Configure admin roles for SAP Netweaver ABAP

Early Access release

On-prem Connector requires that you configure a certain set of permissions and admin roles in your SAP Netweaver ABAP app. Ensure that your app has each of the following permissions configured.

Authorization	Field	Value
S_USER_GRP	Activity (ACTVT)	Create (01) Change (02) Display (03) Lock (05) Delete (06) Assign (22) Set Productive Password (PP)
	User Group (CLASS)	Set to * to have Okta manage all users; OR Add values that specify which users that you want to allow Okta to manage
S_RFC	Activity (ACTVT)	Execute (16)
	Type of RFC (RFC_TYPE)	Function Group (FUGR)
	Name of RFC (RFC_NAME)	SU_USER PRGN_EXCHANGE SYST SYSU RFC_METADATA
S_USER_AGR	Activity (ACTVT)	Display (03)
	Role Name (ACT_GROUP)	Set to * to allow Okta to see all roles; OR Add values and patterns that specify which roles that you want to allow Okta to see. For example, enter Z* to allow Okta to only see roles that begin with the letter Z.
S_USER_SAS	Activity (ACTVT)	Assign (22)
	User Group (CLASS)	Set to * to have Okta manage all users; OR Add values that specify which users that you want to allow Okta to manage
	Receiving System (SUBSYSTEM)	Set to *; OR Set to the name of the local system (CUA isn't supported)
	Role Name (ACT_GROUP)	Set to * to allow Okta to see all roles; OR Add values and patterns that specify which roles that you want to allow Okta to see. For example, enter Z* to allow Okta to only see roles that begin with the letter Z.
	Auth Profile (PROFILE)	Enter a pattern that follows your naming convention for profiles assigned by role. For example, if these profiles all begin with the letter T, then enter T*. While Okta never attempts to assign profiles directly, it's important that this pattern doesn't match either SAP_ALL or SAP_NEW.
S_USER_UID	Activity (ACTVT)	Display (03)
	User Group (CLASS)	Set to *; OR Add values according to the customer
	External UID Type (EXTUID_TYP)	Global User ID (GU)

Related topics

Okta On-prem Connector

Okta On-prem Connector guides