Firstly, let me explain the common customer scenario using the old (mySAP 2.0) Adapter (NOTE - points in red and green below highlight the similarities/differences in configuration):
Now, here's what the user would do when using the new WCF SAPBinding.
As you can see, the SAPBinding requires a more privileged account, since it is doing something extra as compared to the older adapter.You can get it to work with a low privileged account, by making it do the same thing as the older adapter. Here's how:
Yay! Its working now!
However, note that in configurations where you set ReceiveIdocFormat to String and then use the FlatFile Pipeline component to convert the FlatFile IDoc to a strongly typed XML, such configurations won't work when you are receiving IDocs containing multi-byte characters, from non-Unicode systems. (Why? That's a different (and really long) blog post altogether. It has to do with limitations in the RFC SDK Unicode Library.)
Hence, we recommend, that as far as possible, you set ReceiveIdocFormat to Typed in your runtime configuration, which makes the Adapter hand out the IDoc as a strongly-typed XML, without requiring the FlatFile Pipeline Component.
As for the extra permissions required in order to call IDOCTYPE_READ_COMPLETE, the authorization object required is:
Authorisation object S_IDOCDEFT. Fields:EDI_TCD, value 'WE30'ACTVT, value - 03EDI_DOC, value * (or the specific IDOCTYP)EDI_CIM, value * (or the specific Extension)