Permissions

The table below lists the required K2 permissions and System permissions per K2 connect for SAP tasks.

Task	K2 Permissions	System Permissions	Comments
Install	K2 Service Account	db_owner, SysAdmin	The K2 Service Account must be part of the Local Administrators group. Two folders are written to by the server and require write permissions: C:\Program Files\K2 connect\Configuration C:\Program Files\K2 connect\Service The system permissions can be changed to reader/write after the installation is complete.
Developer	Domain Account, Cached credentials in K2 Workspace		Read and Write Access must be granted to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\SourceCode\ connect\Configuration\SqlConnectionString
Database Rights for K2 connect Server		db_owner, Create
K2 Server Rights on K2 connect database	db_datareader
Developer connecting to K2 connect database using Visual Studio		Execute	SelectServersAll FrameworkConfigurationSelectedByServerID ClusterServersSelectAssigned DeveloperConfigurationSelectByHostID DeveloperFunctionFilterSelectByHostID ConnectorsSelectedByHostID ClusterServersSelectedHostID DestinationClassesSelectedByConnectorID ComponentTemplateSelectByHostID DestinationClassesSelectByConnectorID ApplicationServersSelectByHostID DestinationsSelectByDestinationClassID DestinationSettingsSelectByDestinationID ConnectorsMetaDataSelect iNetCoordinatorsSelectByHostID DestinationsSelect DestinationClassesSelect ConnectorsSelect DeveloperFunctionFilterInsert
Access to SAP			Setting permissions and access to SAP is the role of the SAP Administrator and not a K2 connect function. Contact your SAP Administrator.
Stop or Start K2 connect Server		Stop and Start rights on Windows Services	In distributed environments, developers must have stop and start rights on the remote server.

SAP User Types and Permissions

SAP has several user types available and each is used for a different purpose, more information is available at http://help.sap.com/saphelp_nw70ehp2/helpdata/en/3d/3272396ace5534e10000000a11405a/frameset.htm. Two of these user types can be used with K2 connect, either the Dialog or Communication user type. Below is a summary of the tasks to the related permissions.

Task	General Authority Objects
To establish a connection.	S_RFC RFC_TYPE=FUGR ;RFC_NAME=SYST ;ACTVT=16 ; S_RFC RFC_TYPE=FUGR ;RFC_NAME=RFC1 ;ACTVT=16 ;
	Transaction
Use Transaction Class	S_RFC RFC_TYPE=FUGR ;RFC_NAME=SDTX ;ACTVT=16 ; S_RFC RFC_TYPE=FUGR ;RFC_NAME=SDIFRUNTIME ;ACTVT=16 ; S_ADMI_FCD S_ADMI_FCD=NADM;
	Tables
Read Tables from SAP	S_RFC RC=0 RFC_TYPE=FUGR ;RFC_NAME=SDTX ;ACTVT=16 ; S_TABU_DIS RC=0 RFC_TYPE=FUGR ;RFC_NAME=SDIFRUNTIME ;ACTVT=16 ; S_ADMI_FCD S_ADMI_FCD=NADM;
Look up tables and table meta data	S_RFC RFC_TYPE=FUGR ;RFC_NAME=SDTX ;ACTVT=16 ; S_RFC RFC_TYPE=FUGR ;RFC_NAME=SDIFRUNTIME ;ACTVT=16 ; S_TABU_DIS ACTVT=03 ;DICBERCLS=&NC& ;
Separate authority check for each table to read	S_RFC C RFC_TYPE=FUGR ;RFC_NAME=SDTX ;ACTVT=16 ; S_RFC C RFC_TYPE=FUGR ;RFC_NAME=SDIFRUNTIME ;ACTVT=16; S_TABU_DIS ACTVT=03 ;DICBERCLS=XXXX ; S_TABU_NAM ACTVT = 03; TABLE = DD02V Where XXXX is the Authority Group for the table. To find out which authority group belongs to which table, look at table TDDAT (e.g. with SE16). If the table is not listed there, the authority group is &NC&. For authorizing specific tables use authorization object S_TABU_NAM instead of S_TABU_DIS.
Custom functions	If Custom functions like Z_XTRACT_IS_TABLE_COMPRESSION, Z_XTRACT_IS_TABLE or Z_XTRACT_IS_TABLE_JOIN are used, then use: S_RFC C RFC_TYPE=FUGR ;RFC_NAME=XXXX ;ACTVT=16 ; Where XXXX is the name of the function group where the custom function module is located.