Security, GUI and other Logon methods

Process Runner Security, GUI and other Logon methods

Process Runner communicates with SAP via RFC in most cases. If a user can log on to the SAP server using SAP GUI, she may also be able to do so with Process Runner, provided the additional RFC authorization is assigned to her user.

This document briefly explains what RFC authorization and SAP GUI components are required for Process Runner to function correctly. If a required authorization is missing, Process Runner normally displays the problem in a pop-up message along with the action to take.

Please note that the Process Runner GUI Scripting component talks to SAP via GUI Scripting and does not use RFC.

Quick Guide:

If you only want to know the minimum security requirement, read this section and go no further.

Authorization required for "Run-Only" user - Transaction Module - Appendix I

Authorization required for Designer user - Transaction Module - Appendix II

If you want to understand the details behind these, please read on.


  1. RFC Authorization

    Process Runner fully respects SAP security features. Process Runner cannot override the SAP authorization restrictions that a user is bound to.

    Furthermore, SAP security can separately restrict what a user can execute from Process Runner and what they can execute from SAP GUI. If the required RFC authorizations are missing, a user may be able to execute a function from SAP GUI but not from Process Runner.

    This section can help you and your security team understand the authorization required to run Process Runner. In some cases, the basic authorizations may already be in place.

    1. Normal SAP authorization:

       Process Runner cannot run a transaction if the user cannot run that transaction in SAP GUI. If a user does not have access to a particular transaction, they should first obtain the regular GUI authorization for it before attempting to run that transaction in Process Runner.

    2. Additional RFC authorization:

       The Process Runner Transaction, BAPI and Data Extraction modules make RFC calls to SAP. The user must have this additional access assigned to them, over and above their regular transaction access via SAP GUI.

      Authorization Object: S_RFC (this object controls what a user can execute from Process Runner)

      Fields:

      ACTVT: 16 (execute)

      RFC_TYPE: FUGR

      RFC_NAME: value from the table below (or, in some cases, *)


      RFC_NAME values for the S_RFC object, by function:

      For Transaction Process
        Running transactions (release before ECC6):             SYST, RFC1, ATSV
        Running transactions (ECC6 and higher):                 SYST, RFC1, SBDC, SDTX (note 1; if SDTX is not available, either SIGE or BATG will also work)
        New Recording without descriptions:                     SYST, RFC1, ATSV, SQUE, SBDR
        New Recording with descriptions (note 2):               SYST, RFC1, ATSV, SBDR, SDTX (note 1; if SDTX is not available, SDIFRUNTIME will also work)
        Transaction Step-by-Step debug:                         SYST, RFC1, SBDC
        Transaction Step-by-Step debug with messages (note 2):  SYST, RFC1, SBDC, SDTX (if SDTX is not available, either SIGE or BATG will also work)
        New Recording with SAP control framework objects:       SYST, RFC1, STTM
        Reading data from SAP to Excel:                         SYST, RFC1, STTF

      For BAPI/RFM Process
        New BAPI/RFM creation without description:              SYST, RFC1
        New BAPI/RFM creation with description (note 2):        SYST, RFC1, SDTX (note 1)
        Running BAPI/RFM:                                       the function group that the BAPI/RFM belongs to

      For Data Extraction Process
        To build an extraction profile:                         SYST, SDTX, SUSE
        Table level authorization:                              for the table you need to extract data from; see note 3 below on which authorization object is involved
        Line level authorization:                               for the table you need to extract data from; see the line level security document, which explains the authorization involved at row level

      1. SDTX is not mandatory. However, transaction messages will not be fully expanded without this access.
      2. To get extended comments and to retrieve messages during debug modes, you may need further access to a few tables. Refer to section 3 below for more details.

      3. The following steps check whether the required function group authorization is assigned to a user. If you cannot perform these steps yourself, ask someone who has this access to perform them for you.

        1. Log on with SAP GUI to the SAP system where the authorization problem seems to occur.
        2. Run transaction SE37, enter AUTHORITY_CHECK_RFC as the function module name and click Single Test (F8).
        3. In the USERID field, enter the user name of the user who has the access problem or whose authorization you want to check.
        4. In the FUNCTIONGROUP field, enter the RFC_NAME required from the table above.
        5. Click Execute (F8).
        6. If this results in an exception, the user does not have the appropriate authorization. The security team will have to add the appropriate authorization as per the instructions above.
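The same check can be scripted when many users or many function groups have to be verified. The following is an added example, not Process Runner's own code and not an SAP tool: it calls the SAP standard function module AUTHORITY_CHECK_RFC once per function group, exactly as the SE37 single test above does, and applies the "either/or" fallbacks from the RFC_NAME table (SDTX falling back to SIGE or BATG, SDTX to SDIFRUNTIME). The RFC transport is passed in as a callable so the logic runs offline against a constructed stub; with the pyrfc library you would pass `Connection(...).call`, and the assumption that pyrfc's ABAPApplicationError exposes the ABAP exception name in its `key` attribute is marked in the code. Operation names and the stub are this example's own.

```python
"""Scripted AUTHORITY_CHECK_RFC test for Process Runner function groups.

Added example; not part of Process Runner or of SAP's own tooling.
"""
from typing import Callable, Dict, List, Set, Tuple, Union

Requirement = Union[str, Tuple[str, ...]]

# Required S_RFC function groups per operation, transcribed from the RFC_NAME
# table above. A tuple means "any one of these is sufficient". The operation
# names are this example's own labels.
REQUIRED_GROUPS: Dict[str, List[Requirement]] = {
    "run_transaction_pre_ecc6": ["SYST", "RFC1", "ATSV"],
    "run_transaction_ecc6": ["SYST", "RFC1", "SBDC", ("SDTX", "SIGE", "BATG")],
    "new_recording": ["SYST", "RFC1", "ATSV", "SQUE", "SBDR"],
    "new_recording_with_descriptions": ["SYST", "RFC1", "ATSV", "SBDR", ("SDTX", "SDIFRUNTIME")],
    "step_by_step_debug": ["SYST", "RFC1", "SBDC"],
    "step_by_step_debug_with_messages": ["SYST", "RFC1", "SBDC", ("SDTX", "SIGE", "BATG")],
    "recording_with_control_framework": ["SYST", "RFC1", "STTM"],
    "read_data_to_excel": ["SYST", "RFC1", "STTF"],
    "new_bapi_without_description": ["SYST", "RFC1"],
    "new_bapi_with_description": ["SYST", "RFC1", "SDTX"],
    "build_extraction_profile": ["SYST", "SDTX", "SUSE"],
}


class RfcNoAuthority(Exception):
    """Raised by the stub transport below for the ABAP exception RFC_NO_AUTHORITY."""


def has_group_access(call_fm: Callable[..., dict], user: str, group: str) -> bool:
    """Run AUTHORITY_CHECK_RFC for USERID/FUNCTIONGROUP; False on RFC_NO_AUTHORITY.

    call_fm(name, **params) must return a dict on success and raise when the
    function module raises an ABAP exception. Assumption: pyrfc raises
    ABAPApplicationError whose .key attribute holds the exception name; the
    stub below raises RfcNoAuthority instead. Any other error (for example
    USER_DONT_EXIST) is re-raised so that a typo in the user name is not
    reported as missing access.
    """
    try:
        call_fm("AUTHORITY_CHECK_RFC", USERID=user, FUNCTIONGROUP=group)
        return True
    except Exception as exc:
        key = getattr(exc, "key", None) or str(exc)
        if "RFC_NO_AUTHORITY" in key:
            return False
        raise


def check_operation(call_fm: Callable[..., dict], user: str, operation: str) -> Dict[str, object]:
    """Report the function groups a user is missing for one Process Runner operation.

    Mandatory groups are reported individually; for an alternative set the first
    member that passes is recorded, mirroring how Process Runner detects and
    remembers which of SDTX/SIGE/BATG a user holds.
    """
    missing: List[str] = []
    alternatives: Dict[str, str] = {}
    for req in REQUIRED_GROUPS[operation]:
        if isinstance(req, tuple):
            granted = next((g for g in req if has_group_access(call_fm, user, g)), None)
            if granted is None:
                missing.append("one of " + "/".join(req))
            else:
                alternatives["/".join(req)] = granted
        elif not has_group_access(call_fm, user, req):
            missing.append(req)
    return {"ok": not missing, "missing": missing, "alternatives": alternatives}


def stub_transport(granted: Set[str], known_users: Tuple[str, ...] = ("RUNUSER",)) -> Callable[..., dict]:
    """Constructed stand-in for an RFC connection, for offline use only."""
    def call_fm(name: str, **params) -> dict:
        assert name == "AUTHORITY_CHECK_RFC"
        if params["USERID"] not in known_users:
            raise RuntimeError("USER_DONT_EXIST")
        if params["FUNCTIONGROUP"] not in granted:
            raise RfcNoAuthority("RFC_NO_AUTHORITY")
        return {}
    return call_fm


if __name__ == "__main__":
    # Constructed sample: a Run-Only user holding BATG as the Method 3 fallback.
    rfc = stub_transport({"SYST", "RFC1", "SBDC", "BATG"})
    for op in ("run_transaction_ecc6", "new_recording"):
        print(op, check_operation(rfc, "RUNUSER", op))
```

Against a real system, replace the stub with a pyrfc connection (`check_operation(Connection(ashost=..., sysnr=..., client=..., user=..., passwd=...).call, "SOMEUSER", "run_transaction_ecc6")`); the account running the check only needs what SE37 would need, and the report lists exactly the groups the security team has to add.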

  2. Process Runner Logon and GUI requirements

    Process Runner can run most Transaction, BAPI and Data Extractor process files without SAP GUI installed. Process Runner also supports most flavors of SNC, SSO and Enterprise Portal logon.

    However, the following SAP GUI components are required for Process Runner to perform Record and Debug and some special operations, such as downloading a file from the SAP application server.

    The following components are also required if you are planning to use the GUI Scripting module of Process Runner.

      Note: none of the additional components are required unless you have those SAP systems installed. For example, if you have SAP CRM installed, you should select the SAP CRM Add-On.


  3. System Ports that should be kept open

    For successful communication between Process Runner and SAP systems, various ports may have to be kept open in your network environment.

    <NN> means the instance number.

    For normal ERP connection:

    Dispatcher (GUI)              32<NN>
    Gateway (RFC)                 33<NN>
    Message Server                36<NN>

    For normal ERP connection:

    Message Server (HTTPS)        444<NN>
    Java EE Dispatcher (HTTPS)    5<NN>01
    Message Server (HTTP)         81<NN>
    Java EE Dispatcher (HTTP)     5<NN>00
    Process Runner Special Port   9990 (can be configured to be a different port)

    Please note:

    1. If there is a firewall between the desktop and the SAP server and you can connect on the GUI ports but not on the RFC port (via Process Runner), you may have to allow those ports in the firewall and/or use hostnames instead of IP addresses for the SAP servers. We have observed that some firewalls/routers NAT the absolute IP address and communication may not be successful; using hostnames seems to help in such network environments.
    2. A Run Only user who does not have SAP GUI installed may not need the GUI ports open.
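When writing the firewall rules for a given instance, the <NN> patterns above are easy to get wrong by hand. The following is an added example, not part of Process Runner, that expands the patterns for an instance number, picks the subset a particular user profile needs (note 2 above: a Run Only user without SAP GUI does not need the GUI dispatcher port), and can probe the result from the desktop side to localise a blocked port. The profile names and the probe are this example's own design; 9990 is the document's default for the Process Runner special port.

```python
"""Expand SAP port patterns for an instance and probe them. Added example,
not part of Process Runner."""
import socket
from typing import Dict, Optional

ERP_PORTS = ("Dispatcher (GUI)", "Gateway (RFC)", "Message Server")


def sap_ports(instance: int, special_port: int = 9990) -> Dict[str, int]:
    """Expand the <NN> patterns from the tables above for one instance (00..99)."""
    if not 0 <= instance <= 99:
        raise ValueError("SAP instance number must be between 00 and 99")
    nn = f"{instance:02d}"
    return {
        "Dispatcher (GUI)": int(f"32{nn}"),
        "Gateway (RFC)": int(f"33{nn}"),
        "Message Server": int(f"36{nn}"),
        "Message Server (HTTPS)": int(f"444{nn}"),
        "Java EE Dispatcher (HTTPS)": int(f"5{nn}01"),
        "Message Server (HTTP)": int(f"81{nn}"),
        "Java EE Dispatcher (HTTP)": int(f"5{nn}00"),
        "Process Runner Special Port": special_port,  # configurable, 9990 is the default
    }


def required_ports(instance: int, run_only_without_gui: bool = False,
                   include_extended: bool = False, special_port: int = 9990) -> Dict[str, int]:
    """Select the ports a firewall rule must allow for one user profile.

    run_only_without_gui drops the GUI dispatcher port (note 2 above) but keeps
    the RFC gateway and message server, which Process Runner itself uses.
    include_extended adds the second table (HTTP/HTTPS, Java EE, special port).
    """
    ports = sap_ports(instance, special_port)
    names = list(ERP_PORTS)
    if run_only_without_gui:
        names.remove("Dispatcher (GUI)")
    if include_extended:
        names += [n for n in ports if n not in ERP_PORTS]
    return {name: ports[name] for name in names}


def probe(host: str, ports: Dict[str, int], timeout: float = 2.0) -> Dict[str, Optional[bool]]:
    """TCP-connect to each port from the desktop side.

    True = reachable, False = refused or timed out (a firewall candidate),
    None = the host name did not resolve. Try both the hostname and the IP
    address, as note 1 above suggests, and compare the two result sets.
    """
    results: Dict[str, Optional[bool]] = {}
    for name, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[name] = True
        except socket.gaierror:
            results[name] = None
        except OSError:
            results[name] = False
    return results


if __name__ == "__main__":
    # Constructed sample: instance 00, a Run Only desktop without SAP GUI.
    print(required_ports(0, run_only_without_gui=True))
    # Probing needs a real SAP host; "sap-host.example" is a placeholder.
    # print(probe("sap-host.example", required_ports(0, run_only_without_gui=True)))
```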

Appendix I

Authorization required for Run Only user - Transaction Module

This is the list of authorizations required for a Run Only user of the Transaction Module.


Auth Object   Function Group   Impact if this access is missing
S_RFC         SYST             Mandatory.
              RFC1             Critical; a workaround is possible.
              SBDC             Mandatory.
              STTF             User cannot read field values from a transaction and cannot run in non-batch-input mode. This is a sparingly used feature of Process Runner and does not impact upload to most transactions.
              SDTX             See the note below. User will NOT get the message text when they RUN the transaction. A workaround is available (Method 1).
              SIGE             See the note below. User will NOT get the message text when they RUN the transaction. This access will be used if SDTX access is missing (Method 2).
              BATG             See the note below. User will NOT get the message text when they RUN the transaction. This access will be used if SDTX and SIGE are missing (Method 3).

Auth Object   Table   Table Authorization Group   Impact if this access is missing
S_TABU_DIS    T100    SS                          User will NOT get the message text when they RUN the transaction. A workaround is available.

Note: When a user runs a transaction in Process Runner, the messages are captured internally through one of these function groups. Transaction messages will not be fully expanded without this access, so one of these function groups should be maintained for the user. Process Runner automatically detects which access the user has and remembers it, so providing just one of these authorizations is enough.

Appendix II

Authorization required for Designer user - Transaction Module

This is the list of authorizations required for a Designer user who will record or design a new process and also run it.

To run a process: same as Appendix I.

To design (record) a new process, the following additional access is required:


Auth Object   Function Group   Impact if this access is missing
S_RFC         SBDR             User cannot dynamically record and create a new transaction process. A workaround is possible with alternative authorization.
              STTM             User cannot record special controls within a transaction.

                               SAP provides some special control framework objects, such as tree views and ALV grids, for some transactions. To record and play back these controls in static mode, Process Runner offers the option "Record Controls (static recording only)" during recording.

                               If the user selects this option and STTM access is not assigned to the user, Process Runner will stop and display an authorization error. The user will either need STTM access or can continue recording without the "Record Controls…" option.
              SDIFRUNTIME      User will not get the field descriptions of the recorded process. The process file will still work fine; this is a nice-to-have feature. On failure, Process Runner automatically disables this feature for the next call for that user. If SDTX and S_TABU_DIS on T100 are not possible, this authorization serves as a backup to extract field descriptions.

Auth Object   Table   Table Auth Group   Impact if this access is missing
S_TABU_DIS    DD03M   &NC&               User will not get the field descriptions of the recorded process. The process file will still work fine; this is a nice-to-have feature. On failure, Process Runner automatically disables this feature for the next call for that user. A workaround is possible with SDIC access in S_TABU_DIS or with SDIFRUNTIME (see the SDIFRUNTIME row above).
              D020T   SS                 User will not get the field descriptions of the recorded process. The process file will still work fine; this is a nice-to-have feature. On failure, Process Runner automatically disables this feature for the next call for that user.