Required Permissions

Warning
The RFC_READ_TABLE integration function module is deprecated as of January 2023. All enhancements and fixes after this date are only supported on the SailPoint ABAP Function Module. For more information, refer to the announcement post. For more information on configuration, refer to SailPoint Add-On to replace the use of RFC_READ_TABLE.

The following table lists the required permissions for the specific operations mentioned below:

Operation	Required Permissions
Access Management - Test Connection	Test Connection
Access Management - Account Aggregation	Test Connection and Account Aggregation
Access Management - Group Aggregation	Test Connection and Required Permissions
Access Management - Provisioning	Test Connection, Account Aggregation, Required Permissions, and Provisioning

The SAP GRC account must have the following Authorization Objects assigned to it:

Note
Asterisks (*) indicate required values.

Test Connection

Authorization Objects	Field Names	Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES GRAC_USER_ACCESS_WS GRAC_ROLE_DETAILS_WS GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	RFCPING
S_RFC	RFC TYPE	FUGR, FUNC

Account Aggregation

Authorization Objects	Field Names	Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST Note Based on the options configured in the UI, select one of the following options: RFC_READ_TABLE Note SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module. /SAILPOIN/SAIL_READ_TABLE_LEG Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 740, Support Package 08, up to BASIS 750. /SAILPOIN/SAIL_READ_TABLE Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later. Note If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.
S_RFC	RFC_TYPE	FUGR, FUNC, GRACUSER, GRACUSERCONN
S_TABU_NAM	Activity: 03 TABLE	GRACUSERPROFILE, GRACUSERROLE, GRACUSERSOURCE, GRACRLCONN, GRACROLE, GRACRLCUARELAT, GRACRLCOMPRL, CVERS, PRDVERS Note For SAP GRC AC12 SP19 and above versions, additional permissions for the GRACUSERSOURCE table are required.

Entitlement Aggregation

Authorization Objects	Field Names	Field Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES GRAC_USER_ACCESS_WS GRAC_ROLE_DETAILS_WS GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	MSS_GET_SY_DATE_TIME RFCPING RFC_GET_FUNCTION_INTERFACE RFC_METADATA_GET SDTX SYST Note Based on the options configured in the UI, select one of the following options: RFC_READ_TABLE Note SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module. /SAILPOIN/SAIL_READ_TABLE_LEG Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier. /SAILPOIN/SAIL_READ_TABLE Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later. Note If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.
S_RFC	RFC_TYPE	FUGR, FUNC
S_TABU_NAM	Activity: 3 TABLE	GRACPROFILE,GRACRLCONN,GRACROLE, GRACROLERELAT, and GRACRLCOMPRL
GRAC_ROLED		GRAC_ACTRD: 03 GRAC_BPROC : * OR AS required GRAC_LDSCP : * OR AS required GRAC_RLSEN* OR AS required GRAC_RLTYP * OR AS required GRAC_ROLE * OR AS required
GRAC_ROLEP	ACTVT :78	GRAC_BPROC : * OR AS required GRAC_OUNIT: * OR AS required GRAC_RLTYP: * OR AS required GRAC_ROLE: * OR AS required GRAC_SYSID: * OR AS required
GRAC_SYS	ACTVT :01	GRAC_APPTY : * OR AS required GRAC_ENVRM : * OR AS required GRAC_SYSID: * OR AS required

Provisioning

Authorization Objects	Field Names	Values
GRAC_REQ	ACTVT :1	GRAC_BPROC * OR AS required GRAC_FNCAR * OR AS required GRAC_RQFOR* OR AS required GRAC_RQINF* OR AS required GRAC_RQTYP : 001, 002, 003, 004, 005
S_USER_GRP	Activity: 03 CLASS	* OR AS required

Authorization Objects

Field Names

Values

GRAC_REQ

ACTVT :1

GRAC_BPROC * OR AS required

GRAC_FNCAR * OR AS required

GRAC_RQFOR* OR AS required

GRAC_RQINF* OR AS required

GRAC_RQTYP : 001, 002, 003, 004, 005

S_USER_GRP

Activity: 03

CLASS

* OR AS required

Custom BAPI

Authorization Objects	Field Names	Values
S_SERVICE	SRV_NAME	GRAC_SEARCH_ROLES, GRAC_USER_ACCESS_WS, GRAC_ROLE_DETAILS_WS, GRAC_REQUEST_DETAILS_WS
S_SERVICE	SRV_TYPE	WS
S_RFC	Activity: 16 RFC_NAME	MSS_GET_SY_DATE_TIME, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_METADATA_GET, SDTX, SYST, {Custom BAPI Name} Note Based on the options configured in the UI, select one of the following options: RFC_READ_TABLE Note SailPoint will continue to support the RFC_READ_TABLE as per our deprecation policies. SailPoint highly recommends that you start planning the move to use SailPoint's Function Module. /SAILPOIN/SAIL_READ_TABLE_LEG Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 750 and earlier. /SAILPOIN/SAIL_READ_TABLE Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later. Note If you configure the permissions for SailPoint’s function module then remove RFC_READ_TABLE value from S_RFC authorization object.
S_RFC	RFC_TYPE	FUGR, FUNC
S_TABU_NAM	Activity: 03 TABLE	GRACUSER, GRACUSERCONN GRACUSERPROFILE, GRACUSERROLE, GRACRLCONN, GRACROLE, GRACRLUARELAT, GRACRLCOMPRL

IAG Bridge Required Permissions

Apart from existing GRC permissions, the following permission is required:

S_TABU_NAM

Activity: 03

TABLE

GRFNCCICONNECTOR

Note
For the cloud Target Connector, the supported connector types are: IAG, and IAG_GRP.

FireFighterID Permissions

Following permissions are required for configuring FireFighterID to perform different operations:

Operation	Authorization Objects	Field Names	Values
Account Aggregation	S_TABU_NAM	Activity: 03 TABLE	GRACFFUSER Note This is required for configuring FireFighterID.
Group Aggregation	S_TABU_NAM	Activity: 03 TABLE	GRACFFCTRL GRACFFOBJECT GRACFFOWNER GRACCONFIGSET Note These are required for configuring FireFighterID.
Provisioning	GRAC_FFOWN	ACTVT (All Activities)	GRAC_SYSID GRAC_USER* GRAC_OWN_T (All Values)
Provisioning	GRFN_USER	ACTVT	Display Lock Generate Discard Override Unlock

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here:

Required Permissions

IAG Bridge Required Permissions

FireFighterID Permissions

Documentation Feedback