Required Permissions

This document describes the permissions required for users to perform operations on the SAP Direct source.

For the SAP Direct source, the service account is an administrative account. The following tables list the permissions associated with different operations on SAP authorization objects. The tables include the SAP fields used to specify the permissions.

The following table lists the required permissions for specific operations:

Note
There are additional permissions for (For Change Password only) For SNC (Secure Network Communication)

Operation

Required Permissions

Test Connection

Test Connection

Account Aggregation

Entitlement Aggregation

Test Connection and Entitlement Aggregation

Note
For Group Aggregation in CUA systems, additional permissions must be executed as specified in the Entitlement Aggregation section.

Delta Aggregation

Test Connection, Account Aggregation and Delta Aggregation

Create Account

Test Connection, Account Aggregation and Create Account

Note
For Create Account in CUA systems or a SNC network, additional permissions must be executed as specified in the Create Account section.

Enable/Disable/Unlock Account

Enable/Disable/Unlock Account, Account Aggregation and Enable/Disable/Unlock Account

Delete Account

Test Connection, Account Aggregation and Delete Account

Add/Remove Entitlement

Test Connection, Account Aggregation and Add/Remove Entitlements

Change Password

Test Connection, Account Aggregation and Change Password

Note
For Change Password in a SNC network, additional permissions must be executed as specified in the Add/Remove Entitlements and Change Password section.

Authorization Object

Field Name

Field Description

Field Value

S_RFC

ACTVT

Activity

16 - Execute

RFC_NAME

Name of RFC object

RFCPING

RFC_TYPE

Type of RFC object

FUGR, FUNC

Note
To open a profile object with blank text when aggregating accounts from SAP Direct version 750 and earlier, you can use the new USR11 admin permission field value in the Table Name field of the S_TABU_NAM Authorization Object.

Authorization Objects

Field Name

Field
Description

Field Value

S_RFC

Activity: 16

RFC_NAME

Name of RFC object

Add the following:

BAPI_USER_GETLIST

BAPI_USER_GET_DETAIL

DDIF_FIELDINFO_GET

MSS_GET_SY_DATE_TIME

RFC_GET_FUNCTION_INTERFACE

SDTX

SMSSDATA1

SU_USER

RFC_METADATA_GET

BAPI_USER_ACTGROUPS_ASSIGN

Based on the options configured in the UI, select one of the three options below:

  • Add this permission:

    RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE in accordance with our depreciation policies. SailPoint recommends that you start planning to move to use SailPoint's Function Module.

  • Add this permission to use SailPoint’s Function Module instead of RFC_READ_TABLE if your SAP_BASIS version is 740, Support Package 08, up to BASIS 750.

    /SAILPOIN/SAIL_READ_TABLE_LEG

  • Add this permission to use SailPoint’s Function Module instead of RFC_READ_TABLE if your SAP_BASIS version is 751 and later.

    /SAILPOIN/SAIL_READ_TABLE

    Note
    If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.

To aggregate Organization Data, add the following:

BAPI_EMPLOYEE_GETDATA

RFC_METADATA

S_TABU_NAM

ACTVT

Activity

03 - Display

Activity: 03

Table Name

Table affected by the operation

Add the following:

USR11

USR06

USR02

TUTYP

TUTYPA

CVERS

PRDVERS

To aggregate Organization Data, add the following:

PA0105

S_USER_GRP

 

ACTVT

Activity

03 - Display

CLASS

User group in user master maintenance

* or specify the Group you want to assign for the user.

For example: SUPER

P_Orgin

(To aggregate Organization data)

AUTH

Authorization Level

R

INFTY

INFOTYPE

0001

PERSA

Personal area

*

PERSG

Employee group

*

SUBTYPE

SUBTY

*

PERSK

Employee subgroup

*

VDSK1

Organization Key

*

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

RFC_NAME

Name of RFC object

Add the following:

BAPI_USER_LOCACTGROUPS_READ

BAPI_USER_LOCPROFILES_READ

Authorization Objects

Field Name

Field Description

Field value

S_RFC

ACTVT

Activity

16-Execute

Activity: 16

RFC_NAME

Name of RFC object

Add the following:

BAPI_HELPVALUES_GET

PRGN_ACTIVITY_GROUPS_LOAD_RFC

PRGN_EXCHANGE

COLL_ACTGROUPS_GET_ACTGROUPS

DDIF_FIELDINFO_GET

MSS_GET_SY_DATE_TIME

PRGN_COLLECTIVE_ACTGROUPS

RFC_GET_FUNCTION_INTERFACE

SDTX

SMSSDATA1

Based on the options configured in the UI, select one of the three options below:

  • Add this permission:

    RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE in accordance with our deprecation policies. SailPoint recommends that you start planning to move to use SailPoint's Function Module.

