Permissions required for installing the required transports
Replicate for SAP delivers its own authorization object: ZR4SAP
. In addition to this authorization object, there are additional authorizations that need to be enabled for the Data Movement gateway software.
SAP users for Data Movement gateway for SAP Extractors
A dialog user in SAP is required to access the Data Movement gateway for SAP Extractor GUI in SAP. In addition, a communication user is required to support the RFC calls from the Data Movement gateway software to the SAP system.
Identify existing users in SAP or create dedicated users for the Data Movement gateway software.
Data Movement gateway for SAP delivers its own authorization object: /QTQVC/RAO.
The authorization object /QTQVC/RAO can be turned on to enable/disable specific authorizations below according to the needs of the Data Movement gateway user:
Authorizations for Data Movement gateway for SAP Extractors
The SAP system needs to be open to create the logical system. This is done using SAP Transaction /nSCC4.
Make sure the Changes and Transports for Client-Specific Objects for the Source Client is set to Automatic Recording of Changes or Changes without Automatic Recording.
All clients need to be opened for Cross-Client Object Changes. Creating a Logical Client is a cross-client change that cannot be captured in a transport. It only needs to be open for a minute when the target logical system is created.
Make sure the Transaction /nSE06 System Change Option > Global Setting is set to Modifiable (During Logical System creation and activation of Extractors).
Administration User
SAP Authorizations for Administrator Role for initial setup of the logical system and activation of the extractors within /QTQVC/EXTREP.
Authorizations required for Administrator:
Creating the RFC.
Instead of *, RFCDEST can have the name of the logical system, which is completely configurable to the customer’s preference.
Creating the IDocs for sending to Replicate.
Creating the ZQLIK* programs and tables during activation of the extractors.
Maintaining table information during activation and table updates.
Access to tables to check data and update as needed.
Adding ZQLIK*-created tables to a transport.
Administering transports.
RFC Communications User
This user is needed to be used when setting up the SAP for Extractors endpoint in Replicate. It can be set as a COM user as there is no need for dialog access. Optionally you can create one dialog user ID with both the Communication user and Administration user access.
Authorizations required for RFC Communications User and Administration User:
Sending and receiving of IDocs via RFC connection to Replicate.
Access to the RFC communication protocol for the connection to Replicate.
Access to the main QTQVC transactions and security checks.
Access for trace features for the SQL functionality.
Executing the datasources during run time to extract the data from SAP.
Administrating jobs in the background as scheduled by Replicate.
Processing jobs in the background as scheduled by Replicate.
Sending internal SAP messages during the extract process.
Executing functions inside the /QTQVC/* namespace to support the SQL functionality.
Viewing tables inside the /QTQVC/* namespace to support the SQL functionality.
Program authorization for Qlik programs.
SQL Connector Authorizations
Qlik provides two roles that contain the necessary authorizations. You can assign different roles to different users, depending on need, or both roles can be assigned to one user.
- The QTQVCADMIN role is required for users who perform Qlik transactions in the SAP GUI.
- The QTQVCACCESS role is used by a connector back-end user who performs extraction jobs from Qlik.
For information on adding and testing these permissions, see SAP SQL Connector user configuration.