Query - Required SAP Authorizations

Query - Required SAP Authorizations

Winshuttle Query fully protects SAP® security features. In no circumstances can Query override SAP authorization restrictions you are bound to. This document can help you and your security team understand the SAP authorizations required to work with Query. In most cases, these SAP authorizations are already in place. However, if you have tried Query but cannot use it or if you are seeing error messages then this document will help you address the issue.

Remote Function Calls (RFC) Authorization:

Query makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with Query.

For the S_RFC Authorization Objects:

Table Level Authorizations:

To access a specific table in Query, you need table-level access. Table-level access in SAP is independent of a transaction. For example, you may have access to the transaction MM01 which uses the Material Master table (MARA), but this does not give you automatic access to that table. Table-level access is controlled by the authorization object S_TABU_DIS for client dependent tables and by S_TABU_CLI for client independent tables.

Table Names

  1. DD03L
  2. DD02L
  3. DD27VV
  4. DD17S
  5. DD02T

Authorization Object:

S_TABU_DIS

Fields:

Authorization group (DICBERCLS): &NC&

Activity (ACTVT): 03 (Display)

For example:

Almost every client-dependent table in SAP is assigned to a specific authorization group in the SAP table TDDAT, field CCLASS. For example, the table MARA is assigned to the authorization group MA.

To access Table MARA, authorization group MA must be assigned to your SAP profile in the authorization object S_TABU_DIS as indicated below:

Authorization Object:

S_TABU_DIS

Fields:

Authorization group (DICBERCLS): MA (For table MARA)

Activity (ACTVT): 03 (Display)

Notes