Required Permissions

Warning
The RFC_READ_TABLE integration function module is deprecated as of January 2023. All enhancements and fixes after this date are only supported on the SailPoint ABAP Function Module. For more information, refer to the announcement post. For more information on configuration, refer to SailPoint Add-On to replace the use of RFC_READ_TABLE.

The following table lists the required permissions for the specific operations mentioned in this section:

Operation	Required Permissions
Test Connection	Test Connection
Account Aggregation	Test Connection and Account Aggregation
Delta Aggregation	Test Connection, Account Aggregation, and Delta Aggregation
Provisioning Rule	Test Connection, Account Aggregation, and Provisioning Rule Permissions

The role assigned to the SAP Administrative user must have the authorization objects as mentioned in the following tables.

Permissions by Operation

Test Connection

Authorization Objects	Field Name	Field Description	Field Value
S_RFC	ACTVT	Activity	16-Execute
	RFC_NAME	Name of RFC object	RFCPING
	RFC_TYPE	Type of RFC object	FUGR, FUNC

Account Aggregation

Authorization Objects	Field name	Field description	Field value
S_RFC	Activity: 16 RFC_NAME	Name of RFC object	0PBAPI0105, BAPI_ADDRESSEMPGETDETAILEDLIST, BAPI_EMPLCOMM_GETDETAILEDLIST, BAPI_EMPLOYEE_GETDATA, BAPI_EMPLOYEE_GETLIST, BAPI_PERSDATA_GETLIST, MSS_GET_SY_DATE_TIME, BAPI_PERSDATA_GETDETAIL, RFC_READ_TABLE, SMSSDATA1, PERS,PADR,RFC_GET_FUNCTION_INTERFACE, DDIF_FIELDINFO_GET, BAPI_COMPANYCODE_GETDETAIL, 0002, RFC_METADATA_GET Note Based on the option selected in the Connections > Function Module Configuration > Name dropdown, select one of the following options. RFC_READ_TABLE Note SailPoint will continue to support the RFC_READ_TABLE in accordance with our depreciation policies. SailPoint recommends that you start planning to move to use SailPoint's Function Module. /SAILPOIN/SAIL_READ_TABLE_LEG Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 740, Support Package 08, up to BASIS 750. /SAILPOIN/SAIL_READ_TABLE Add this permission to use SailPoint’s Function Module over RFC_READ_TABLE if your SAP_BASIS version is 751 and later. Note /SAILPOIN/SAIL_READ_TABLE_LEG and /SAILPOIN/SAIL_READ_TABLE fully replace the RFC_READ_TABLE module. Update the service account permissions to configure the function module in your SAP environment. You do not have to assign permissions for RFC_READ_TABLE once you configure it for /SAILPOIN/SAIL_READ_TABLE_LEG or /SAILPOIN/SAIL_READ_TABLE. For more information, refer to SailPoint Add-On to Replace the Use of RFC_READ_TABLE.
S_TABU_DIS	ACTVT	Activity	03 Display
S_TABU_DIS	DICBERCLS	DICBERCLS	FC01
S_TABU_NAM	ACTVT	Activity	03 Display
S_TABU_NAM	TABLE Name	TABLE	HRP1001, HRP1000, PA0000, PA0001, PA0002 T530T, T529T - Only add these table names if you want to populate the following account schema attributes: Infotype0000 (for older SAP HR sources) Infotype0000JSON (for recently set up SAP HR sources) PA0006, PA0105 - Add these tables if the Delta Aggregation Enabled checkbox is selected.
P_Orgin	AUTHC	Authorization Level	R
	INFTY	INFOTYPE	0001, 0002, 0003, 0006, 0032, 0105
	PERSA	Personal area	(Depending on the organizational area you have assigned to user while creating)
	PERSG	Employee group	(Depending on the organizational area you have assigned to user while creating)
	SUBTYPE	SUBTY	' * ' - If you want to get data for all the subtypes. If you want to get data for specific info types, then add specific subtypes as per data in your environment. For example: For Addresses (Infotype 0006) add subtype - 1,2,3,4,5,6 For Communication (Infotype 0105) add subtype - 0001,0010, 0020, 0030
	PERSK	Employee subgroup	(Depending on the organizational area you have assigned to user while creating)
	VDSK1	Organization Key	(Depending on the organizational area you have assigned to user while creating)

Provisioning Rule Permissions

The administrator permissions mentioned in the following table are only applicable to the provisioning operations specified in the Example SAP HRMS Modify Rule (email, phone number, and system user name) rule.

Authorization Objects	Field name	Field description	Field value
S_RFC	RFC_NAME	Name of RFC object	RFC1, 1065, BAPI_EMPLOYEE_ENQUEU, SYSU, SYSTEM_RESET_RFC_SERVER, SDIFRUNTIME, BAPI_EMPLCOMM_CHANGE, BAPI_EMPLCOMM_CREATE
P_Orgin	AUTHC	Authorization Level	E, S, W

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.

Required Permissions

Permissions by Operation

Documentation Feedback