Set up SAP ECC

This guide explains how to create a dedicated communication user in SAP ECC and grant the authorizations Atlan needs to extract metadata over RFC.

How Atlan connects to SAP systems

Before setting up user accounts, understand how Atlan connects to SAP ECC.

Prerequisites

Before you begin, make sure you have:

  • Administrative access to SAP ECC, including the ability to create users (SU01) and maintain roles (PFCG).
  • A Self-Deployed Runtime deployment that meets the system requirements. For installation, see Install Self-Deployed Runtime.
  • SAP system details, including:
    • Host
    • System number
    • Client number

Create communication user

  1. In the SAP GUI command field, enter SU01 and press Enter to open User Maintenance.
  2. In the User field, enter a name for the new service user and click Create.
  3. On the Address tab, provide the required contact information.
  4. Open the Logon Data tab and:
    • Set User Type to C (Communications Data).
    • Set an initial password (enter it twice).
  5. Click Save to create the user.

You assign the authorizations in the next section.

Grant required authorizations

Atlan extracts metadata over RFC using read-only function modules, so the communication user needs two authorization objects:

  • S_RFC to execute the RFC function modules.
  • S_TABU_DIS to read the data dictionary tables those modules query.

Grant the following values. All activities are display or execute only, so Atlan never writes to your SAP system.

S_RFC for RFC execution

| Field | Value | Purpose |
|---|---|---|
| RFC_TYPE | FUGR | Authorize at the function-group level. |
| RFC_NAME | SDTX, /SAPDS/RS_BASIS, SYST, RFC1 | Function groups that contain the required modules (see below). |
| ACTVT | 16 (Execute) | Allow execution only. |

These function groups cover the function modules Atlan calls:

| Function module | Function group | Purpose |
|---|---|---|
| RFC_READ_TABLE | SDTX | Reads metadata tables. |
| /SAPDS/RFC_READ_TABLE2 | /SAPDS/RS_BASIS | Reads tables with long-string (STRG) columns that RFC_READ_TABLE can't return. |
| STFC_CONNECTION | SYST | Verifies connectivity between Atlan and SAP ECC. |
| RFC_SYSTEM_INFO | RFC1 | Retrieves system metadata such as SYSID, operating system, and release version. |

About /SAPDS/RFC_READ_TABLE2

/SAPDS/RFC_READ_TABLE2 ships with the SAP Basis Plug-In (PI_BASIS). Atlan uses it to read columns that the classic RFC_READ_TABLE returns as blank. If your ECC system doesn't have the Basis Plug-In installed, contact your Atlan team.

S_TABU_DIS for table reads

| Field | Value | Purpose |
|---|---|---|
| ACTVT | 03 (Display) | Allow read-only table access. |
| DICBERCLS | SS, &NC& | Table authorization groups for the dictionary tables Atlan reads. |

The data dictionary tables Atlan extracts belong to table authorization group SS. The &NC& group covers in-scope tables that aren't assigned to a group. To confirm the group for a specific table, your Basis team can check table TDDAT or use transaction SUCU.

Restricting access to specific tables

If your security policy requires authorizing individual tables rather than a table authorization group, use S_TABU_NAM (ACTVT = 03, with TABLE set to each table name) instead of S_TABU_DIS. The exact list of tables the connector reads isn't published here. Contact your Atlan team to get the list during implementation.

Assign authorizations to user

You can grant the authorization objects directly or, preferably, bundle them into a single role.

  1. In the command field, enter PFCG and press Enter to open Role Maintenance.
  2. Enter a name for a new single role (for example, Z_ATLAN_RFC_METADATA) and click Single Role.
  3. On the Authorizations tab, open the authorization data and add the S_RFC and S_TABU_DIS objects with the field values from the previous section.
  4. Generate the authorization profile.
  5. On the User tab, assign the role to the communication user you created, then Save.

Note: The user must change the password on first login.
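
Once the role is generated, its values can be checked against the field values listed on this page, so that a wildcard or an extra activity does not slip in. The following Python check is an added example, not Atlan's or SAP's code. It assumes the role's authorization values were exported as (object, field, low, high) rows, covers the S_TABU_DIS variant only, and uses constructed sample rows.

```python
# Baseline: the field values this page lists for S_RFC and S_TABU_DIS.
BASELINE = {
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {"SDTX", "/SAPDS/RS_BASIS", "SYST", "RFC1"},
    ("S_RFC", "ACTVT"): {"16"},
    ("S_TABU_DIS", "ACTVT"): {"03"},
    ("S_TABU_DIS", "DICBERCLS"): {"SS", "&NC&"},
}

def audit_role(rows):
    """Return (excess, missing) for (object, field, low, high) rows (assumed layout)."""
    excess, seen = [], {}
    for obj, field, low, high in rows:
        low, high = low.strip().upper(), high.strip().upper()
        if not low:
            continue  # an empty value grants nothing
        allowed = BASELINE.get((obj, field))
        if allowed is None:
            excess.append((obj, field, low, "object or field not in baseline"))
        elif high:
            excess.append((obj, field, f"{low}..{high}", "range, not a single value"))
        elif "*" in low:
            excess.append((obj, field, low, "wildcard"))
        elif low not in allowed:
            excess.append((obj, field, low, "value not in baseline"))
        else:
            seen.setdefault((obj, field), set()).add(low)
    # Baseline values the role lacks (the page lists all of them as required).
    missing = sorted(
        (obj, field, value)
        for (obj, field), allowed in BASELINE.items()
        for value in allowed - seen.get((obj, field), set())
    )
    return excess, missing

# Constructed sample: wildcard function group, change activity (02), no RFC1 entry.
SAMPLE_ROWS = [
    ("S_RFC", "RFC_TYPE", "FUGR", ""), ("S_RFC", "RFC_NAME", "SDTX", ""),
    ("S_RFC", "RFC_NAME", "/SAPDS/RS_BASIS", ""), ("S_RFC", "RFC_NAME", "SYST", ""),
    ("S_RFC", "RFC_NAME", "S*", ""), ("S_RFC", "ACTVT", "16", ""),
    ("S_TABU_DIS", "ACTVT", "03", ""), ("S_TABU_DIS", "ACTVT", "02", ""),
    ("S_TABU_DIS", "DICBERCLS", "SS", ""), ("S_TABU_DIS", "DICBERCLS", "&NC&", ""),
]

if __name__ == "__main__":
    excess, missing = audit_role(SAMPLE_ROWS)
    for kind, findings in (("EXCESS", excess), ("MISSING", missing)):
        for finding in findings:
            print(kind, *finding)
```

A role that uses S_TABU_NAM instead of S_TABU_DIS needs its own baseline entries, built from the table list Atlan provides.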

Next steps

  • Crawl SAP ECC: Follow the instructions to extract metadata from SAP ECC using the configured service user.