  • Add this permission if your SAP_BASIS version is 740 Support Package 08 or later:

    /SAILPOIN/SAIL_READ_TABLE_LEG

  • Add this permission to use SailPoint’s Function Module instead of RFC_READ_TABLE if your SAP_BASIS version is 751 and later:

    /SAILPOIN/SAIL_READ_TABLE

Note
If you configure the permissions for SailPoint’s Function Module, then remove the RFC_READ_TABLE value from the S_RFC authorization object.

S_TABU_NAM

Table Name

Table

Roles

AGR_FLAGS, AGR_PROF, AGR_TCODES, AGR_TEXTS

Profiles

AGR_DEFINE, USR11, UST10C, UST10S

To aggregate Authorization Objects associated with a role:

AGR_1251, AGR_1252

Note
If you do not want to aggregate Authorization Objects AGR_1251 and AGR_1252, omit the permissions and remove them from schema.

To aggregate Organization Data and Indirect Roles, add the following:

HRP1000

HRP1001

Note
Group aggregation specific to Authorization Objects are not supported for the SAP CUA system.

Authorization Objects

Field Name

Field Description

Field Value

S_TABU_NAM

Table Name

Table

Profiles

USRSYSPRF

USRSYSPRFT

Roles

USRSYSACTT

USRSYSACT

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

RFC_NAME

Name of RFC object

Add the following:

/SAILPOIN/USR_CHANGE_DOC_USERS

/SAILPOIN/IDENTITYIQ_FUGR

/SAILPOIN/USR_CHANGE_DOC_ROLES

S_TABU_NAM

Table Name

Table affected by the operation

USBAPILINK

S_USER_GRP

ACTVT

Activity

08 - Display change document

Create user with assigned role and profiles.

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

01 - Create or generate

S_RFC

RFC_NAME

Name of RFC object

SDIFRUNTIME

S_USER_SAS

 

 

 

 

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

01 - Create

ACT_GROUP

Role name

* or you can specify role name for which you have assigned

CLASS

User group in user master maintenance

* or specify the Group you want to assign for the user.

For example SUPER

PROFILE

Auth. profile in user master maintenance

* or you can specify Profile for which you have assigned

SUBSYSTEM

Receiving system for central user administration

* or specify the system you are targeting

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

05 - Lock

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

06 - Delete

Authorization Objects

Field Name

Field Description

Field Value

S_RFC

RFC_NAME

Name of RFC object

SDIFRUNTIME

S_USER_SAS

 

 

 

 

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

ACT_GROUP

Role name

* or you can specify role name for which you have assigned

CLASS

User group in user master maintenance

* or specify the Group you want to assign for the user.

For example: SUPER

PROFILE

Authentication profile in user master maintenance

* or you can specify Profile for which you have assigned

SUBSYSTEM

Receiving system for central user administration

* or specify the system you are targeting

S_USER_AGR

 

ACTVT

Activity

02-change

ACT_GROUP

Role Name

* or you can specify role name for which you want to provide access

S_USER_PRO

 

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

PROFILE

Auth. profile

* or you can specify profile name for which you want to provide access

S_USER_GRP

 

ACTVT

Activity

Add the following:

22 - Enter

Include

Assign

78 - Assign

CLASS

User group in user master maintenance

* or specify the group you want to assign or remove for the user

Authorization Objects

Field Name

Field Description

Field Value

S_USER_GRP

ACTVT

Activity

Add the following:

02 - Change

05 - Lock

78 - Assign

Authorization Objects

Field Name

Field Description

Field value

S_USER_GRP

ACTVT

Activity

PP – Set Productive

For more information on table-level permissions, refer to Configuration Table for SAP Direct.

Authorization Objects

Field Name

Field Description

Field value

S_RFC

ACTVT

Activity

16-Execute

RFC_NAME

Name of RFC object

Add the following:

BAPI_EMPLCOMM_CHANGE

BAPI_EMPLCOMM_CREATE

BAPI_EMPLOYEE_ENQUEUE

BAPI_EMPLOYEE_DEQUEUE

BAPI_EMPLOYEE_GETDATA

BAPI_EMPLOYEE_CHECKEXISTENCE

BAPI_EMPLCOMM_GETDETAILEDLIST

P_Orgin

AUTHC

Authorization Level

Add the following:

E

S

W

INFTY

INFOTYPE

0105

PERSA

Personal area

*

PERSG

Employee group

*

SUBTYPE

SUBTY

*

PERSK

Employee subgroup

*

VDSK1

Organization Key

*

S_USER_GROUP

ACTIVITY

Activity

03

CLASS

User group in user master maintenance

*

Refer to the following for information about configuring permissions to aggregate Organization Data: