Create a New User and SAP Role with Minimum Rights for Administration
To set the minimum authorization that a user needs to administer an SAP system from CA Identity Manager, you must create a new SAP role.
Note: If you are administering a CUA environment, see the notes on CUA below.
To create a new user with an SAP role with minimum rights to administer SAP:
- Create a new communications user with no authorizations.
- Create a new authorization role by using transaction PFCG.
- On the descriptions tab, enter a meaningful description.
- On the menu tab, copy the "Tools>Administration>User Maintenance" menu by selecting 'copy menus>from the SAP menu'.
- Select the 'Change Authorization Data' button on the Authorizations tab:
- Do not assign the role an organizational level.
- Manually add the authorizations S_RFC and S_TABU_DIS.
- Assign the full authorization for all trees by setting the authorization fields to '*'. All authorizations must be active (green light) before proceeding.
- If necessary, drill down and manually set the 'Human Resources>Personnel Planning>Personnel Planning>Plan Version' to full authorization, '*'.
- Generate the profile.
- On the user tab, add the user ID of the previously created communications user and then perform a 'user comparison' to immediately assign the authorizations to the account.
Notes for SAP CUA
- You should perform the above steps on the CUA master system only.
- The communications user must be added to the CUA master system (Maintain User Properties>System Tab) before completing a user comparison during role creation.