Automate

RFC_NO_AUTHORITY.  I had to contact our Security team to run a trace on my account; apparently my profile was missing some type of authorization.  He also had to give me access to SE37 in this system as I did not have it.

Are certain authorizations are needed typical when using BAPIs?  I thought that as long as you are authorized to use the t code you would be able to run the BAPI.  I am concerned now that end users may have authorization issues as well.  Anyone have any additional information that would be helpful?

Thanks,
Monica

Hi Monica,

Many BAPIs in SAP are not inherently the same as SAP Transaction codes even though they may be changing/creating similar data. In many cases, they provide much wider access than certain transactions. Because of this, there are typically additional authorizations involved when trying to run Direct scripts using BAPIs. I have found in most cases, these additional authorizations come in the form of RFC authorizations to allow a user to make a remote call to use the BAPI (BAPIs are just standard SAP function modules that users are able to call remotely instead of directly via a transaction - so it should make sense that users need *Remote Function Call* access).

There are standard sets of RFC authorizations that apply to most BAPIs, but I think there can also be some that vary depending on the BAPI/RFM that you are trying to use. I have also created BAPI scripts using BAPI_MATERIAL_SAVEDATA, and can confirm that we also ran into issues with missing RFC authorizations for our end users. I would be surprised if many organizations have robust RFC authorizations built into end user roles - it's typically a process of 'what is the least amount of access we can add to still obtain the functionality we're looking for?'

When I'm looking to see if an end user has specific RFC (or other types) of access, I'll use transaction SU01D to view the roles assigned to their ID. You can copy/paste the roles from that tab into AGR_NAME field in table AGR_1251 using Transaction SE16N. Using OBJECT = S_RFC (or a different value if looking for non-RFC auths), you can see some of the RFC authorizations built into commonly used end-user roles. I've added a screenshot of some common ones that our end-users have. Some are specifically BAPI related, while others are related to other things like SAP GUI remote launch access, etc.

My best piece of advice for navigating BAPI access for end users would be to have your security team create some sort of test ID in a non-production SAP environment that mimics the end-user access you are designing the script for. You can use the test ID yourself when testing the script to see if there are any major access issues.

Since our organization (like most) does not assign * access for RFC authorizations to end users, it can sometimes feel like a constant battle of missing authorizations anytime we try to add new BAPI scripts, but eventually you should have a pretty good set of auths built into end user roles that should cover most commonly used BAPI scripts.

Hopefully this helps, just wanted to provide a few details of our organization's experience. Always happy to answer any questions you might have.

Thanks,
Kyle Stengel

RFC_NO_AUTHORITY.  I had to contact our Security team to run a trace on my account; apparently my profile was missing some type of authorization.  He also had to give me access to SE37 in this system as I did not have it.

Are certain authorizations are needed typical when using BAPIs?  I thought that as long as you are authorized to use the t code you would be able to run the BAPI.  I am concerned now that end users may have authorization issues as well.  Anyone have any additional information that would be helpful?

Thanks,
Monica