In order to verify that the SAP user is granted all the necessary permissions, check the following. Using a browser, navigate to the SAP ODATA service URL like http(s)://your-solman-host:port/sap/opu/odata/sap/AI_SYSMON_OVERVIEW_SRV/SystemListSet?$format=xml - the browser will prompt for username/password (HTTP basic auth). Use the SAP user that is supposed to be used in Splunk. In case if you see a valid XML response starting with <feed ...> tag, then the permissions are correct. In case if you get HTTP 403 Forbidden, then the permissions are incorrect and additional configuration is required on SAP side.
The most straightforward way to get started in a DEV environment is to assign SAP_ALL role to the user within SAP. However, this is a security risk since this grants all SAP capabilities (not just the ones related to ODATA service access). So this approach must not be used for production.
For production setup, check the fine grained authorization object setup Authorization Objects Overview. Also check section Front-End Server and Back-End Server: Assign OData Service Authorizations to Users in App Implementation: Monitor Systems
In case if for some reason the user still can not access the ODATA service, use the SU53 transaction on SAP side to troubleshoot the failed authorization check.
... View more