IBM Support

SAP security and deployment best practices for InfoSphere Information Server Pack for SAP BW 4.4

Detailed System Requirements


Abstract

The Pack requires specific authorizations for the technical SAP user. This document lists them and describes security best practices for the development, test, and production environments.

Content

Contents

Introduction
The SAP Pack authorization role templates
Mapping the SAP authorizations to development, test, and production environments
Stage-specific authorization details
BW Open Hub Extract Stage
BW Load Stage
BW 7.x Load Stage
 

Introduction

In projects where InfoSphere Information Server is used for data exchange with SAP, one or more technical SAP user accounts (user type Communications Data in classic SAP terminology) are needed for the DataStage® jobs to connect to the SAP system. The ETL development team therefore needs to work with the SAP Basis administrator to obtain user IDs for the SAP system with the appropriate permissions.
All user accounts and authorizations in SAP are maintained separately for each SAP client. An SAP client is an isolated partition of the system identified by a three-digit number. Every DataStage SAP connection operates on a given client, so all authorization rules must be applied to the correct SAP client as well.
User accounts in SAP are managed with transaction SU01. Figure 1 shows an example user properties view. Besides assigning basic properties such as the user name and password, you can also use this transaction to assign the authorization roles.

Figure 1. Authorization roles assigned to an SAP user



 

The authorization role templates

The Pack requires different authorizations depending on the stages you intend to use. These must be configured by an SAP Basis administrator. Suitable authorization role templates are provided with the SAP Pack as transport request files that can be imported directly into an SAP system.
The authorization roles provided with the Pack are composed of standard SAP authorizations where possible, but also contain authorizations configured specifically for use with the Pack. The roles are as follows:

/IBMIIS/DS-ADM-ALL
/IBMIIS/DS-DESIGN-ALL
/IBMIIS/DS-DESIGN-BWEXTRACT
/IBMIIS/DS-DESIGN-BWLOAD
/IBMIIS/DS-DESIGN-BWLOAD7X
/IBMIIS/DS-RUNTIME-ALL
/IBMIIS/DS-RUNTIME-BWEXTRACT
/IBMIIS/DS-RUNTIME-BWLOAD
/IBMIIS/DS-RUNTIME-BWLOAD7X

Notes:

  • /IBMIIS/DS-ADM-ALL is the composite role that includes all sub-roles for the design-time and the runtime authorizations.
  • /IBMIIS/DS-DESIGN-ALL is the composite design-time role that contains all sub-roles needed to create SAP BW Pack jobs. It can be used in a development environment where tasks like job design are performed.
  • /IBMIIS/DS-RUNTIME-ALL is the composite runtime role that contains only the sub-roles needed to run SAP BW Pack jobs. It is more restrictive and can be used in a production environment where only activities needed during the actual job run should be allowed.
  • For instructions on how to install the SAP transport request files containing the authorization roles, refer to this document.




Mapping the SAP authorizations to development, test, and production environments

On the development SAP system, DataStage jobs are designed and unit-tested. To perform these tasks, the technical SAP user needs design-time as well as runtime privileges for the stages to be used in the jobs to be developed.

The testing environment should simulate the production environment. On this system, the technical SAP user should be assigned only the runtime authorizations needed for the stages used in jobs that are to run in the production environment.

In the production environment, the most restrictive security policies are usually in place. As a result, only the absolutely necessary privileges should be granted to the technical SAP user, which means only the runtime authorizations needed for the stages used in the jobs running in production.
Detailed information on the different authorizations needed for each stage type at design and runtime can be found in the stage-specific sections below.


Stage-specific authorization details

The following sections contain information on the specific authorizations needed for each stage, depending on the respective phase in the life cycle of the DataStage job. Use it as a reference for the predefined roles provided with the SAP Pack or as a guide for customizing authorization roles according to your needs.
Use SAP transaction PFCG to create or modify an authorization role or to adjust the imported authorization roles.


BW Open Hub Extract Stage

Role /IBMIIS/DS-DESIGN-BWEXTRACT
The BW Open Hub Extract stage authorizations for designing jobs are shown in Table 1.

Table 1. BW Open Hub Extract stage authorizations for designing jobs

Authorizations for BW EXTRACT (DESIGN TIME)
Columns: Authorization class, Authorization object, Authorization object description; the indented lines below each object list its authorization fields and values.

AAAB  S_RFC_ADM   Administration for RFC Destination
        ACTVT       01
        ICF_VALUE   *
        RFCDEST     *
        RFCTYPE     T
AAAB  S_RFC       Authorization Check for RFC Access
        ACTVT       16
        RFC_NAME    *
        RFC_TYPE    FUGR
BC_A  S_ADMI_FCD  System Authorizations
        S_ADMI_FCD  PADM
BC_A  S_TABU_DIS  Table Maintenance (via standard tools such as SM30)
        ACTVT       03
        DICBERCLS   &NC&
BC_A  S_TABU_NAM  Table Access via Generic Standard tools
        ACTVT       03
        TABLE       RFCDES, RSBOHDEST
BC_Z  S_IDOCDEFT  WFEDI: S_IDOCDEFT - Access to IDoc Development
        ACTVT       01, 03
        EDI_CIM     *
        EDI_DOC     *
        EDI_TCD     WE30
RS    S_RS_ADMWB  Data Warehousing Workbench - Objects
        ACTVT       03, 23
        RSADMWBOBJ  INFOOBJECT, INFOPACKAG, SOURCESYS, WORKBENCH
RS    S_RS_DTP    Data Warehousing Workbench - Data Transfer Process
        ACTVT       *
        RSONDTPSRC  *
        RSONDTPTGT  *
        RSSTDTPSRC  *
        RSSTDTPTGT  *
        RSTLDTPSRC  *
        RSTLDTPTGT  DEST
RS    S_RS_OHDST  Data Warehousing Workbench - Open Hub Destination
        ACTVT       23
        RSOHDEST    *
        RSOHDTPART  DEFINITION
        RSOHLOGSYS  *
RS    S_RS_PC     Data Warehousing Workbench - Process Chains
        ACTVT       03
        RSPCAPPLNM  *
        RSPCCHAIN   *
        RSPCPART    *
RS    S_RS_TR     Data Warehousing Workbench - Transformation
        ACTVT       *
        RSOBJNMSRC  *
        RSOBJNMTGT  *
        RSSTTRSRC   *
        RSSTTRTGT   *
        RSTLOGOSRC  IOBJ, ISFS, RSDS, TRCS
        RSTLOGOTGT  DEST


Notes:

  • S_RFC_ADM: This authorization is needed only to create RFC destinations; an RFC destination is created when a source system is created.
  • S_IDOCDEFT: This authorization is required to activate the source system.
  • S_RS_ADMWB: This authorization object provides access to Data Warehousing Workbench objects such as INFOOBJECT, INFOPACKAGE, and SOURCESYSTEM.
  • S_RS_OHDST: With this authorization object, the SAP user can access an Open Hub Destination or InfoSpoke.


Role /IBMIIS/DS-RUNTIME-BWEXTRACT

The BW Open Hub Extract Stage authorizations for running jobs are shown in Table 2. Each process chain may have additional authorization requirements depending on the BW processes it contains; grant these according to the customer's security policy.

Table 2. BW Open Hub Extract Stage authorizations for running jobs

Authorizations for BW EXTRACT (RUNTIME)
Columns: Authorization class, Authorization object, Authorization object description; the indented lines below each object list its authorization fields and values.

AAAB  S_RFC       Authorization Check for RFC Access
        ACTVT       16
        RFC_NAME    *
        RFC_TYPE    FUGR, FUNC
AAAB  S_TCODE (only for BW 3.5)  Transaction Code Check at Transaction Start
        Transaction Code  RSBO_EXTRACT
BC_A  S_ADMI_FCD  System Authorizations
        S_ADMI_FCD  PADM
BC_A  S_BTCH_ADM  Background Processing: Background Administrator
        BTCADMI     *
BC_A  S_BTCH_JOB  Background Processing: Operations on Background Jobs
        JOBACTION   *
        JOBGROUP    *
BC_A  S_TABU_DIS  Table Maintenance (via standard tools such as SM30)
        ACTVT       03
        DICBERCLS   BWC, SS
BC_A  S_TABU_NAM  Table Access via Generic Standard tools
        ACTVT       03
        TABLE       RFCDES, RSBOHDEST
RS    S_RS_DTP    Data Warehousing Workbench - Data Transfer Process
        ACTVT       *
        RSONDTPSRC  *
        RSONDTPTGT  *
        RSSTDTPSRC  *
        RSSTDTPTGT  *
        RSTLDTPSRC  *
        RSTLDTPTGT  *
RS    S_RS_PC     Data Warehousing Workbench - Process Chains
        ACTVT       03, 16, 23
        RSPCAPPLNM  *
        RSPCCHAIN   *
        RSPCPART    *
RS    S_RS_TR     Data Warehousing Workbench - Transformation
        ACTVT       *
        RSOBJNMSRC  *
        RSOBJNMTGT  *
        RSSTTRSRC   *
        RSSTTRTGT   *
        RSTLOGOSRC  IOBJ, ISFS, RSDS, TRCS
        RSTLOGOTGT  DEST
RS    S_RS_IOMAD (only for BW 3.5)  Administrator Workbench - Maintain Master Data
        Activity               *
        Application Component  *
        InfoArea               *
        InfoObject             *


Notes:

  • S_RFC: This authorization object is required to call certain remote-enabled SAP function modules, such as RSB_API_OHS_DEST_READ_DATA.
  • S_TCODE: This object grants authorization for a transaction code. It is required only on SAP BW 3.5 systems.
  • S_ADMI_FCD: This authorization object is used to monitor the background job; the API RSPC_API_CHAIN_START uses it to monitor the process chain.
  • S_BTCH_ADM: This authorization object is used to manage the background jobs.
  • S_BTCH_JOB: This authorization object is used to manage the background jobs.
  • S_TABU_DIS: This authorization object is required for reading table contents (using RFC_READ_TABLE).
  • S_TABU_NAM: This authorization object is required to read the contents of the specific tables named in the authorization field TABLE.
  • S_RS_DTP: This authorization object is required to work with the data transfer process (DTP).
  • S_RS_PC: This authorization object is required to work with the process chain.
  • S_RS_TR: This authorization object is required to work with the transformations.
  • S_RS_IOMAD: This authorization object is required for working with process chains and other objects. It is required only on SAP BW 3.5 systems, which do not have S_RS_DTP, S_RS_PC, and S_RS_TR.
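The following Python script is an added example; it is not code from the IBM document or from the SAP Pack. It encodes a subset of the authorization values from Table 1 (/IBMIIS/DS-DESIGN-BWEXTRACT) and Table 2 (/IBMIIS/DS-RUNTIME-BWEXTRACT) and evaluates them the way an SAP AUTHORITY-CHECK does (every requested field must be satisfied by a single authorization; '*' is a wildcard and a comma-separated list is a set of permitted values). This lets an administrator confirm the development, test, and production mapping described earlier before assigning roles in SU01: the runtime role can call the remote-enabled function module and start a process chain as the notes above describe, but cannot create RFC destinations, and a design-time role assigned on a production client is reported as a finding. The role names and authorization values are taken from the page; ENV_POLICY, the helper names, the process chain name, and the sample user assignments are assumptions made for this example.

```python
"""Added example; not code from the IBM document or the SAP Pack.

Models a subset of the authorization values from Table 1
(/IBMIIS/DS-DESIGN-BWEXTRACT) and Table 2 (/IBMIIS/DS-RUNTIME-BWEXTRACT)
and evaluates them the way an SAP AUTHORITY-CHECK does, so the
development/test/production mapping can be verified before roles are
assigned. ENV_POLICY, the helper names and the sample assignments are
assumptions made for this example.
"""
from fnmatch import fnmatchcase

DESIGN = "/IBMIIS/DS-DESIGN-BWEXTRACT"
RUNTIME = "/IBMIIS/DS-RUNTIME-BWEXTRACT"

# role -> authorization object -> field -> value string, as listed on the page.
# SAP conventions: '*' is a wildcard; a comma-separated list is a set of
# permitted values. Only the objects used by the checks below are included.
ROLES = {
    DESIGN: {
        "S_RFC_ADM": {"ACTVT": "01", "ICF_VALUE": "*", "RFCDEST": "*", "RFCTYPE": "T"},
        "S_RFC": {"ACTVT": "16", "RFC_NAME": "*", "RFC_TYPE": "FUGR"},
        "S_TABU_DIS": {"ACTVT": "03", "DICBERCLS": "&NC&"},
        "S_TABU_NAM": {"ACTVT": "03", "TABLE": "RFCDES, RSBOHDEST"},
        "S_IDOCDEFT": {"ACTVT": "01, 03", "EDI_CIM": "*", "EDI_DOC": "*", "EDI_TCD": "WE30"},
        "S_RS_PC": {"ACTVT": "03", "RSPCAPPLNM": "*", "RSPCCHAIN": "*", "RSPCPART": "*"},
    },
    RUNTIME: {
        "S_RFC": {"ACTVT": "16", "RFC_NAME": "*", "RFC_TYPE": "FUGR, FUNC"},
        "S_BTCH_ADM": {"BTCADMI": "*"},
        "S_BTCH_JOB": {"JOBACTION": "*", "JOBGROUP": "*"},
        "S_TABU_DIS": {"ACTVT": "03", "DICBERCLS": "BWC, SS"},
        "S_TABU_NAM": {"ACTVT": "03", "TABLE": "RFCDES, RSBOHDEST"},
        "S_RS_PC": {"ACTVT": "03, 16, 23", "RSPCAPPLNM": "*", "RSPCCHAIN": "*", "RSPCPART": "*"},
    },
}

# Assumed policy derived from the mapping section: design-time roles belong
# on the development system only; test and production get runtime roles only.
ENV_POLICY = {"DEV": {DESIGN, RUNTIME}, "TEST": {RUNTIME}, "PROD": {RUNTIME}}


def value_matches(allowed, actual):
    """Match one requested value against an authorization value string."""
    return any(fnmatchcase(actual, pattern.strip()) for pattern in allowed.split(","))


def authority_check(roles, obj, **fields):
    """True if one of the roles grants obj with every requested field satisfied.

    As with AUTHORITY-CHECK, all fields must be satisfied by a single
    authorization; field values are never combined across roles.
    """
    for role in roles:
        auth = ROLES[role].get(obj)
        if auth and all(
            field in auth and value_matches(auth[field], value)
            for field, value in fields.items()
        ):
            return True
    return False


def audit_assignments(env, assignments):
    """Return one finding per role assignment that exceeds the environment policy.

    assignments are (client, user, role) tuples. A real review would take
    them from a role-assignment export; the ones used below are constructed.
    The client is part of the record because SAP authorizations are per client.
    """
    return [
        f"{env} client {client}: user {user} holds {role}, which is not permitted in {env}"
        for client, user, role in assignments
        if role not in ENV_POLICY[env]
    ]


if __name__ == "__main__":
    prod_roles = [RUNTIME]
    # The production user may call the Open Hub read API (RFC_TYPE FUNC) ...
    print(authority_check(prod_roles, "S_RFC", ACTVT="16", RFC_TYPE="FUNC",
                          RFC_NAME="RSB_API_OHS_DEST_READ_DATA"))  # True
    # ... and execute a process chain (ACTVT 16; chain name is constructed) ...
    print(authority_check(prod_roles, "S_RS_PC", ACTVT="16", RSPCCHAIN="ZBW_OHD_LOAD"))  # True
    # ... but cannot create RFC destinations (design-time only).
    print(authority_check(prod_roles, "S_RFC_ADM", ACTVT="01", RFCTYPE="T"))  # False
    # Constructed assignment list in which a design role has leaked into production.
    sample = [("100", "DS_BW_PRD", RUNTIME), ("100", "DS_BW_PRD", DESIGN)]
    for finding in audit_assignments("PROD", sample):
        print(finding)
```

The check deliberately evaluates each authorization on its own rather than merging field values across roles, because that is how SAP evaluates them; a user who holds both roles still only passes a check that one of the roles satisfies completely. Extending ROLES with the remaining objects from Tables 1 to 6 turns the script into a quick pre-assignment review for all three stages.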



BW Load Stage

Role /IBMIIS/DS-DESIGN-BWLOAD

The BW Load stage authorizations for designing jobs are shown in Table 3.

Table 3. BW Load stage authorizations for designing jobs

Authorizations for BW LOAD STAGE (DESIGN TIME)
Columns: Authorization class, Authorization object, Authorization object description; the indented lines below each object list its authorization fields and values.

AAAB  S_RFC_ADM   Administration for RFC Destination
        ACTVT       01
        ICF_VALUE   *
        RFCDEST     *
        RFCTYPE     *
AAAB  S_RFC       Authorization Check for RFC Access
        ACTVT       16
        RFC_NAME    *
        RFC_TYPE    FUGR
BC_A  S_ADMI_FCD  System Authorizations
        S_ADMI_FCD  PADM
BC_Z  S_IDOCDEFT  WFEDI: S_IDOCDEFT - Access to IDoc Development
        ACTVT       01, 03
        EDI_CIM     *
        EDI_DOC     *
        EDI_TCD     WE30
RS    S_RS_ADMWB  Data Warehousing Workbench - Objects
        ACTVT       03, 23
        RSADMWBOBJ  INFOOBJECT, INFOPACKAG, SOURCESYS, WORKBENCH
RS    S_RS_ISOUR  Data Warehousing Workbench - InfoSource (3.x, flex. update)
        ACTVT       03, 23, 49
        RSAPPLNM    *
        RSISOURCE   *
        RSISRCOBJ   DEFINITION, INFOPACKAG, METADATA, TRNSFRRULE
RS    S_RS_ISRCM  Data Warehousing Workbench - InfoSource (3.x, direct update)
        ACTVT       03, 23, 49
        RSAPPLNM    *
        RSISRCOBJ   DEFINITION, INFOPACKAG, METADATA, TRNSFRRULE
        RSOSOURCE   *


Notes:

  • S_RS_ISOUR: This authorization object is required to work with the InfoSource (flexible update).
  • S_RS_ISRCM: This authorization object is required to work with the InfoSource (direct update).
  • S_IDOCDEFT: This authorization is required to activate the source system.

Role /IBMIIS/DS-RUNTIME-BWLOAD

The BW Load stage authorizations for running jobs are shown in Table 4.

Table 4. BW Load stage authorizations for running jobs

Authorizations for BW LOAD STAGE (RUNTIME)
Columns: Authorization class, Authorization object, Authorization object description; the indented lines below each object list its authorization fields and values.

AAAB  S_RFC       Authorization Check for RFC Access
        ACTVT       16
        RFC_NAME    *
        RFC_TYPE    FUGR
BC_A  S_TABU_DIS  Table Maintenance (via standard tools such as SM30)
        ACTVT       03
        DICBERCLS   SS
BC_A  S_BTCH_JOB  Background Processing: Operations on Background Jobs
        JOBACTION   RELE
        JOBGROUP    ' '
BC_A  S_ADMI_FCD  System Authorizations
        S_ADMI_FCD  PADM
RS    S_RS_ISOUR  Data Warehousing Workbench - InfoSource (3.x, flex. update)
        ACTVT       03, 23, 49
        RSAPPLNM    *
        RSISOURCE   *
        RSISRCOBJ   *
RS    S_RS_ISRCM  Data Warehousing Workbench - InfoSource (3.x, direct update)
        ACTVT       03, 23, 49
        RSAPPLNM    *
        RSISRCOBJ   *
        RSOSOURCE   *
RS    S_RS_ADMWB  Data Warehousing Workbench - Objects
        ACTVT       03, 23
        RSADMWBOBJ  INFOOBJECT, INFOPACKAG, SOURCESYS

Note:

  • S_TABU_DIS: This authorization object is required for reading table contents (using RFC_READ_TABLE).



BW 7.x Load Stage

Role /IBMIIS/DS-DESIGN-BWLOAD7X

This role is intended for the design of BW 7.x Load jobs. The authorizations are shown in Table 5.

Table 5. BW load 7x stage authorizations for designing jobs

Authorizations for BW 7.X LOAD STAGE (DESIGN TIME)
Columns: Authorization class, Authorization object, Authorization object description; the indented lines below each object list its authorization fields and values.

AAAB  S_RFC_ADM   Administration for RFC Destination
        ACTVT       01
        ICF_VALUE   *
        RFCDEST     *
        RFCTYPE     *
AAAB  S_RFC       Authorization Check for RFC Access
        ACTVT       16
        RFC_NAME    *
        RFC_TYPE    FUGR
BC_A  S_ADMI_FCD  System Authorizations
        S_ADMI_FCD  PADM
BC_Z  S_IDOCDEFT  WFEDI: S_IDOCDEFT - Access to IDoc Development
        ACTVT       01, 03
        EDI_CIM     *
        EDI_DOC     *
        EDI_TCD     WE30
RS    S_RS_ADMWB  Data Warehousing Workbench - Objects
        ACTVT       03, 23
        RSADMWBOBJ  INFOOBJECT, INFOPACKAG, SOURCESYS, WORKBENCH
RS    S_RS_DS     Data Warehousing Workbench - DataSource
        ACTVT       03, 23
        RSDS        *
        RSDSPART    DEFINITION, INFOPACKAG
        RSLOGSYS    *


Notes:

  • S_RS_DS: This authorization object is required to work with the DataSource.
  • S_IDOCDEFT: This authorization is required to activate the source system.


Role /IBMIIS/DS-RUNTIME-BWLOAD7X

This role is intended for running BW 7.x Load jobs.

Table 6. BW 7.x Load stage authorizations for running jobs

Authorizations for BW 7.X LOAD STAGE (RUNTIME)
Columns: Authorization class, Authorization object, Authorization object description; the indented lines below each object list its authorization fields and values.

AAAB  S_RFC       Authorization Check for RFC Access
        ACTVT       16
        RFC_NAME    *
        RFC_TYPE    FUGR
BC_A  S_ADMI_FCD  System Authorizations
        S_ADMI_FCD  PADM
BC_A  S_BTCH_JOB  Background Processing: Operations on Background Jobs
        JOBACTION   RELE
        JOBGROUP    ' '
BC_A  S_BTCH_ADM  Background Processing: Background Administrator
        BTCADMI     Y
RS    S_RS_DS     Data Warehousing Workbench - DataSource
        ACTVT       03, 23, 49
        RSDS        *
        RSDSPART    DATA, DEFINITION, INFOPACKAG
        RSLOGSYS    *
RS    S_RS_ADMWB  Data Warehousing Workbench - Objects
        ACTVT       03, 23
        RSADMWBOBJ  INFOOBJECT, INFOPACKAG, SOURCESYS




Document Information

Modified date:
20 September 2021

UID

ibm16486877