Certain SAP authorizations are required for users working with Winshuttle Journal Entry.
Winshuttle Journal Entry fully protects SAP® security features. In no circumstances can Journal Entry override SAP authorization restrictions you are bound to. This document can help you and your security team to understand the SAP authorizations required to work with Journal Entry . In most cases, these SAP authorizations are already in place. However, if you have tried Journal Entry but can not use it or if you are seeing error messages then this document will help you address the issue.
SAP Customers running SAP with Support Pack stack 24 or higher will need to implement the custom Winshuttle Function Module for Journal Entry templates to work.
Transaction Authorization via SAP GUI:
Journal Entry cannot run a transaction if you cannot run that transaction in the SAP GUI. If you do not have access to a particular transaction, please obtain authorization for it before you run that transaction in Journal Entry.
Remote Function Calls (RFC) Authorization:
Journal Entry uses an RFC connection to interact with SAP. You must have this additional access assigned to you. In most cases, these authorizations are already assigned to you. The following objects with the indicated values should be in your SAP user profile for working with Journal Entry.
For the S_RFC Authorization Object:
• Field RFC_TYPE Value FUGR (function group)
• Field ACTVT Value 16 (execute) or *
• Field RFC_NAME
The following values are required for running shuttle files:
SYST, SRFC, SUSR, RFC1, RFCH, ATSV, STTF, SDTX, RHF4
To check if a user is authorized to use a given rFM, Journal Entry validates if the user has
EXECUTE(16) permission on the Function Group. Accordingly, when a given Function Module executes, it accesses the structures defined in the Function group too, authorization for the Function Group is needed.
The Authority_Check RFM validates whether the user is authorized to use the Function Module of a given Function Group.
To attach documents to a journal entry posting, the following is required:
- For the S_RFC authorization object, value BDS_BAPI is needed
- Access to object S_BDS_DS is required with all values except lock and delete, for all class names and class types
Table Level Authorizations:
Journal Entry can get logs, extended comments, field descriptions, and messages. For this, the user must have access to few tables. Table level access is controlled by authorization object S_TABU_DIS.
Transaction needs access to these tables: T100
To enable this access, please setup the following authorization:
Authorization Object: S_TABU_DIS
Field Authorization Group (DICBERCLS) = SS, &NC&
Field Activity (ACTVT) = 03 (Display only)