Transaction - Required SAP Authorizations

Summary

Winshuttle Transaction fully protects SAP® security features. Under no circumstances can Transaction override the SAP authorization restrictions you are bound to. This document can help you and your security team understand the SAP authorizations required to work with Transaction. In most cases, these SAP authorizations are already in place. However, if you have tried Transaction but cannot use it, or if you are seeing error messages, this document will help you address the issue.

Customers running SAP with Basis level 700 Support Pack stack 24 or higher will need to implement the custom Winshuttle Function Module for Non-Batch recording modes to work.

Transaction Authorization via SAP GUI:

Transaction cannot run a transaction if you cannot run that transaction in the SAP GUI. If you do not have access to a particular transaction, please obtain authorization for it before you record or run that transaction in Transaction.

Remote Function Calls (RFC) Authorization:

Transaction makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with Transaction.

For the S_RFC Authorization Object

• Field RFC_TYPE Value FUGR (function group)

• Field ACTVT Value 16 (execute) or *

• Field RFC_NAME

The following values are required for running shuttle files: SYST, SRFC, SUSR, RFC1, RFCH, SBDC, ATSV, STTF, SDTX

The following additional values are required for recording shuttle files: SBDR, SCAT, STTM, SDTX

The following values are required to use document attachment: BDS_BAPI

Additionally, document attachment requires access to authorization object S_BDS_DS with all values except lock and delete.

The following value is required to use SAP List of Values (F4) with forms: SWFMOD_Workflow

To check whether a user is authorized to use a given remote-enabled function module (rFM), Transaction validates that the user has EXECUTE (16) permission on the function group. When a function module executes, it also accesses the structures defined in its function group, so authorization for the function group is needed.

The Authority_Check rFM validates whether the user is authorized to use the Function Module of a given Function Group.
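
The following is an added example, not Winshuttle or SAP code: a small audit check that reports which of the function groups listed above a user's S_RFC authorizations do not cover, and which wildcard grants go beyond that list. The data layout (one dictionary per authorization, field name to list of values) and the sample user are constructed for illustration, and value matching is simplified to exact values and trailing-* prefixes.

```python
# Added example: not Winshuttle or SAP code. Required values are copied from this page.
REQUIRED_RFC_GROUPS = {
    "run": ["SYST", "SRFC", "SUSR", "RFC1", "RFCH", "SBDC", "ATSV", "STTF", "SDTX"],
    "record": ["SBDR", "SCAT", "STTM", "SDTX"],  # needed in addition to "run"
    "attachment": ["BDS_BAPI"],
}

def value_matches(granted, wanted):
    """Exact value, full wildcard '*', or a trailing-'*' prefix (ranges not modelled)."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted

def authorization_allows(auth, wanted):
    """Every field must match within the SAME authorization; an empty field grants nothing."""
    return all(any(value_matches(g, value) for g in auth.get(field, []))
               for field, value in wanted.items())

def missing_rfc_groups(authorizations, capability):
    """Function groups from the page's list that no S_RFC authorization lets the user execute."""
    missing = []
    for group in REQUIRED_RFC_GROUPS[capability]:
        wanted = {"RFC_TYPE": "FUGR", "ACTVT": "16", "RFC_NAME": group}
        if not any(authorization_allows(a, wanted) for a in authorizations):
            missing.append(group)
    return missing

def broad_grants(authorizations):
    """Wildcard RFC_NAME values, which grant more than the groups the page lists."""
    return sorted({v for a in authorizations for v in a.get("RFC_NAME", []) if v.endswith("*")})

# Constructed sample: one user's S_RFC authorizations as field -> list of values.
SAMPLE_S_RFC = [
    {"RFC_TYPE": ["FUGR"], "ACTVT": ["16"],
     "RFC_NAME": ["SYST", "SRFC", "SUSR", "RFC1", "RFCH", "SBDC", "ATSV", "SDTX"]},
    {"RFC_TYPE": ["FUGR"], "ACTVT": [], "RFC_NAME": ["STTF"]},   # ACTVT left unmaintained
    {"RFC_TYPE": ["FUGR"], "ACTVT": ["*"], "RFC_NAME": ["SBD*"]},  # covers SBDC and SBDR
]

if __name__ == "__main__":
    for capability in REQUIRED_RFC_GROUPS:
        print(capability, "missing:", missing_rfc_groups(SAMPLE_S_RFC, capability))
    print("wildcard RFC_NAME grants to review:", broad_grants(SAMPLE_S_RFC))
```

In the sample, STTF is reported as missing for running even though it appears in RFC_NAME, because the authorization that names it has no ACTVT value; fields are evaluated together within one authorization, not across several.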

Table Level Authorizations:

Transaction can get logs, extended comments, field descriptions, and messages during the debug process. For this, the user must have access to certain tables. Table level access is controlled by authorization object S_TABU_DIS. Transaction needs access to the following tables: T100, TFDIR, DD03L, DD04L, TSTCT, D020T, and DD03M. To enable this access, please set up the following authorization:

Authorization Object: S_TABU_DIS

Field Authorization Group (DICBERCLS) = SS, &NC&

Field Activity (ACTVT) = 03 (Display only)

GUI Scripting Authorizations:

In addition to RFC calls, Transaction also provides access to the SAP system using the SAP GUI Scripting mode. To check whether GUI scripting is enabled, look at the right end of the SAP GUI status bar.

If you see the barber-pole icon on your status bar, GUI scripting is enabled.

If you do not see the icon, ask your security team to enable GUI scripting. To enable SAP GUI scripting on the SAP server, the administrator must use transaction RZ11 to set the profile parameter sapgui/user_scripting to TRUE on the application server. See OSS note 480149 for specific information.

Additionally, please enable scripting on the SAPGUI front-end as follows:

  1. Open the Options dialog box from the main GUI screen.

  2. Select the Scripting tab, and select the Enable Scripting check box.

SAP Authorizations Table

| Function Group | Instance | Mode | Description |
|---|---|---|---|
| SBDC | Run, Run-Step-by-step | Batch | |
| | Record | GUI Scripting for Ep Portal | |
| | Run | GUI Scripting for Ep Portal | |
| ATSV | Run | Batch mode | |
| SUSR | Record | | |
| | Run | | |
| SBDR | Record | Batch | |
| | Record | Non-Batch without controls | |
| | Record | Non-Batch with controls | |
| STTM | Record | Non-Batch with controls | |
| SCAT | Record | Non-Batch with controls | |
| STTF | Run | Non-Batch with controls | |
| | Run | Non-Batch without controls | |
| RFC1 | Record | ALL | Check presence of FMs before calling them |
| | Run | ALL | |
| RFC1 | Run | Non-Batch | |
| SDTX | Record | ALL | |
| | Run | ALL | |
| RHF4 | None | None | Addin F4 Help |
| /winshtl/txafugr | Record | ALL | Existence is checked first; called only if present |
| | Run | ALL | |
| /winshtl/txufugr | Record | ALL | Existence is checked first; called only if present |
| | Run | ALL | |
| SYST | Logon | | |
| SRFC | | | |
| RFCH | | | |

| Table | Instance | Mode | Comments |
|---|---|---|---|
| TSTCT | Record | ALL except GUI Scripting | Description of transaction code |
| D020T | Record | ALL except GUI Scripting | |
| DD03M | Record | ALL | |
| TFDIR | Run-Step-by-step mode | ALL | Called for SAP Release less than 45 |
| T100 | Run | ALL except GUI Scripting | |
| | Run | BAPI with Extended Log | |