Create users for SAP connection

Before you run any extraction or automation action in SAP, you must create an SAP user and grant it the permissions necessary to perform extraction and automation tasks.

Creating users for the SAP connection is one step in connecting your SAP instance with Celonis Platform. For an overview of this process, see Continuous extraction, and make sure you have completed the other necessary steps.

To create a user for SAP connection:

  1. In your SAP instance, call the User Maintenance (SU01) transaction to create a user:

    1. Enter the user name.

    2. Set the user type to System User.

    3. Set the password.

  2. Give your users the necessary role:

    1. From the Download Portal in Celonis Platform, download the extraction role file (yyyy.mm.dd_CELONIS_EXTRACTION.SAP).

      Note

      The CELONIS_EXTRACTION.SAP file contains the pre-built user permissions necessary for data extraction from SAP. For automation actions with SAP, you must add the user permissions manually. For the list of required permissions, see SAP User Role CELONIS/AUTOMATION_BASIS.

    2. In SAP, call the PFCG transaction to add or create the role with the necessary permissions.

    3. Go to Role > Upload.

    4. Upload the role you downloaded in previous steps.

    Your SAP user is created. You can start creating your SAP connections in Celonis Platform.

    For data extraction, create the connection in the Data Integration area. See Connect with SAP for data extraction.

    For automations, create your connection between SAP and the Automation client in Studio or through the Admin and Settings area. See Creating on-prem system connections.

SAP CELONIS_EXTRACTION role

The following describes in detail what the SAP CELONIS_EXTRACTION role contains and why each authorization is necessary, along with customization options.

Cross-application Authorization Objects

Authorization Check for RFC Access - So the Extractor can remotely access the functions in the RFC module

| Object | Field | Activities/Values |
|---|---|---|
| S_RFC | ACTVT | 16 |
| S_RFC | RFC_NAME | /CELONIS/46C_EXTRACTION, /CELONIS/CL_EXTRACTION, /CELONIS/EXTRACTION, /CELONIS/V2_CL_EXTRACTION, /CELONIS/V2_EXTRACTION, RFC1, SDIFRUNTIME, SDTX, SRFC, SYST, SYSU |
| S_RFC | RFC_TYPE | FUGR |

Basis: Administration

Background Processing: Operations on Background Jobs - So the RFC module can immediately run the extractions as background jobs

| Object | Field | Activities/Values |
|---|---|---|
| S_BTCH_JOB | JOBACTION | RELE |
| S_BTCH_JOB | JOBGROUP | * |

Authorization for file access - So the RFC module can write, read, and delete files in the physical path defined for the logical path 'Z_CELONIS_TARGET'

| Object | Field | Activities/Values |
|---|---|---|
| S_DATASET | ACTVT | 06, 33, 34 |
| S_DATASET | FILENAME | * |
| S_DATASET | PROGRAM | /CELONIS/* |

Note

You can replace the '*' in 'FILENAME' with the physical path you have chosen for Z_CELONIS_TARGET, e.g. /<YOUR_PATH>/*

Table Maintenance (via standard tools such as SM30) - So the RFC module can extract data from tables

| Object | Field | Activities/Values |
|---|---|---|
| S_TABU_DIS | ACTVT | 03 |
| S_TABU_DIS | DICBERCLS | * |

Note

You can replace the '*' in 'DICBERCLS' with the authorisation group of tables you will be extracting.

Alternatively, if you need to control access to individual tables instead of groups of tables, you can use the authorisation object S_TABU_NAM.

Important: When using the Real-Time Extractor, the Changelog tables (ZCL...) should also be allowlisted.

Basis - Development Environment - Generic Program Start

| Object | Field | Activities/Values |
|---|---|---|
| S_PROGNAM | P_ACTION | BTCSUBMIT |
| S_PROGNAM | P_PROGNAM | /CELONIS/RP_BG_EXTRACT |

Basis - Central Functions - Applications log

| Object | Field | Activities/Values |
|---|---|---|
| S_APPL_LOG | ALG_OBJECT | /CELONIS/ |
| S_APPL_LOG | ALG_SUBOBJ | * |
| S_APPL_LOG | ACTVT | 06 |
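
A least-privilege check built on the tables above, given as an added example (not part of the Celonis documentation or the role file): it compares the values actually assigned to the extraction user's role against the documented baseline, and flags anything broader, as well as the two wildcards the notes say can be narrowed. The input format (object, field, value tuples), the function name and the sample rows are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Baseline copied from the CELONIS_EXTRACTION tables on this page.
BASELINE = {
    ("S_RFC", "ACTVT"): ["16"],
    ("S_RFC", "RFC_NAME"): ["/CELONIS/46C_EXTRACTION", "/CELONIS/CL_EXTRACTION",
        "/CELONIS/EXTRACTION", "/CELONIS/V2_CL_EXTRACTION", "/CELONIS/V2_EXTRACTION",
        "RFC1", "SDIFRUNTIME", "SDTX", "SRFC", "SYST", "SYSU"],
    ("S_RFC", "RFC_TYPE"): ["FUGR"],
    ("S_BTCH_JOB", "JOBACTION"): ["RELE"],
    ("S_BTCH_JOB", "JOBGROUP"): ["*"],
    ("S_DATASET", "ACTVT"): ["06", "33", "34"],
    ("S_DATASET", "FILENAME"): ["*"],
    ("S_DATASET", "PROGRAM"): ["/CELONIS/*"],
    ("S_TABU_DIS", "ACTVT"): ["03"],
    ("S_TABU_DIS", "DICBERCLS"): ["*"],
    ("S_PROGNAM", "P_ACTION"): ["BTCSUBMIT"],
    ("S_PROGNAM", "P_PROGNAM"): ["/CELONIS/RP_BG_EXTRACT"],
    ("S_APPL_LOG", "ALG_OBJECT"): ["/CELONIS/"],
    ("S_APPL_LOG", "ALG_SUBOBJ"): ["*"],
    ("S_APPL_LOG", "ACTVT"): ["06"],
}
# Fields whose '*' the notes on this page say can be replaced with a narrower value.
NARROWABLE = {("S_DATASET", "FILENAME"), ("S_TABU_DIS", "DICBERCLS")}

def audit_role(rows):
    """rows: iterable of (object, field, value). Returns a sorted list of findings."""
    findings = []
    for obj, field, value in rows:
        allowed = BASELINE.get((obj, field))
        if allowed is None:
            findings.append(("NOT_IN_BASELINE", obj, field, value))
        elif not any(fnmatchcase(value, pat) for pat in allowed):
            findings.append(("BROADER_THAN_BASELINE", obj, field, value))
        elif value == "*" and (obj, field) in NARROWABLE:
            findings.append(("WILDCARD_CAN_BE_NARROWED", obj, field, value))
    return sorted(findings)

# Constructed sample: role values as they might look after local edits.
SAMPLE_ROLE = [
    ("S_RFC", "RFC_NAME", "*"),                  # wider than the listed function groups
    ("S_DATASET", "FILENAME", "*"),              # default; can be the Z_CELONIS_TARGET path
    ("S_DATASET", "PROGRAM", "/CELONIS/RP_BG_EXTRACT"),  # covered by /CELONIS/*
    ("S_TABU_DIS", "ACTVT", "02"),               # baseline lists only 03
    ("S_TABU_DIS", "DICBERCLS", "ZCEL"),         # constructed authorisation group
    ("S_DEVELOP", "ACTVT", "03"),                # object not in the extraction role
]

print(*audit_role(SAMPLE_ROLE), sep="\n")
```

A value counts as covered only when a baseline entry matches it, so a wildcard such as `*` in RFC_NAME is reported as broader than the listed function groups rather than silently accepted.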