MetricSign
Medium severity | data source

Power BI Refresh Error:
DF-SAPODP-NoAuthForFunctionModule

What does this error mean?

The SAP user account used by the ADF linked service does not have authorization to execute the RFC function module that the ODP connector calls to initiate data extraction.

Common causes

  • The SAP user account lacks the S_RFC authorization object for the specific function module called by the ODP connector
  • A recent SAP security hardening or role change removed RFC execution permissions from the ADF user
  • The SAP role assigned to the ADF user was designed for dialog access but not for RFC/background execution
  • The ODP-specific function groups (RODPS_*) are not included in the user's authorization profile

How to fix it

  1. Ask the SAP Basis team to run transaction SU53 immediately after a failed ADF pipeline run — this shows the last failed authorization check for the ADF user, including the exact function module and authorization object.
  2. The SAP user needs S_RFC authorization with ACTVT=16 (Execute) and RFC_NAME matching the ODP function groups (RODPS_REPL, RODPS_OS, and related groups).
  3. Have the SAP Basis team add the missing authorization to the user's role and run a profile generation in transaction SU01 or PFCG.
  4. After the role is updated, retry the pipeline — no restart of ADF or the IR is required for authorization changes.
  5. If the error persists after the role update, check SU53 again to see if there is a second missing authorization.
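
As an added example (not part of the original page, and not SAP or Microsoft tooling), the following Python check compares a role's S_RFC authorizations against the function groups named in step 2 and also reports grants that are wider than the connector needs. The input layout, the sample role and all function names are assumptions for illustration; only literal values and trailing-* patterns are handled.

```python
# Added example: verify that S_RFC grants cover the ODP function groups.
# Function groups named on this page; its "related groups" are not listed there.
REQUIRED_GROUPS = ["RODPS_REPL", "RODPS_OS"]
EXECUTE = "16"  # ACTVT value for Execute, as stated on this page

# Constructed sample: S_RFC authorizations of a hypothetical ADF role,
# one dict per authorization instance (layout is an assumption).
SAMPLE_ROLE = [
    {"ACTVT": ["16"], "RFC_NAME": ["RODPS_REPL"]},
    {"ACTVT": ["03"], "RFC_NAME": ["RODPS_OS"]},  # not Execute, so it does not count
]


def value_covers(value, name):
    """Match one field value against a name (literal or trailing-* pattern only)."""
    if value.endswith("*"):
        return name.startswith(value[:-1])
    return value == name


def grants_execute(auth, group):
    """True if this authorization instance allows executing the function group."""
    can_execute = any(value_covers(v, EXECUTE) for v in auth["ACTVT"])
    names_group = any(value_covers(v, group) for v in auth["RFC_NAME"])
    return can_execute and names_group


def check_s_rfc(auths, required=REQUIRED_GROUPS):
    """Return the required groups not covered, and grants broader than needed."""
    missing = [g for g in required
               if not any(grants_execute(a, g) for a in auths)]
    # A bare "*" in RFC_NAME with Execute allows every RFC function module.
    too_broad = [a for a in auths
                 if "*" in a["RFC_NAME"]
                 and any(value_covers(v, EXECUTE) for v in a["ACTVT"])]
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    print(check_s_rfc(SAMPLE_ROLE))
```

Both conditions must hold within the same authorization instance, which is why the second sample entry does not satisfy the RODPS_OS requirement.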

Frequently asked questions

What authorization objects does the ADF SAP ODP user need?

Required objects: S_RFC with ACTVT=16 for ODP function groups (RODPS_REPL, RODPS_OS); S_BSKEY for BW DataSources; plus extractor-specific objects. Run SU53 after a failed run to see the exact missing authorization.

How is this different from AuthInvalid?

AuthInvalid means the credentials were rejected — the user could not log in. NoAuthForFunctionModule means the user logged in but lacks authorization for a specific RFC function module. The problem is authorization, not authentication.

Can I use SU53 to diagnose this without waiting for the next ADF run?

SU53 shows the last failed authorization check for a user — it only updates on failure. Trigger a failed ADF run first, then immediately check SU53 for the ADF user account in SAP.

Will downstream Power BI datasets be affected?

Yes — every run fails without loading data. The dependent dataset will show stale data that grows more out of date with each missed run.

Official documentation: https://learn.microsoft.com/en-us/azure/data-factory/data-flow-troubleshoot-guide
