type: 001,002 Business Process: * Functional Area: * Request for single or multiple: All values or * Request Information: All values or *
GRAC_ROLED	Activity: 03 Business Process: * Connector Group: * or select the connector group configured on SAP GRC Role Sensitivity: 000 Role Type: BUS, COM, CUA, PRF, and SIN Role Name: * or provide the required value

Test Connection

Authorization Objects	Field Names	Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES GRAC_USER_ACCESS_WS GRAC_ROLE_DETAILS_WS GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	RFCPING
S_RFC	RFC TYPE	FUGR, FUNC

Account Aggregation

Authorization Objects	Field Names	Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST Note Based on the options configured in the UI, select one of the following options: RFC_READ_TABLE Note SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module. /SAILPOIN/SAIL_READ_TABLE_LEG Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 740, Support Package 08, up to BASIS 750. /SAILPOIN/SAIL_READ_TABLE Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later. Note If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.
S_RFC	RFC_TYPE	FUGR, FUNC, GRACUSER, GRACUSERCONN
S_TABU_NAM	Activity: 03 TABLE	GRACUSERPROFILE, GRACUSERROLE, GRACUSERSOURCE, GRACRLCONN, GRACROLE, GRACRLCUARELAT, GRACRLCOMPRL, CVERS, PRDVERS Note For SAP GRC AC12 SP19 and above versions, additional permissions for the GRACUSERSOURCE table are required.

Group Aggregation

Authorization Objects	Field Names	Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	MSS_GET_SY_DATE_TIME RFCPING RFC_GET_FUNCTION_INTERFACE RFC_METADATA_GET SDTX SYST Note Based on the options configured in the UI, select one of the following options: RFC_READ_TABLE Note SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module. /SAILPOIN/SAIL_READ_TABLE_LEG Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier. /SAILPOIN/SAIL_READ_TABLE Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later. Note If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.
S_RFC	RFC_TYPE	FUGR, FUNC
S_TABU_NAM	Activity: 3 TABLE	GRACRLCONN, GRACROLE (Only applicable when the `Associated Child Roles` attribute is peresent in the Group Schema) GRACROLERELAT, GRACRLCOMPRL
GRAC_ROLED		GRAC_ACTRD :03 GRAC_BPROC : * GRAC_LDSCP : * GRAC_RLSEN* GRAC_RLTYP * GRAC_ROLE *
GRAC_ROLEP	ACTVT :78	GRAC_BPROC : * GRAC_OUNIT: * GRAC_RLTYP: * GRAC_ROLE: * GRAC_SYSID: *
GRAC_SYS	ACTVT :01	GRAC_APPTY : * GRAC_ENVRM : * GRAC_SYSID: *

Provisioning

Authorization Objects	Field Names	Values
GRAC_REQ	ACTVT :1	GRAC_BPROC * GRAC_FNCAR * GRAC_RQFOR* GRAC_RQINF* GRAC_RQTYP : 001, 002, 003, 004, 005
S_USER_GRP	Activity: 03 CLASS	* OR AS required

Authorization Objects

Field Names

Values

GRAC_REQ

ACTVT :1

GRAC_BPROC *

GRAC_FNCAR *

GRAC_RQFOR*

GRAC_RQINF*

GRAC_RQTYP : 001, 002, 003, 004, 005

S_USER_GRP

Activity: 03

CLASS

* OR AS required

Custom BAPI

Authorization Objects	Field Names	Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST, {Custom BAPI Name} Note Based on the options configured in the UI, select one of the following options: RFC_READ_TABLE Note SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module. /SAILPOIN/SAIL_READ_TABLE_LEG Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier. /SAILPOIN/SAIL_READ_TABLE Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later. Note If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.
S_RFC	RFC_TYPE	FUGR, FUNC
S_TABU_NAM	Activity: 03 TABLE	GRACUSER, GRACUSERCONN GRACUSERPROFILE, GRACUSERROLE, GRACRLCONN, GRACROLE, GRACRLUARELAT, GRACRLCOMPRL

Risk Management

Authorization Objects	Field Names
S_SERVICE	SRV_NAME (Select * or select the technical names of the following web service configured in SAP GRC) User access web service Request details web service Risk analysis web service Audit log web service SRV_TYPE: WS
GRAC_RA	Activity: Administrator Object types for Authorization: User, Role, and Profile Risk Analysis Mode: All values or * Report Type: All values or *
GRAC_SYS	Activity: 01 Application Type: 001 (SAP) SYSTEM Environment: Select the environment in use, such as Development, Production, or Test Connector ID: * or select the connector ID configured on SAP GRC

Authorization Objects

Field Names

S_SERVICE

SRV_NAME (Select * or select the technical names of the following web service configured in SAP GRC)

User access web service
Request details web service
Risk analysis web service
Audit log web service

SRV_TYPE: WS

GRAC_RA

Activity: Administrator
Object types for Authorization: User, Role, and Profile
Risk Analysis Mode: All values or *
Report Type: All values or *

GRAC_SYS

Activity: 01
Application Type: 001 (SAP)
SYSTEM Environment: Select the environment in use, such as Development, Production, or Test
Connector ID: * or select the connector ID configured on SAP GRC

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here:

Required Permissions

Documentation Feedback