# Create a Workato integration user in SAP

Creating a Workato integration user in Sap consists of the following steps:

  1. Create a new user in SAP using SU01
  2. Activate your newly-created Workato user
  3. Create a Workato Integration Role using PFCG
  4. Link your user to your newly-created role

# Create a new user in SAP using SU01

To begin, you must first create a user in your SAP system which is dedicated to Workato. This user is used later on with the minimum required permissions to run your integrations.

RECOMMENDED USER TYPE

We recommend you use the Communication user type in SAP. This is reserved by SAP for dialog-free communication between systems (through RFC) and does not provide GUI access.

1

In t-code SU01, give the new user a name that is relevant to Workato. In the following example, we have named the user WORKATO_INT.

2

When creating a user, you must provide mandatory fields like Last name and password. These are located in the Address and Logon Data tab respectively.

Create new user

USER PERMISSIONS

This user's permission dictates which RFCs Workato can run and which IDocs Workato can send and receive.


# Activate your newly-created Workato user

After creating your new user, you must login to SAP change the password to productive (If you are using 'Dialog' user type). Take note of both the password and the username as they're required to set up your OPA in Workato.


# Create a Workato Integration Role using PFCG

Assign a role to this newly-created user. This role grants access to specific objects in your SAP system. This guide demonstrates how to configure the minimum authorizations required to connect to SAP from Workato.

USER PERMISSIONS

These instructions do not include authorizations required to run any RFCs, receive IDocs, and send any IDocs required for the connector, but they are the set of base authorizations required to establish a connection and fetch IDoc and RFC metadata. Additionally, to determine the permissions required to run actions and triggers for IDoc in Workato, please refer to the minimum permissions section of this guide.

1

Navigate to t-code PFCG and type in the role to assign to this Workato user. In our example, we have name the role Z_MIN_AUTH_ROLE_WORKATO.

2

Select the Single role button after providing your chosen name.

Create new role in PFCG

3

Give your new role a description.

4

Navigate to the Authorizations tab. Generate a profile by selecting the button next to the Profile Name input field.

5

After the profile is generated, select Change Authorization Data. You must assign the following permissions. These permissions help the Workato connector with Authentication and reading metadata from your SAP system. Assign permissions by maintaining the role manually with the button located in the top section of the interface.

Summary of authorization objects to be added
S_RFC
Required to authorize Workato to call certain function groups and modules. (Also, responsible for establishing basic connection with Workato)
S_TABU_DIS
Determines which group of tables using authorization groups users can access.
S_TABU_NAM
Determines which exact table(s) users can access. This authorization object permits users to access a specific table within an authorization group that they otherwise cannot access.
Authorization Field Values for S_RFC Object
Required for Basic Connection
RFC_NAME
Name of RFC object
Values:
  • EDIMEXT
  • RFC_METADATA
  • SDTX
  • SVRZ
  • SYST
  • OCS_CRM
  • RFC1 (For Older Enhancement Packages in SAP ERP)
ACTVT
Activity
Values:
  • 16
RFC_TYPE
Type of RFC Object
Values:
  • FUGR
Required for further Connector Operations (RFC, IDoc)
RFC_NAME
Name of RFC object
Values:
  • SDIFRUNTIME
  • RFC2
  • ARFC (Only required if sending IDocs)
  • EDIN (Only required if sending IDocs)
ACTVT
Activity
Values:
  • 16
RFC_TYPE
Type of RFC Object
Values:
  • FUGR
Authorization Field Values for S_TABU_DIS Object
Required for Connector Operations
DICBERCLS
Table Authorization Group
Values:
  • SS
  • SC
  • SA
ACTVT
Activity
Values:
  • 02
  • 03
Authorization Field Values for S_TABU_NAM Object
Required for Connector Operations
*Change and Display access to below tables*
TABLE
Table Name
Values:
  • TAPLT
  • TFDIR
  • RFCDES
  • EDIPOA
ACTVT
Activity
Values:
  • 02
  • 03
*Display access to below tables*
TABLE
Table Name
Values:
  • TFTIT
  • EDP13
  • TBD05
  • EDP21
ACTVT
Activity
Values:
  • 03
6

Your final Authorization should look like this:

Authorizations for profile

7

Press the generate button (the white and red circular button in your top bar) to save your Authorization.


To link your user to your newly-created role:

1

Navigate to SU01 and edit the user you created in Step 1: Create a new user in SAP using SU01.

2

Go to the Roles tab.

3

Proceed ahead and Assign the role which you have just created.

Assign role to user

4

Click Save.


FURTHER READING

To complete your connection to SAP RFC, read the following guides:

  1. Configure the Workato OPA.
  2. Configure the Workato SAP connector.
  3. Optional: Configure IDocs to/from Workato in SAP.


Last updated: 3/20/2024, 6:34:22 AM