Security for SAP with TDV

This topic describes TDV support for SAP security features. It assumes knowledge of SAP’s security infrastructure.

Required Authorizations
Troubleshooting Security-Related Errors
Custom Security on SAP Tables

Required Authorizations

The following authorizations are required:

To log in to SAP from TDV and introspect BAPIs and RFCs, the following authorization object is required:

Class: AAAB (Cross-application Authorization Objects), Object: S_RFC (Authorization Check for RFC Access)

This object controls access to RFCs by function group. The most restricted configuration of S_RFC is to allow access to only the function groups required by TDV, then add new groups as necessary.

To log in to SAP from TDV, the following function groups are required:

SYST (System interface)

SYSU (RFC resource administration)

SDIFRUNTIME (Interfaces for Type Runtime Objects)

RFC1 (RFC utilities)

To introspect SAP metadata, the following function groups are required:

SEM5 (Generic Browser for ABAP/BOR classes)

SWOR (Runtime System)

SDTX (Desktop Access)

To introspect and query SAP ABAP queries and InfoSets, the following function groups are required in addition to the authorizations above:

AQCF (SAP Query: Catalog functions)

AQRC (SAP Query: Remote query call)

To introspect and query SAP tables, the following authorization object is required in addition to the authorizations above:

Class: BC_A (Basis: Administration), Object: S_TABU_DIS (Table Maintenance)

Troubleshooting Security-Related Errors

Some of the common security-related errors and their remedies are described below.

RFC Authorization
QUERY_TABLE Authorization

RFC Authorization

ERROR: User TESTUSER1 has no RFC authorization for function group SYST.

TDV is logging into SAP with an SAP user that lacks the authorization object S_RFC. Set authorization S_RFC_ALL to grant access to all RFCs, or, for a least-privilege configuration, grant S_RFC for only the function groups listed under Required Authorizations.

S_RFC grants the user permission to introspect and invoke functions. Functions may still fail, however, unless the appropriate authorizations for their parent application are also granted. Depending on the function, application-level authorization errors may be reported in a return code rather than as an exception. For example, if BAPI_COMPANYCODE_GETLIST is invoked without the proper application-level authorization, the MESSAGE field of its RETURN parameter contains:

You do not have authorization to display company codes.

QUERY_TABLE Authorization

ERROR: com.sap.mw.jco.JCO$AbapException: (126) NOT_AUTHORIZED: User not authorized to access QUERY_TABLE.

TDV is logging into SAP with an SAP user that lacks the authorization object S_TABU_DIS. Set authorization S_TABU_ALL to allow display of all table classes, or limit access to specific groups of tables using the appropriate authorizations.

Custom Security on SAP Tables

The granularity of access control provided by S_TABU_DIS may be too coarse for some security requirements. For example, SAP administrators may prefer to allow access table by table to TDV users. In this case the authorization check on S_TABU_DIS in RFC_READ_TABLE is insufficient.

TDV supports the ability to call a custom implementation of RFC_READ_TABLE. This is accomplished by editing the data source to set the Table read function and Table row length to match the function name and field size of the custom function. The column names and data types in the custom function must be identical to those in RFC_READ_TABLE.
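The following function module is an added illustration of such a custom implementation; it is not TDV's or SAP's code. It assumes a hypothetical allow-list table ZTDV_TABACL (fields MANDT, UNAME, TABNAME) maintained by the SAP administrator, and a hypothetical function name Z_TDV_READ_TABLE. The interface mirrors RFC_READ_TABLE exactly, so column names, data types and the 512-character row of the DATA table are unchanged, which is the requirement stated above.

```abap
FUNCTION z_tdv_read_table.
*"----------------------------------------------------------------------
*"*"Local Interface (identical to RFC_READ_TABLE):
*"  IMPORTING
*"     VALUE(QUERY_TABLE) TYPE  DD02L-TABNAME
*"     VALUE(DELIMITER)   TYPE  SONV-FLAG DEFAULT SPACE
*"     VALUE(NO_DATA)     TYPE  SONV-FLAG DEFAULT SPACE
*"     VALUE(ROWSKIPS)    TYPE  SOID-ACCNT DEFAULT 0
*"     VALUE(ROWCOUNT)    TYPE  SOID-ACCNT DEFAULT 0
*"  TABLES
*"      OPTIONS STRUCTURE  RFC_DB_OPT
*"      FIELDS  STRUCTURE  RFC_DB_FLD
*"      DATA    STRUCTURE  TAB512
*"  EXCEPTIONS
*"      TABLE_NOT_AVAILABLE
*"      TABLE_WITHOUT_DATA
*"      OPTION_NOT_VALID
*"      FIELD_NOT_VALID
*"      NOT_AUTHORIZED
*"      DATA_BUFFER_EXCEEDED
*"----------------------------------------------------------------------
  " Hypothetical allow-list table ZTDV_TABACL (MANDT, UNAME, TABNAME):
  " one row per (SAP user, table) pair the administrator has approved.
  DATA lv_allowed TYPE dd02l-tabname.

  " Step 1: table-by-table gate keyed on the calling RFC user (sy-uname).
  " It runs before any data is read and is independent of the
  " S_TABU_DIS table class that the requested table belongs to.
  SELECT SINGLE tabname FROM ztdv_tabacl INTO lv_allowed
    WHERE uname   = sy-uname
      AND tabname = query_table.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " Step 2: delegate to the standard function so OPTIONS, FIELDS and DATA
  " keep exactly the layout TDV expects from RFC_READ_TABLE.
  CALL FUNCTION 'RFC_READ_TABLE'
    EXPORTING
      query_table = query_table
      delimiter   = delimiter
      no_data     = no_data
      rowskips    = rowskips
      rowcount    = rowcount
    TABLES
      options     = options
      fields      = fields
      data        = data
    EXCEPTIONS
      table_not_available  = 1
      table_without_data   = 2
      option_not_valid     = 3
      field_not_valid      = 4
      not_authorized       = 5
      data_buffer_exceeded = 6
      OTHERS               = 7.

  " Step 3: surface the standard exceptions unchanged to the RFC caller.
  CASE sy-subrc.
    WHEN 0.
    WHEN 1. RAISE table_not_available.
    WHEN 2. RAISE table_without_data.
    WHEN 3. RAISE option_not_valid.
    WHEN 4. RAISE field_not_valid.
    WHEN 5. RAISE not_authorized.
    WHEN 6. RAISE data_buffer_exceeded.
    WHEN OTHERS. RAISE not_authorized.
  ENDCASE.
ENDFUNCTION.
```

To use it, set the data source's Table read function to Z_TDV_READ_TABLE and Table row length to 512, and grant the TDV user S_RFC for the function group in which the custom module is created. Because the module delegates to RFC_READ_TABLE, that function's own S_TABU_DIS check still applies inside the call, and a user who can reach RFC_READ_TABLE directly is not restricted by the allow-list; the allow-list therefore narrows what TDV reads through this path and complements, rather than replaces, the standard authorization objects.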