How to Configure Emails for Use in SAP Access Control

SAP Access Control utilizes the default SAP email engine for sending and receiving messages.


However, similar to SAP ERP and SAP S/4HANA, an external email infrastructure is required to set up the mail configuration. The figure below shows an overview of how SMTP within SAP communicates with the external SMTP server.


SAP SMTP Communication Channel with External SMTP


An external SMTP server acts as a SMTP server between SAP and the receiver. This server is the email server used to send emails. You can use the official SMTP server of your enterprise (i.e.,


Since SAP Access Control uses workflows, you must set up the email configuration.


We’ll cover the following high-level steps in greater detail in the following sections:

  1. Open the port for SMTP.
  1. Maintain the RZ10 profile parameters for the SMTP service or maintain it in Transaction SMICM.
  1. Create a system user for receiving emails.
  1. Configure the SMTP service.
  1. Configure the SMTP server and the outbound and inbound flows.
  1. Set up SMTP jobs. 

Opening a Simple Mail Transfer Protocol Port

SMTP is the basic standard that mail servers use to send email to one another across the Internet. SMTP email relies on domain names and Internet addresses to know where to send messages. However, these network addresses use specific port numbers. The first step in configuring the SMTP service is to open the port number. Your IT infrastructure team should be contacted to open the port and assign it to the SMTP service.


Maintaining RZ10 Profile Parameters for the Simple Mail Transfer Protocol Service

The ICM parameter for SMTP should be added to the RZ10 profile parameters by following these steps:

  1. Execute Transaction RZ10.
  1. Choose Instance profile from the available profiles and select the Extended maintenance radio button under Edit Profile, as shown in this figure. 

Profile Maintenance

  1. Click the New Entries button.
  1. Add an entry for SMTP. The parameter to be added is “icm/server_port_<no>” with value “PROT=SMTP, PORT=<port no which is opened for SMTP>, TIMEOUT=<time out value>, PROCTIMEOUT=<Process Timeout value>”. An example is shown below. 

ICM Configuration for an SMTP Port

  1. Click Save to save these changes to the instance profile.
  1. If prompted to activate the profile, click Yes, and the activation information screen will be displayed. 

Note: It is required to restart the SAP system to load the profile parameter values. As an alternative, to proceed with the configuration, the ports can be configured in the Transaction SMICM.


Creating a System User for Receiving Emails

For SMTP communication purposes, a dedicated ID is required. Create one user ID of the system type by following these steps:

  1. Execute Transaction SU01.
  1. Enter a user ID of the system type in the User field (e.g., “SMTPUSER”).
  1. Under the Profiles tab, assign the profile S_A.SCON from Transaction SU01, as shown below. 

SMTPUSER ID with Profile Assignment


Note: You may assign additional authorizations as required.

  1. Click the Save icon to save the user ID.
  1. Make sure all users in the SAP Access Control system have an email address assigned under the Address tab, as shown in this figure.3

Transaction SU01: Address Data Screen for a User


Configuring the Simple Mail Transfer Protocol Service

To configure the SMTP service, follow these steps:

  1. Execute Transaction SICF.
  1. Click the Services icon.
  1. Find the SAPconnect service, as shown in this figure. 

SAP Connect Service

  1. Right-click the SAPconnect service and choose Display SMTP host.
  1. Click the Edit button.
  1. Check that the virtual SMTP server is configured, as shown below.

Checking the SMTP Configuration under the Host Data Tab


Note: The value of the Profile Parameter No. field must be the same as the value maintained in RZ10 profile parameter IS/HTTP/VIRT_HOST_#.

  1. Click the Logon Data tab and maintain the Client, User, and Password fields, using the SMTPUSER ID created in the previous step, as shown in this figure.

Logon Data Maintenance

  1. Select the Handler List tab. In the Handler column, make sure that class CL_SMTP_EXT_ SAPCONNECT has been maintained, as shown below. 

SMTP Class Handler

  1. Click Save to save these changes and then right-click the SAPconnect service again and select Activate SMTP Host to activate the service, as shown in this figure.

Activation of SMTP Host from Transaction SICF 


Configuring the Simple Mail Transfer Protocol Server Inbound/Outbound Flow

Once the SICF service is activated successfully, the next step is to configure the SMTP server and outbound and inbound flow by following these steps:

  1. Log on to SAP Access Control system.
  1. Execute Transaction SCOT.
  1. Click Settings _ Default domain or press (Ctrl)+(Shift)+(F9) to set the default domain, as shown in the below figure. 

Default Domain Maintenance


Note: Ensure that the domain maintained on this screen matches the email domain of the users (as maintained in Transaction SU01, under the Address tab).

  1. Click OK.
  1. Set up the outgoing SMTP server, as shown in the next figure. Enter “SMTP” in the Node field, provide a description, and maintain the Mail Host and Mail Post fields. Click OK. 

Note: The Mail Host and Mail Port fields must be maintained.


SMTP Outgoing Configuration

  1. Select the Internet checkbox and click the Set icon to set the address type.
  1. In the address areas, insert the valid format of email addresses. When you enter “*” the node will accept every email address. 

Setting Up Simple Mail Transfer Protocol Jobs

Now, the node is configured to accept outgoing emails. What is missing is a job that picks up the emails from the outgoing queue and sends them.


To create a job that will send the queued messages, follow these steps:

  1. Click the Job menu and choose Create or press (Ctrl)+(F8).
  1. Enter the Job name and click OK.
  1. Select SAP&CONNECTALL or SAP&CONNECTINT for sending internet email.
  1. Click Start immediately to start the job to run immediately. Alternatively, the job can be scheduled to run at defined intervals. Click the Schedule button and schedule a job. The recommended interval is 1 minute.

Editor’s note: This post has been adapted from a section of the book SAP Access Control: The Comprehensive Guide by Raghu Boddu.


SAP Access Control: The Comprehensive Guide
SAP Access Control: The Comprehensive Guide

Manage on-premise user access with this comprehensive guide to SAP Access Control. Begin with step-by-step installation and configuration instructions. Then implement key SAP Access Control modules, including access risk analysis, emergency access management, and access request management. Learn to manage business roles, review user access, evaluate segregation of duties risks, and configure automation workflows. This is your all-in-one guide to SAP Access Control!

Learn More

SAP PRESS is the world's leading SAP publisher, with books on ABAP, SAP S/4HANA, SAP CX, intelligent technologies, SAP Business Technology Platform, and more!