-
Title
What rights are required for the 1IM service account connecting to SAP? -
Description
What rights are required for the One Identity Manager (1IM) service account connecting to SAP? -
Resolution
The list of required rights in SAP for 1IM is as follows:
Modules: SAP, SAC, SBW:
- S_TCODE with a minimum of transaction codes SU01, SU53, PFCG
- S_ADDRESS1 with activities 01, 02, 03, 06 and valid address groups (min.“BC01”)
- S_USER_AGR (role maintenance) with activities 02, 03, 22, 78 possibly with restrictions in name ranges (for example “Z*”)
- S_USER_GRP (group maintenance) with activities 02, 03, 22
- S_USER_AUT (authorizations) with activities 03, 08
- S_USER_PRO (profile) with activities 01, 02, 03, 22
- S_USER_SAS (system specific assignments) with activities 01, 06, 22
- S_RFC (authorization check by RFC access) with activity 16 at least for function groups: /VIAENET/ZVI0, /VIAENET/ZVI_L, /VIAENET/Z_HR, SU_USER, SYST, SDTX, RFC1, RFC_METADATA, SDIFRUNTIME, SYSU
- S_TABU_DIS (use of standard tools like SM30 for maintaining tables) with activity 03
Apart from the authorizations listed, the user account has to get all objects from the authorization classes “ZVIH_AUT”, “ZVIA_AUT”, and “ZVIL_AUT” which are installed by the transport package for synchronization, as below:
- ZVIA_AUT (All authority "*")
- ZVIL_AUT (All authority "*")
- ZVIH_AUT (All authority "*")
For the synchronisation of the CUA and below a list of additional rights in the child system:
- S_RFC with the function group SUU6
- S_TCODE with the transaction code SU56
Special additional rights for SAP HCM (Module: SHR):
- The structural profile "ALL" must be assigned to the synchronisation user in the "T77UA" table (OOSB transaction)
- S_RFC (authorization check by RFC access) with activity 16 at least for function groups: PERS, PADR, RH65, RPAI. -
Additional Information
For more information please refer to the Administration Guide for Connecting to SAP R/3.