|
Winshuttle Transaction fully protects SAP® security features. In no circumstances can Transaction override SAP authorization restrictions you are bound to. This document can help you and your security team to understand the SAP authorization required to work with Transaction. In most cases, these SAP authorizations are already in place. However, if you have tried Transaction but cannot use it or if you are seeing error messages, this document will help you address the issue.
Customers running SAP with Basis level 700 Support Pack stack 24 or higher will need to implement the custom Winshuttle Function Module for Non-Batch recording modes to work.
Transaction cannot run a transaction if you cannot run that transaction in the SAP GUI. If you do not have access to a particular transaction, please obtain authorization for it before you record or run that transaction in Transaction.
Transaction makes RFC calls to SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with Transaction.
• Field RFC_TYPE Value FUGR (function group)
• Field ACTVT Value 16 (execute) or *
• Field RFC_NAME
The following values are required for running shuttle files: SYST, SRFC, SUSR, RFC1, RFCH, SBDC, ATSV, STTF, SDTX
The following additional values are required for recording shuttle files: SBDR, SCAT, STTM, SDTX
The following values are required to use document attachment: BDS_BAPI
Additionally, it requires access to object S_BDS_DS with all values except lock and delete.
The following value is required to use SAP List of Values (F4) with forms: SWFMOD_Workflow
To check if a user is authorized to use a given rFM, Transaction validates if the user has EXECUTE(16) permission on the Function Group. Accordingly, when a given Function Module executes, it accesses the structures defined in the Function group too, so authorization for the Function Group is needed.
The Authority_Check rFM validates whether the user is authorized to use the Function Module of a given Function Group.
Transaction can get logs, extended comments, field descriptions, and messages during the debug process. For this, the user must have access to certain tables. Table level access is controlled by authorization object S_TABU_DIS. Transaction needs access to the following tables: T100, TFDIR, DD03L, DD04L, TSTCT, D020T, and DD03M. To enable this access, please set up the following authorization:
Authorization Object: S_TABU_DIS
Field Authorization Group (DICBERCLS) = SS, &NC&
Field Activity (ACTVT) = 03 (Display only)
In addition to RFC calls, Transaction also provides access to the SAP system using the SAP GUI Scripting mode. To check whether GUI scripting is enabled, look on the right-end of the SAP GUI status bar.
If you see the barber-pole icon on your status bar, GUI scripting is enabled.
If you do not see the icon, ask your security team to use the RZ11 transaction to enable GUI scripting. To enable SAP GUI scripting on the SAP server, the administrator must set the profile parameter sapgui/user_scripting to TRUE on the application server. To enable this parameter, run transaction RZ11. See OSS note 480149 for specific information.
Additionally, please enable scripting on the SAPGUI front-end as follows:
Function Group |
Instance |
Mode |
Description |
SBDC |
Run Run- Step-by-step |
Batch |
|
|
Record |
GUI Scripting for Ep Portal |
|
|
Run |
GUI Scripting for Ep Portal |
|
ATSV |
Run |
Batch mode |
|
SUSR |
Record |
|
|
|
Run |
|
|
SBDR |
Record |
Batch |
|
|
Record |
Non-Batch without controls |
|
|
Record |
Non-Batch with controls |
|
STTM |
Record |
Non-Batch with controls |
|
SCAT |
Record |
Non-Batch with controls |
|
STTF |
Run |
Non-Batch with controls |
|
|
Run |
Non-Batch without controls |
|
RFC1 |
Record |
ALL |
Check Presence of FMs before calling them |
|
Run |
ALL |
|
RFC1 |
Run |
Non-Batch |
|
SDTX |
Record |
ALL |
|
|
Run |
ALL |
|
RHF4 |
None |
None |
Addin F4 Help |
/winshtl/txafugr |
Record |
ALL |
First their existence checked and then only called |
|
Run |
ALL |
|
/winshtl/txufugr |
Record |
ALL |
First their existence checked and then only called |
|
Run |
ALL |
|
SYST |
Logon |
|
|
SRFC |
|
|
|
RFCH |
|
|
|
|
|
|
|
Table |
Instance |
Mode |
Comments |
TSTCT |
Record |
ALL except GUI Scripting |
Description of transaction code |
D020T |
Record |
ALL except GUI Scripting |
|
DD03M |
Record |
ALL |
|
TFDIR |
Run-Step-by-step mode |
ALL |
Called for SAP Release less than 45 |
T100 |
Run |
ALL except GUI Scripting |
|
|
Run |
BAPI with Extended Log |
|