Create users for SAP connection
Before you run any extraction or automation action in SAP, you must create an SAP user and give it the permissions necessary to perform extraction and automation tasks.
Creating users for SAP connection is one step in connecting your SAP instance with Celonis Platform. For an overview of the whole process, see Continuous extraction, and make sure you have completed the other necessary steps.
To create a user for SAP connection:

1. In your SAP instance, call the User Maintenance (SU01) transaction to create a user:
   1. Enter the user name.
   2. Set the user type to System User.
   3. Set the password.
2. Give the user the necessary role:
   1. From the Download Portal in Celonis Platform, download the extraction role file (yyyy.mm.dd_CELONIS_EXTRACTION.SAP).
      Note
      The CELONIS_EXTRACTION.SAP file contains the pre-built user permissions necessary for data extraction from SAP. For automation actions with SAP, you must add the user permissions manually. For the list of required permissions, see SAP User Role CELONIS/AUTOMATION_BASIS.
   2. In SAP, call the PFCG transaction to add or create the role with the necessary permissions.
   3. Go to Role > Upload.
   4. Upload the role you downloaded in the previous steps.

Your SAP user is created. You can start creating your SAP connections in Celonis Platform.
For data extraction, create the connection in the Data Integration area. See Connect with SAP for data extraction.
For automations, create your connection between SAP and the Automation client in Studio or through the Admin and Settings area. See Creating on-prem system connections.
SAP CELONIS_EXTRACTION role
The following describes in detail what the SAP CELONIS_EXTRACTION role contains and why each authorization is necessary, along with the available customization options.
Cross-application Authorization Objects
Authorization Check for RFC Access - So the Extractor can remotely access the functions in the RFC module
Object | Field | Activities/Values |
---|---|---|
S_RFC | ACTVT | 16 |
S_RFC | RFC_NAME | /CELONIS/46C_EXTRACTION, /CELONIS/CL_EXTRACTION, /CELONIS/EXTRACTION, /CELONIS/V2_CL_EXTRACTION, /CELONIS/V2_EXTRACTION, RFC1, SDIFRUNTIME, SDTX, SRFC, SYST, SYSU |
S_RFC | RFC_TYPE | FUGR |
Basis: Administration
Background Processing: Operations on Background Jobs - So the RFC module can immediately run the extractions as background jobs
Object | Field | Activities/Values |
---|---|---|
S_BTCH_JOB | JOBACTION | RELE |
S_BTCH_JOB | JOBGROUP | * |
Authorization for file access - So the RFC module can write, read, and delete files in the physical path defined for the logical path 'Z_CELONIS_TARGET'
Object | Field | Activities/Values |
---|---|---|
S_DATASET | ACTVT | 06, 33, 34 |
S_DATASET | FILENAME | * |
S_DATASET | PROGRAM | /CELONIS/* |
Note
You can replace the '*' in 'FILENAME' with the physical path you have chosen for Z_CELONIS_TARGET, e.g. /<YOUR_PATH>/*
Table Maintenance (via standard tools such as SM30) - So the RFC module can extract data from tables
Object | Field | Activities/Values |
---|---|---|
S_TABU_DIS | ACTVT | 03 |
S_TABU_DIS | DICBERCLS | * |
Note
You can replace the '*' in 'DICBERCLS' with the authorisation group of the tables you will be extracting.
Alternatively, if you need to control access to individual tables instead of groups of tables, you can use the authorisation object S_TABU_NAM.
Important: When using the Real-Time Extractor, the Changelog tables (ZCL...) should also be allowlisted.
Basis - Development Environment - Generic Program Start
Object | Field | Activities/Values |
---|---|---|
S_PROGNAM | P_ACTION | BTCSUBMIT |
S_PROGNAM | P_PROGNAM | /CELONIS/RP_BG_EXTRACT |
Basis - Central Functions - Applications log
Object | Field | Activities/Values |
---|---|---|
S_APPL_LOG | ALG_OBJECT | /CELONIS/ |
S_APPL_LOG | ALG_SUBOBJ | * |
S_APPL_LOG | ACTVT | 06 |
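
The role tables and customization notes above can be used as a baseline when reviewing a customized copy of the role. The following is an added example, not Celonis or SAP code: it flags values broader than the documented ones and wildcards that the notes say can be narrowed. The `Object | Field | Values` input format, the sample role, and its file path are assumptions constructed for illustration.

```python
import fnmatch
# Baseline values copied from the CELONIS_EXTRACTION role tables on this page.
BASELINE = """
S_RFC | ACTVT | 16
S_RFC | RFC_NAME | /CELONIS/46C_EXTRACTION, /CELONIS/CL_EXTRACTION, /CELONIS/EXTRACTION, /CELONIS/V2_CL_EXTRACTION, /CELONIS/V2_EXTRACTION, RFC1, SDIFRUNTIME, SDTX, SRFC, SYST, SYSU
S_RFC | RFC_TYPE | FUGR
S_BTCH_JOB | JOBACTION | RELE
S_BTCH_JOB | JOBGROUP | *
S_DATASET | ACTVT | 06, 33, 34
S_DATASET | FILENAME | *
S_DATASET | PROGRAM | /CELONIS/*
S_TABU_DIS | ACTVT | 03
S_TABU_DIS | DICBERCLS | *
S_PROGNAM | P_ACTION | BTCSUBMIT
S_PROGNAM | P_PROGNAM | /CELONIS/RP_BG_EXTRACT
S_APPL_LOG | ALG_OBJECT | /CELONIS/
S_APPL_LOG | ALG_SUBOBJ | *
S_APPL_LOG | ACTVT | 06
"""
# Fields where the page's notes say '*' can be replaced with a narrower value.
NARROWABLE = {("S_DATASET", "FILENAME"), ("S_TABU_DIS", "DICBERCLS")}
# Constructed sample of a customized role (not a real export); the path is a placeholder.
SAMPLE_ROLE = """
S_DATASET | FILENAME | /constructed/path/*
S_DATASET | PROGRAM | *
S_TABU_DIS | ACTVT | 02, 03
S_TABU_DIS | DICBERCLS | *
S_DEVELOP | ACTVT | 03
"""

def parse(rows):
    """Parse 'Object | Field | Values' rows into {(object, field): {values}}."""
    role = {}
    for line in rows.strip().splitlines():
        obj, field, values = (p.strip() for p in line.strip().strip("|").split("|"))
        role.setdefault((obj, field), set()).update(v.strip() for v in values.split(","))
    return role

def audit(role, baseline):
    """Return (key, finding, values) for entries broader than the baseline."""
    findings = []
    for key, values in sorted(role.items()):
        allowed = baseline.get(key, set())  # unknown object/field: nothing is allowed
        extra = sorted(v for v in values if not any(fnmatch.fnmatchcase(v, a) for a in allowed))
        if extra:
            findings.append((key, "BROADER_THAN_BASELINE" if allowed else "NOT_IN_BASELINE", extra))
        if key in NARROWABLE and "*" in values:
            findings.append((key, "WILDCARD_NOT_NARROWED", ["*"]))
    return findings
```

Calling `audit(parse(SAMPLE_ROLE), parse(BASELINE))` returns one tuple per finding; running the baseline against itself reports only the two wildcards that the notes describe as replaceable.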