Example
You want to execute a service on Integration Server that retrieves sales order data from an SAP system. This service is protected by an ACL. The Integration Server user 'Sales' is registered in this ACL and is allowed to execute the service. If you map the certificate to the user 'Sales', your SAP user can also execute the service. In addition, the SAP user must be authorized to execute the function modules of the corresponding function group.
To restrict the rights of the SAP logon users, create specific user accounts in the SAP system with the minimum necessary set of authorizations. For instance, if Adapter for SAP is used as a pure RFC-Server, it performs only very few function callbacks to the calling SAP system. These callbacks are needed to determine the function interface specification. For this purpose, it is sufficient to use an SAP logon user with authorization for the following SAP standard function groups: RFC1, SDIF, SG00, SRFC.
If this user is also to be used to call other application interfaces, add the respective function groups to the authorization list. Add this authorization to the standard authorization object 'S_RFC' and create an authorization profile that contains only this authorization. When creating the SAP user, you can then assign this profile to it. For more details on authorization for SAP users, refer to the SAP documentation.
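One way to check that an S_RFC authorization stays within the function groups listed above (an added example, not part of the product documentation or of any SAP tool). The dict layout is an assumed, hand-transcribed copy of the authorization's RFC_TYPE, RFC_NAME and ACTVT field values, and the function name, sample data and the group ZSALES are constructed for illustration.

```python
# Function groups the page lists as sufficient for a pure RFC-Server logon user.
BASELINE = frozenset({"RFC1", "SDIF", "SG00", "SRFC"})
EXECUTE = "16"  # S_RFC ACTVT value for "Execute"


def audit_s_rfc(authorizations, extra_allowed=()):
    """Compare S_RFC field values with the allowed function groups.

    authorizations: list of dicts (assumed layout) with RFC_TYPE (str),
    RFC_NAME (list of str) and ACTVT (list of str).
    Returns sorted lists under: wildcards, excess, other, missing.
    """
    allowed = BASELINE | {g.upper() for g in extra_allowed}
    report = {"wildcards": set(), "excess": set(), "other": set()}
    granted = set()
    for auth in authorizations:
        rfc_type = auth["RFC_TYPE"].upper()
        for actvt in auth["ACTVT"]:
            if "*" in actvt:
                report["wildcards"].add(f"ACTVT={actvt}")
            elif actvt != EXECUTE:
                report["other"].add(f"ACTVT={actvt}")  # review by hand
        if "*" in rfc_type:
            report["wildcards"].add(f"RFC_TYPE={rfc_type}")
        elif rfc_type != "FUGR":
            report["other"].add(f"RFC_TYPE={rfc_type}")  # not a function-group grant
        for name in (n.upper() for n in auth["RFC_NAME"]):
            if "*" in name:  # any pattern can match groups outside the list
                report["wildcards"].add(f"RFC_NAME={name}")
            elif rfc_type == "FUGR" and name not in allowed:
                report["excess"].add(name)
            elif rfc_type == "FUGR":
                granted.add(name)
    report["missing"] = BASELINE - granted  # callbacks need all four groups
    return {key: sorted(values) for key, values in report.items()}


# Constructed sample inputs (not taken from a real system).
MINIMAL = [{"RFC_TYPE": "FUGR", "RFC_NAME": ["RFC1", "SDIF", "SG00", "SRFC"], "ACTVT": ["16"]}]
TOO_BROAD = [
    {"RFC_TYPE": "FUGR", "RFC_NAME": ["RFC1", "SRFC", "ZSALES"], "ACTVT": ["16"]},
    {"RFC_TYPE": "FUNC", "RFC_NAME": ["*"], "ACTVT": ["16"]},
]

if __name__ == "__main__":
    for label, auths in (("minimal", MINIMAL), ("too broad", TOO_BROAD)):
        print(label, audit_s_rfc(auths))
```

Pass the additional function groups a user legitimately needs through extra_allowed so that only unplanned grants are reported as excess.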