The permissions necessary for the QuickConnect for SAP service account at run time will be similar, but not identical, to the profile an SAP GUI client requires to perform similar data operations. During initialization of the connection, however, additional permissions are required, especially during Mapping functions, which may run for up to an hour on an SAP system with up to 100,000 employees. It is important to note that the Mapping process requires patience: the system may appear to do nothing while the SAP host processes the data before returning Mapping records.
The recommended best practice is to create an SAP role with least-privileged access rights based on an analysis of the specific implementation's workflow requirements. However, because implementations work with different SAP BAPIs and InfoTypes, One Identity cannot provide an account profile with the least-privileged access necessary for production run time. To derive the required role, the SAP administrator must determine the specific requirements by running an SAP trace after the workflows have been validated in a non-production environment, and then create a run-time SAP profile that supports the customer's workflow requirements. This profile will differ in each implementation depending on the customer's workflow requirements.
The recommended procedure is to grant the QuickConnect for SAP service account SAP_ALL rights in a non-production environment in order to establish the connection, mapping, and workflows. After the workflows have been validated, the SAP administrator should run a trace on the account during run-time operations to define the least-privileged access role that the QC for SAP service account needs for the production implementation.
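The following is an added example of the trace-to-role step described above; it is not One Identity's or SAP's own tooling. It assumes a simplified CSV export of an authorization trace (user, return code, authorization object, and field/value pairs), which is a constructed layout, not the real ST01/STAUTHTRACE format. The authorization objects and field names used in the sample (S_RFC, P_ORGIN, S_TCODE) are real SAP objects; the values are constructed. The script aggregates the successful checks for the service account into a per-object field/value proposal for the least-privileged role, and separately lists the checks that failed, which are the permissions the SAP_ALL phase would have hidden and that need review before production.

```python
"""Derive a least-privilege role proposal from an authorization-trace export.

Assumed (constructed) CSV layout, not the real SAP trace format:
    user,rc,object,fields
where `fields` is "FIELD=VALUE;FIELD=VALUE" and rc 0 means the check passed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample trace for the hypothetical service account QC_SAP_SVC.
SAMPLE_TRACE = """user,rc,object,fields
QC_SAP_SVC,0,S_RFC,RFC_TYPE=FUGR;RFC_NAME=RFC1;ACTVT=16
QC_SAP_SVC,0,S_RFC,RFC_TYPE=FUGR;RFC_NAME=SYST;ACTVT=16
QC_SAP_SVC,0,P_ORGIN,INFTY=0001;SUBTY=*;AUTHC=R;PERSA=*;PERSG=*;PERSK=*;VDSK1=*
QC_SAP_SVC,0,P_ORGIN,INFTY=0002;SUBTY=*;AUTHC=R;PERSA=*;PERSG=*;PERSK=*;VDSK1=*
QC_SAP_SVC,4,P_ORGIN,INFTY=0008;SUBTY=*;AUTHC=R;PERSA=*;PERSG=*;PERSK=*;VDSK1=*
OTHER_USER,0,S_TCODE,TCD=SU01
"""


def parse_trace(text):
    """Parse the CSV export into a list of records with a fields dict."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        fields = dict(kv.split("=", 1) for kv in row["fields"].split(";") if kv)
        records.append({
            "user": row["user"],
            "rc": int(row["rc"]),
            "object": row["object"],
            "fields": fields,
        })
    return records


def derive_role(records, user):
    """Collect every field value the user was successfully checked against.

    Returns {object: {field: sorted list of values}}; this is the candidate
    content of the least-privileged role, limited to one user's activity.
    """
    role = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["user"] != user or rec["rc"] != 0:
            continue
        for field, value in rec["fields"].items():
            role[rec["object"]][field].add(value)
    return {obj: {f: sorted(v) for f, v in fields.items()} for obj, fields in role.items()}


def failed_checks(records, user):
    """Return (object, fields) for checks that did not pass for the user.

    In a non-production run under SAP_ALL these should be empty; any entry
    here after switching to the derived role is a workflow step the role
    does not yet cover.
    """
    return [(r["object"], r["fields"]) for r in records
            if r["user"] == user and r["rc"] != 0]


def render_role(role):
    """Render the proposal as lines an administrator can transfer into PFCG."""
    lines = []
    for obj in sorted(role):
        lines.append(obj)
        for field in sorted(role[obj]):
            lines.append(f"  {field}: {', '.join(role[obj][field])}")
    return lines


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print("\n".join(render_role(derive_role(recs, "QC_SAP_SVC"))))
    for obj, fields in failed_checks(recs, "QC_SAP_SVC"):
        print(f"REVIEW: failed check on {obj} {fields}")
```

Run the trace on the service account only after the workflows have been validated, and run it over a full cycle of the workflows (including Mapping), because a role derived from a partial trace will fail on the first untraced step in production.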