OAuth configuration 3 – Add authorization S_SCOPE to OAuth 2.0 client user

Published by Tobias Hofmann on

1 min read

SAP Help

The client user was created in the previous step. With this, the OAuth client app can log on to Gateway. In theory, this could be enough to allow access to the Gateway service. The client could now send an access token and its client secret to be authorized. As this is not secure enough, the client must not only authenticate itself (UIDPW or X509) but must also have the authorization to access the service with the given scope and client id.

The authorization object S_SCOPE is used for this. To enable the OAuth client user to act as an OAuth client, you must assign and configure the authorization object S_SCOPE. This is done by creating a new role, add S_SCOPE and assign the role to the user.

Create new role: ZOAUTHUSER


Create single role

Go to tab Authorization (confirm save role if needed)

Add and configure authorization object S_SCOPE

Select Change Authorization Data

A popup appears asking to select a template. Click on “Do not select templates” to cancel the popup.

Go to menu Utilities and select “Settings…”

Check “Show Technical Names”

S_SCOPE configuration

This adds the S_SCOPE authorization object.

Both the client and scope need to be configured.


Click the edit icon. A dialog will be shown:

In the field from, enter the OAuth client id: oidclient and save the change.


Click on the edit icon the configure the scope.



After adding S_SCOPE and configuring the OAuth client and scope, click on generate.


The authorization profile is now generated.

Assign user to profile

Go to tab users. Add user oidclient.

Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.