1. Knowledge base
  2. zap Audit
  3. Installation / Preparation

What SAP User Role Access Rights do I need?

At a glance: All the SAP user role authorizations you need to use zap Audit.

The SAP user who will be using zap Audit needs certain SAP access rights. These access rights must allow you to access your SAP System via Remote Function Call (RFC). You need an SAP user with full RFC_READ_TABLE access authorizations.

You can also use a system user (USTYP B in USR02) instead of a dialog user (USTYP A in USR02).

rfc_access_rights

The following access rights should be in place at a minimum:

S_RFC

  • Activity (ACTVT): Execute (16)
  • Name of RFC object (RFC_NAME): BBP_RFC_READ_TABLE, DDIF_FIELDINFO_GET, RFCPING, RFC_GET_FUNCTION_INTERFACE, RFC_READ_TABLE
  • Type of RFC object (RFC_TYPE): Function Module (FUNC)

S_TABU_NAM

  • Activity (ACTVT): Display (03)
  • Table Name (TABLE): *

The field "Table Name (TABLE)" of the object S_TABU_NAM should be set to *, as zap Audit is continuously developed and improved.

A specific listing of the required tables can be downloaded during zap Audit project preparation.

How to set up the user role in SAP?

  1. Use transaction SU01.
  2. Select an SAP-User to edit.
  3. Go to the 'Roles' tab.
  4. Activate the 'Edit' mode (Shift + F7) and select 'change role' or double click the role.
  5. Go to the 'Authorizations' tab.
  6. Click 'Change Authorization Data'. You may also have to press Shift + F7 to activate editing.
  7. In there you can click and edit the function objects.

S_TABU_NAM is not available

If your SAP system does not provide S_TABU_NAM, you can use S_TABU_DIS with activity 'Display' and * for the table authorization group.

Function Module FUNC is not available

Instead please use the function group (FUGR) with the following objects:

  • BBPB for BBP_RFC_READ_TABLE

  • RFC1 for RFC_GET_FUNCTION_INTERFACE

  • SYST for RFCPING

  • SDIFRUNTIME for DDIF_FIELDINFO_GET

  • SDTX for RFC_READ_TABLE

Do you want to use the same user for zap Audit as your normal SAP user?

Please note that if ‘Single Sign-On’ with ‘Active directory’ is activated, it must still be possible for your user to log on to SAP with a password.