Configure roles and authorizations for the OAuth user

Release version: Australia

Updated May 12, 2026

1 minute to read

Create a role in SAP and assign the required authorization objects to the OAuth system user to support OData service access and background job execution for integration with the Software Asset Management application.

Before you begin

The OAuth client must be configured in SAP before assigning roles to the OAuth user. See Configure an OAuth client in SAP.

SAP Role required: SAP Basis administrator

About this task

Use transaction code PFCG to create a role and assign the authorization objects that grant the OAuth user access to OData services, background job scheduling, and OAuth scope management.

Procedure

Open transaction code PFCG in your SAP system.
Enter a role name in the Role field and select Create Single Role.
For example, OAUTH_ROLE.
Add authorization object S_SERVICE and select the external service name TADIR Service in the Type field.
Add authorization object S_BTCH_ADM and select the N (No Administrator Authorization) option in the Activities field.
Add authorization object S_BTCH_JOB, select RELE (Release Jobs) in the Activities field, and leave the JOBGROUP field empty.
Add authorization object S_SCOPE and enter * in the Activities field.
Add authorization object S_PROGNAM and the following values in the corresponding fields.
- P_ACTION — BTCSUBMIT
- P_PROGNAM — /NOW/SAMP_USER_PROG_BCKJOB_RUN
Save the role and assign it to the OAuth system user.
For example, OAUTH_USER.

Result

The OAuth user has the required authorizations to access OData services, run background jobs, and manage OAuth scopes for the integration.

What to do next

Create an OAuth 2.0 SAP connection on your ServiceNow instance. For more information, see Establish an SAP connection using OAuth 2.0.