Question & Answer
Question
What are the authorization requirements and security best practices for the Pack for SAP BW?
Answer
Contents
The SAP Pack authorization role templates
Mapping the SAP authorizations to development, test, and production environments
Stage-specific authorization details
BW Open Hub Extract Stage
BW Load Stage
BW 7.x Load Stage
Version 4.3.3.1 updates to authorization requirements
Introduction
In projects where InfoSphere Information Server is used for data exchange with SAP, one or more technical SAP user accounts are needed for the DataStage® jobs to connect to the SAP system. The ETL development team therefore needs to work with the SAP basis administrator to obtain user IDs for the SAP system with the appropriate permissions.
All user accounts and authorizations in SAP are maintained separately for each SAP client. An SAP client is an isolated partition of the system identified by a three-digit number. All DataStage SAP connections operate on a given client, so all authorization rules need to be applied to the correct SAP client as well.
User accounts in SAP are managed using transaction SU01. Figure 1 shows an example user properties view. In addition to assigning basic properties such as the user name and password, you can also use this transaction to assign the authorization roles.
Figure 1. Authorization roles assigned to an SAP user
The authorization role templates
The Pack requires different authorizations depending on the stages you intend to use. These need to be configured appropriately by an SAP basis administrator. Appropriate authorization role templates are provided with the SAP Pack. The role templates are made available as transport request files that can be directly imported into an SAP system.
The authorization roles provided with the Pack are composed of standard SAP authorizations where possible, but also contain authorizations specifically configured for use with the Pack.
The authorization roles provided with the Pack are as follows:
- Z-DS-ADM-ALL
- Z-DS-DESIGN-ALL
- Z-DS-DESIGN-BWEXTRACT
- Z-DS-DESIGN-BWLOAD
- Z-DS-DESIGN-BWLOAD7X
- Z-DS-RUNTIME-ALL
- Z-DS-RUNTIME-BWEXTRACT
- Z-DS-RUNTIME-BWLOAD
- Z-DS-RUNTIME-BWLOAD7X
Notes:
- Z-DS-ADM-ALL is the composite role that includes all sub-roles for the design-time and the runtime authorizations.
- Z-DS-DESIGN-ALL is the composite design-time role that contains all sub-roles needed to create SAP BW Pack jobs. It can be used in a development environment where tasks like job design are performed.
- Z-DS-RUNTIME-ALL is the composite runtime role that contains only the sub-roles needed to run SAP BW Pack jobs. It is more restrictive and can be used in a production environment where only activities needed during the actual job run should be allowed.
Installing the SAP transport files
For instructions on how to install the SAP transport request files containing the authorization roles, refer to technote 2007064.
Mapping the SAP authorizations to development, test, and production environments
On the development SAP system, DataStage jobs are designed and unit-tested. To perform these tasks, the technical SAP user needs design-time as well as runtime privileges for the stages to be used in the jobs to be developed.
The testing environment should simulate the production environment. On this system, the technical SAP user should be assigned only the runtime authorizations needed for the stages used in jobs that are to run in the production environment.
In the production environment, the most restrictive security policies are usually in place. As a result, only the absolutely necessary privileges should be granted to the technical SAP user, which means only the runtime authorizations needed for the stages used in the jobs running in production.
Detailed information on the different authorizations needed for each stage type at design and runtime can be found in the stage-specific sections below.
Stage-specific authorization details
The following sections contain information on the specific authorizations needed for each stage, depending on the respective phase in the life cycle of the DataStage job. Use it as a reference for the predefined roles provided with the SAP Pack or as a guide for customizing authorization roles according to your needs.
Use SAP transaction PFCG to create or modify an authorization role or to adjust the imported authorization roles.
BW Open Hub Extract Stage
Role Z-DS-DESIGN-BWEXTRACT
The BW Open Hub Extract stage authorizations for designing jobs are shown in Table 1.
Table 1. BW Open Hub Extract stage authorizations for designing jobs (BW EXTRACT, design time)
Authorization Class | Authorization object | Authorization Object Description | Authorization field | Authorization value
AAAB | S_RFC_ADM | Administration for RFC Destination | ACTVT | 01
AAAB | S_RFC_ADM | | ICF_VALUE | *
AAAB | S_RFC_ADM | | RFCDEST | *
AAAB | S_RFC_ADM | | RFCTYPE | T
AAAB | S_RFC | Authorization Check for RFC Access | ACTVT | 16
AAAB | S_RFC | | RFC_NAME | *
AAAB | S_RFC | | RFC_TYPE | FUGR
BC_A | S_ADMI_FCD | System Authorizations | S_ADMI_FCD | PADM
BC_Z | S_IDOCDEFT | WFEDI: S_IDOCDEFT - Access to IDoc Development | ACTVT | 01, 03
BC_Z | S_IDOCDEFT | | EDI_CIM | *
BC_Z | S_IDOCDEFT | | EDI_DOC | *
BC_Z | S_IDOCDEFT | | EDI_TCD | WE30
RS | S_RS_ADMWB | Data Warehousing Workbench - Objects | ACTVT | 03, 23
RS | S_RS_ADMWB | | RSADMWBOBJ | INFOOBJECT, INFOPACKAG, SOURCESYS, WORKBENCH
RS | S_RS_DTP | Data Warehousing Workbench - Data Transfer Process | ACTVT | *
RS | S_RS_DTP | | RSONDTPSRC | *
RS | S_RS_DTP | | RSONDTPTGT | *
RS | S_RS_DTP | | RSSTDTPSRC | *
RS | S_RS_DTP | | RSSTDTPTGT | *
RS | S_RS_DTP | | RSTLDTPSRC | *
RS | S_RS_DTP | | RSTLDTPTGT | DEST
RS | S_RS_OHDST | Data Warehousing Workbench - Open Hub Destination | ACTVT | 23
RS | S_RS_OHDST | | RSOHDEST | *
RS | S_RS_OHDST | | RSOHDTPART | DEFINITION
RS | S_RS_OHDST | | RSOHLOGSYS | *
RS | S_RS_PC | Data Warehousing Workbench - Process Chains | ACTVT | 03
RS | S_RS_PC | | RSPCAPPLNM | *
RS | S_RS_PC | | RSPCCHAIN | *
RS | S_RS_PC | | RSPCPART | *
RS | S_RS_TR | Data Warehousing Workbench - Transformation | ACTVT | *
RS | S_RS_TR | | RSOBJNMSRC | *
RS | S_RS_TR | | RSOBJNMTGT | *
RS | S_RS_TR | | RSSTTRSRC | *
RS | S_RS_TR | | RSSTTRTGT | *
RS | S_RS_TR | | RSTLOGOSRC | IOBJ, ISFS, RSDS, TRCS
RS | S_RS_TR | | RSTLOGOTGT | DEST
Notes:
- S_RFC_ADM: This authorization is needed only to create RFC destinations; an RFC destination is created when a source system is created.
- S_IDOCDEFT: This authorization is required to activate the source system.
- S_RS_ADMWB: This authorization object grants access to Data Warehousing Workbench objects such as InfoObjects, InfoPackages and source systems.
- S_RS_OHDST: This authorization object grants the SAP user access to the Open Hub Destination (InfoSpoke).
Role Z-DS-RUNTIME-BWEXTRACT
The BW Open Hub Extract Stage authorizations for running jobs are shown in Table 2.
Table 2. BW Open Hub Extract stage authorizations for running jobs (BW EXTRACT, runtime)
Authorization Class | Authorization object | Authorization Object Description | Authorization field | Authorization value
AAAB | S_RFC | Authorization Check for RFC Access | ACTVT | 16
AAAB | S_RFC | | RFC_NAME | RFC1, RSB3RD, RSPC, SDIFRUNTIME, SDTX, SYST, RSPC_API
AAAB | S_RFC | | RFC_TYPE | FUGR
AAAB | S_TCODE (BW 3.5 only) | Transaction Code Check at Transaction Start | Transaction Code | RSBO_EXTRACT
BC_A | S_ADMI_FCD | System Authorizations | S_ADMI_FCD | PADM
BC_A | S_BTCH_ADM | Background Processing: Background Administrator | BTCADMIN | *
BC_A | S_BTCH_JOB | Background Processing: Operations on Background Jobs | JOBACTION | *
BC_A | S_BTCH_JOB | | JOBGROUP | *
BC_A | S_TABU_DIS | Table Maintenance (via standard tools such as SM30) | ACTVT | 03
BC_A | S_TABU_DIS | | DICBERCLS | SS
RS | S_RS_DTP | Data Warehousing Workbench - Data Transfer Process | ACTVT | *
RS | S_RS_DTP | | RSONDTPSRC | *
RS | S_RS_DTP | | RSONDTPTGT | *
RS | S_RS_DTP | | RSSTDTPSRC | *
RS | S_RS_DTP | | RSSTDTPTGT | *
RS | S_RS_DTP | | RSTLDTPSRC | *
RS | S_RS_DTP | | RSTLDTPTGT | *
RS | S_RS_PC | Data Warehousing Workbench - Process Chains | ACTVT | 03, 16, 23
RS | S_RS_PC | | RSPCAPPLNM | *
RS | S_RS_PC | | RSPCCHAIN | *
RS | S_RS_PC | | RSPCPART | *
RS | S_RS_TR | Data Warehousing Workbench - Transformation | ACTVT | *
RS | S_RS_TR | | RSOBJNMSRC | *
RS | S_RS_TR | | RSOBJNMTGT | *
RS | S_RS_TR | | RSSTTRSRC | *
RS | S_RS_TR | | RSSTTRTGT | *
RS | S_RS_TR | | RSTLOGOSRC | IOBJ, ISFS, RSDS, TRCS
RS | S_RS_TR | | RSTLOGOTGT | DEST
RS | S_RS_IOMAD (BW 3.5 only) | Administrator Workbench - Maintain Master Data | Activity | *
RS | S_RS_IOMAD (BW 3.5 only) | | Application Component | *
RS | S_RS_IOMAD (BW 3.5 only) | | InfoArea | *
RS | S_RS_IOMAD (BW 3.5 only) | | InfoObject | *
Notes:
- S_RFC: This authorization object is required to call the remote-enabled function modules used by the stage, such as RSB_API_OHS_DEST_READ_DATA.
- S_TCODE: This object grants authorization for the transaction code. It is required only on SAP BW 3.5 systems.
- S_ADMI_FCD: This authorization object is used to monitor the background job; the API RSPC_API_CHAIN_START uses it to monitor the process chain.
- S_BTCH_ADM: This authorization object is used to manage the background jobs.
- S_BTCH_JOB: This authorization object is used to manage the background jobs.
- S_TABU_DIS: This authorization object is required for reading table contents (using RFC_READ_TABLE).
- S_RS_DTP: This authorization object is required to work with the data transfer process (DTP).
- S_RS_PC: This authorization object is required to work with the process chain.
- S_RS_TR: This authorization object is required to work with the transformations.
- S_RS_IOMAD: This authorization object is required for working with the process chain and other objects. It is required only on SAP BW 3.5 systems, because that release does not have the S_RS_DTP, S_RS_PC and S_RS_TR objects.
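The environment mapping above says the production user should carry only the runtime authorizations for the stages actually used, and Table 2 lists exactly what the BW Open Hub Extract stage needs at runtime. The following added example (not part of this technote or of the SAP Pack) turns that into a least-privilege check: it compares a technical user's granted authorization values against the Table 2 requirements and reports what is missing, where a wildcard was granted although the role only needs an explicit list, and which design-time-only objects (S_RFC_ADM and S_IDOCDEFT from Table 1) have leaked into a production user. The input format (user;object;field;value), the user name DS_BW_PRD and the matching rules (`*` matches anything, a trailing `*` matches a prefix, otherwise exact match) are simplifications constructed for the example; a real check would read the user's authorization data from the SAP system.

```python
"""Least-privilege check of a technical SAP user against the Pack's runtime
role for the BW Open Hub Extract stage.

Added example, not code from the IBM technote or from the SAP Pack.  The
required values below are transcribed from Table 2 of the technote (BW 3.5
only objects omitted).  The export format and sample user are constructed.
"""

# (object, field) -> set of required values, from Table 2 (runtime, BW EXTRACT)
REQUIRED_RUNTIME_BWEXTRACT = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"RFC1", "RSB3RD", "RSPC", "SDIFRUNTIME",
                            "SDTX", "SYST", "RSPC_API"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_ADMI_FCD", "S_ADMI_FCD"): {"PADM"},
    ("S_BTCH_ADM", "BTCADMIN"): {"*"},
    ("S_BTCH_JOB", "JOBACTION"): {"*"},
    ("S_BTCH_JOB", "JOBGROUP"): {"*"},
    ("S_TABU_DIS", "ACTVT"): {"03"},
    ("S_TABU_DIS", "DICBERCLS"): {"SS"},
    ("S_RS_DTP", "ACTVT"): {"*"},
    ("S_RS_PC", "ACTVT"): {"03", "16", "23"},
    ("S_RS_PC", "RSPCCHAIN"): {"*"},
    ("S_RS_TR", "ACTVT"): {"*"},
    ("S_RS_TR", "RSTLOGOSRC"): {"IOBJ", "ISFS", "RSDS", "TRCS"},
    ("S_RS_TR", "RSTLOGOTGT"): {"DEST"},
}

# Objects that Table 1 needs at design time but Table 2 does not need at
# runtime: a production user should not carry them.
DESIGN_TIME_ONLY = {"S_RFC_ADM", "S_IDOCDEFT"}

# Constructed sample export: user;object;field;value (hypothetical format).
SAMPLE_GRANTS = """\
# user;object;field;value
DS_BW_PRD;S_RFC;ACTVT;16
DS_BW_PRD;S_RFC;RFC_NAME;*
DS_BW_PRD;S_RFC;RFC_TYPE;FUGR
DS_BW_PRD;S_RFC_ADM;ACTVT;01
DS_BW_PRD;S_ADMI_FCD;S_ADMI_FCD;PADM
DS_BW_PRD;S_BTCH_ADM;BTCADMIN;*
DS_BW_PRD;S_BTCH_JOB;JOBACTION;*
DS_BW_PRD;S_BTCH_JOB;JOBGROUP;*
DS_BW_PRD;S_TABU_DIS;ACTVT;03
DS_BW_PRD;S_TABU_DIS;DICBERCLS;SS
DS_BW_PRD;S_RS_DTP;ACTVT;*
DS_BW_PRD;S_RS_PC;ACTVT;03
DS_BW_PRD;S_RS_PC;ACTVT;23
DS_BW_PRD;S_RS_PC;RSPCCHAIN;*
DS_BW_PRD;S_RS_TR;ACTVT;*
DS_BW_PRD;S_RS_TR;RSTLOGOSRC;IOBJ
DS_BW_PRD;S_RS_TR;RSTLOGOSRC;RS*
DS_BW_PRD;S_RS_TR;RSTLOGOTGT;DEST
"""


def parse_grants(text, user):
    """Collect the granted values of one user as {(object, field): set(values)}."""
    grants = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        uname, obj, field, value = line.split(";")
        if uname == user:
            grants.setdefault((obj, field), set()).add(value)
    return grants


def covers(granted, required):
    """Simplified SAP value matching: '*' matches all, 'RS*' matches a prefix."""
    for g in granted:
        if g == "*" or g == required:
            return True
        if g.endswith("*") and required.startswith(g[:-1]):
            return True
    return False


def check_runtime_user(grants, required=REQUIRED_RUNTIME_BWEXTRACT):
    """Report missing values, over-broad wildcards and design-time-only objects."""
    missing, overbroad = [], []
    for (obj, field), values in required.items():
        granted = grants.get((obj, field), set())
        for value in sorted(values):
            if not covers(granted, value):
                missing.append((obj, field, value))
        # A granted '*' where the role only needs an explicit list widens access.
        if "*" in granted and "*" not in values:
            overbroad.append((obj, field))
    excess = sorted({obj for (obj, _field) in grants if obj in DESIGN_TIME_ONLY})
    return {"missing": missing, "overbroad": overbroad, "excess_design_time": excess}


def sample_report():
    """Run the check on the constructed sample user."""
    return check_runtime_user(parse_grants(SAMPLE_GRANTS, "DS_BW_PRD"))


if __name__ == "__main__":
    for kind, findings in sample_report().items():
        print(f"{kind}: {findings}")
```

On the sample user the check finds that S_RS_PC is missing activity 16 and RSTLOGOSRC lacks ISFS and TRCS (the job would fail at runtime), that RFC_NAME was granted as `*` instead of the seven function groups Table 2 lists, and that the design-time object S_RFC_ADM is present on a production user. The same structure serves the other runtime roles by transcribing Tables 4 and 6 into a second requirements dictionary.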
BW Load Stage
Role Z-DS-DESIGN-BWLOAD
The BW Load stage authorizations for designing jobs are shown in Table 3.
Table 3. BW Load stage authorizations for designing jobs (BW LOAD STAGE, design time)
Authorization Class | Authorization object | Authorization Object Description | Authorization field | Authorization value
AAAB | S_RFC_ADM | Administration for RFC Destination | ACTVT | 01
AAAB | S_RFC_ADM | | ICF_VALUE | *
AAAB | S_RFC_ADM | | RFCDEST | *
AAAB | S_RFC_ADM | | RFCTYPE | *
AAAB | S_RFC | Authorization Check for RFC Access | ACTVT | 16
AAAB | S_RFC | | RFC_NAME | *
AAAB | S_RFC | | RFC_TYPE | FUGR
BC_A | S_ADMI_FCD | System Authorizations | S_ADMI_FCD | PADM
BC_Z | S_IDOCDEFT | WFEDI: S_IDOCDEFT - Access to IDoc Development | ACTVT | 01, 03
BC_Z | S_IDOCDEFT | | EDI_CIM | *
BC_Z | S_IDOCDEFT | | EDI_DOC | *
BC_Z | S_IDOCDEFT | | EDI_TCD | WE30
RS | S_RS_ADMWB | Data Warehousing Workbench - Objects | ACTVT | 03, 23
RS | S_RS_ADMWB | | RSADMWBOBJ | INFOOBJECT, INFOPACKAG, SOURCESYS, WORKBENCH
RS | S_RS_ISOUR | Data Warehousing Workbench - InfoSource (3.x, flex. update) | ACTVT | 03, 23, 49
RS | S_RS_ISOUR | | RSAPPLNM | *
RS | S_RS_ISOUR | | RSISOURCE | *
RS | S_RS_ISOUR | | RSISRCOBJ | DEFINITION, INFOPACKAG, METADATA, TRNSFRRULE
RS | S_RS_ISRCM | Data Warehousing Workbench - InfoSource (3.x, direct update) | ACTVT | 03, 23, 49
RS | S_RS_ISRCM | | RSAPPLNM | *
RS | S_RS_ISRCM | | RSISRCOBJ | DEFINITION, INFOPACKAG, METADATA, TRNSFRRULE
RS | S_RS_ISRCM | | RSOSOURCE | *
Notes:
- S_RS_ISOUR: This authorization object is required to work with the InfoSource (flexible update).
- S_RS_ISRCM: This authorization object is required to work with the InfoSource (direct update).
- S_IDOCDEFT: This authorization is required to activate the source system.
Role Z-DS-RUNTIME-BWLOAD
The BW Load stage authorizations for running jobs are shown in Table 4.
Table 4. BW Load stage authorizations for running jobs (BW LOAD STAGE, runtime)
Authorization Class | Authorization object | Authorization Object Description | Authorization field | Authorization value
AAAB | S_RFC | Authorization Check for RFC Access | ACTVT | 16
AAAB | S_RFC | | RFC_NAME | *
AAAB | S_RFC | | RFC_TYPE | FUGR
BC_A | S_TABU_DIS | Table Maintenance (via standard tools such as SM30) | ACTVT | 03
BC_A | S_TABU_DIS | | DICBERCLS | SS
BC_A | S_BTCH_JOB | Background Processing: Operations on Background Jobs | JOBACTION | RELE
BC_A | S_BTCH_JOB | | JOBGROUP | ' '
BC_A | S_ADMI_FCD | System Authorizations | S_ADMI_FCD | PADM
RS | S_RS_ISOUR | Data Warehousing Workbench - InfoSource (3.x, flex. update) | ACTVT | 03, 23, 49
RS | S_RS_ISOUR | | RSAPPLNM | *
RS | S_RS_ISOUR | | RSISOURCE | *
RS | S_RS_ISOUR | | RSISRCOBJ | *
RS | S_RS_ISRCM | Data Warehousing Workbench - InfoSource (3.x, direct update) | ACTVT | 03, 23, 49
RS | S_RS_ISRCM | | RSAPPLNM | *
RS | S_RS_ISRCM | | RSISRCOBJ | *
RS | S_RS_ISRCM | | RSOSOURCE | *
RS | S_RS_ADMWB | Data Warehousing Workbench - Objects | ACTVT | 03, 23
RS | S_RS_ADMWB | | RSADMWBOBJ | INFOOBJECT, INFOPACKAG, SOURCESYS
Notes:
- S_TABU_DIS: This authorization object is required for reading table contents (using RFC_READ_TABLE).
BW 7.x Load Stage
Role Z-DS-DESIGN-BWLOAD7X
This role is intended for the design of BW 7.x Load jobs. The authorizations are shown in Table 5.
Table 5. BW 7.x Load stage authorizations for designing jobs (BW 7.X LOAD STAGE, design time)
Authorization Class | Authorization object | Authorization Object Description | Authorization field | Authorization value
AAAB | S_RFC_ADM | Administration for RFC Destination | ACTVT | 01
AAAB | S_RFC_ADM | | ICF_VALUE | *
AAAB | S_RFC_ADM | | RFCDEST | *
AAAB | S_RFC_ADM | | RFCTYPE | *
AAAB | S_RFC | Authorization Check for RFC Access | ACTVT | 16
AAAB | S_RFC | | RFC_NAME | *
AAAB | S_RFC | | RFC_TYPE | FUGR
BC_A | S_ADMI_FCD | System Authorizations | S_ADMI_FCD | PADM
BC_Z | S_IDOCDEFT | WFEDI: S_IDOCDEFT - Access to IDoc Development | ACTVT | 01, 03
BC_Z | S_IDOCDEFT | | EDI_CIM | *
BC_Z | S_IDOCDEFT | | EDI_DOC | *
BC_Z | S_IDOCDEFT | | EDI_TCD | WE30
RS | S_RS_ADMWB | Data Warehousing Workbench - Objects | ACTVT | 03, 23
RS | S_RS_ADMWB | | RSADMWBOBJ | INFOOBJECT, INFOPACKAG, SOURCESYS, WORKBENCH
RS | S_RS_DS | Data Warehousing Workbench - DataSource | ACTVT | 03, 23
RS | S_RS_DS | | RSDS | *
RS | S_RS_DS | | RSDSPART | DEFINITION, INFOPACKAG
RS | S_RS_DS | | RSLOGSYS | *
Notes:
- S_RS_DS: This authorization object is required to work with the DataSource.
- S_IDOCDEFT: This authorization is required to activate the source system.
Role Z-DS-RUNTIME-BWLOAD7X
This role is intended for running BW 7.x Load jobs. The authorizations are shown in Table 6.
Table 6. BW 7.x Load stage authorizations for running jobs (BW 7.X LOAD STAGE, runtime)
Authorization Class | Authorization object | Authorization Object Description | Authorization field | Authorization value
AAAB | S_RFC | Authorization Check for RFC Access | ACTVT | 16
AAAB | S_RFC | | RFC_NAME | *
AAAB | S_RFC | | RFC_TYPE | FUGR
BC_A | S_ADMI_FCD | System Authorizations | S_ADMI_FCD | PADM
BC_A | S_BTCH_JOB | Background Processing: Operations on Background Jobs | JOBACTION | RELE
BC_A | S_BTCH_JOB | | JOBGROUP | ' '
BC_A | S_BTCH_ADM | Background Processing: Background Administrator | BTCADMIN | Y
RS | S_RS_DS | Data Warehousing Workbench - DataSource | ACTVT | 03, 23, 49
RS | S_RS_DS | | RSDS | *
RS | S_RS_DS | | RSDSPART | DATA, DEFINITION, INFOPACKAG
RS | S_RS_DS | | RSLOGSYS | *
RS | S_RS_ADMWB | Data Warehousing Workbench - Objects | ACTVT | 03, 23
RS | S_RS_ADMWB | | RSADMWBOBJ | INFOOBJECT, INFOPACKAG, SOURCESYS
Version 4.3.3.1 updates to authorization requirements
As of version 4.3.3.1, the following additional authorization is required.
Role Z-DS-RUNTIME-BWEXTRACT
Table 7. Additional BW Open Hub Extract stage authorization for running jobs (BW EXTRACT, runtime)
Authorization Class | Authorization object | Authorization Object Description | Authorization field | Authorization value
AAAB | S_RFC | Authorization Check for RFC Access | ACTVT | 16
AAAB | S_RFC | | RFC_NAME | SGWY, SUGU
AAAB | S_RFC | | RFC_TYPE | FUGR
Document Information
Modified date:
16 June 2018
UID
swg21992251