Required Permissions

The following table lists the required permissions for the specific operations mentioned below:

Operation

Required Permissions

Access Management - Test Connection

Test Connection

Access Management - Account Aggregation

Test Connection and Account Aggregation

Access Management - Group Aggregation

Test Connection and Required Permissions

Access Management - Provisioning

Test Connection, Account Aggregation, Required Permissions, and Provisioning

The SAP GRC account must have the following Authorization Objects assigned to it:

Note
Asterisks (*) indicate required values.

Authorization Objects

Field Names

Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES

GRAC_USER_ACCESS_WS

GRAC_ROLE_DETAILS_WS

GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

S_RFC

 

Activity: 16

RFC_NAME

RFCPING

RFC TYPE

FUGR, FUNC

Authorization Objects

Field Names

Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES,
GRAC_USER_ACCESS_WS,
GRAC_ROLE_DETAILS_WS,
GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

 

S_RFC

 

Activity: 16

RFC_NAME

MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST

Note
Based on the options configured in the UI, select one of the following options:

  • RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module.

  • /SAILPOIN/SAIL_READ_TABLE_LEG

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 740, Support Package 08, up to BASIS 750.

  • /SAILPOIN/SAIL_READ_TABLE

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later.

Note
If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.

RFC_TYPE

FUGR, FUNC, GRACUSER, GRACUSERCONN

S_TABU_NAM

Activity: 03

TABLE

GRACUSERPROFILE, GRACUSERROLE, GRACUSERSOURCE, GRACRLCONN, GRACROLE, GRACRLCUARELAT, GRACRLCOMPRL, CVERS, PRDVERS

Note
For SAP GRC AC12 SP19 and above versions, additional permissions for the GRACUSERSOURCE table are required.

Authorization Objects

Field Names

Field Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES

GRAC_USER_ACCESS_WS

GRAC_ROLE_DETAILS_WS

GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

S_RFC

 

Activity: 16

RFC_NAME

MSS_GET_SY_DATE_TIME

RFCPING

RFC_GET_FUNCTION_INTERFACE

RFC_METADATA_GET

SDTX

SYST

Note
Based on the options configured in the UI, select one of the following options:

  • RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module.

  • /SAILPOIN/SAIL_READ_TABLE_LEG

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier.

  • /SAILPOIN/SAIL_READ_TABLE

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later.

Note
If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.

RFC_TYPE

FUGR, FUNC

S_TABU_NAM

Activity: 3

TABLE

GRACPROFILE,GRACRLCONN,GRACROLE,

GRACROLERELAT, and GRACRLCOMPRL

GRAC_ROLED

 

GRAC_ACTRD: 03

GRAC_BPROC : * OR AS required

GRAC_LDSCP : * OR AS required

GRAC_RLSEN* OR AS required

GRAC_RLTYP * OR AS required

GRAC_ROLE * OR AS required

GRAC_ROLEP

ACTVT :78

GRAC_BPROC : * OR AS required

GRAC_OUNIT: * OR AS required

GRAC_RLTYP: * OR AS required

GRAC_ROLE: * OR AS required

GRAC_SYSID: * OR AS required

GRAC_SYS

ACTVT :01

GRAC_APPTY : * OR AS required

GRAC_ENVRM : * OR AS required

GRAC_SYSID: * OR AS required

Authorization Objects

Field Names

Values

GRAC_REQ

ACTVT :1

GRAC_BPROC * OR AS required

GRAC_FNCAR * OR AS required

GRAC_RQFOR* OR AS required

GRAC_RQINF* OR AS required

GRAC_RQTYP : 001, 002, 003, 004, 005

S_USER_GRP

Activity: 03

CLASS

* OR AS required

Authorization Objects

Field Names

Values

S_SERVICE

 

SRV_NAME

GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS

SRV_TYPE

WS

S_RFC

 

Activity: 16

RFC_NAME

MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST, {Custom BAPI Name}

Note
Based on the options configured in the UI, select one of the following options:

  • RFC_READ_TABLE

    Note
    SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module.

  • /SAILPOIN/SAIL_READ_TABLE_LEG

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier.

  • /SAILPOIN/SAIL_READ_TABLE

    Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later.

Note
If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.

RFC_TYPE

FUGR, FUNC

S_TABU_NAM

Activity: 03

TABLE

GRACUSER, GRACUSERCONN

GRACUSERPROFILE, GRACUSERROLE, GRACRLCONN, GRACROLE, GRACRLUARELAT, GRACRLCOMPRL

IAG Bridge Required Permissions

Apart from existing GRC permissions, the following permission is required:

S_TABU_NAM

Activity: 03

TABLE

 

GRFNCCICONNECTOR

Note
For the cloud Target Connector, the supported connector types are: IAG, and IAG_GRP.