SAP Security Objects
SAP authorizations that are required for AE SAP Jobs depend on your particular installation and the functions you use in the AE. This topic lists all the authorization objects that are necessary for the system user to provide maximum functionality.
Tips:
- Create your authorizations according to your own naming conventions.
- To use minimal AE functionality, provide your RFC user with a user profile that contains the authorization object S_BTCH_JOB. It must contain the standard authorization S_BTCH_ALL, or an authorization where the fields are filled in as follows:
  - Activities in jobs: DELE, PLAN, PROT, RELE, SHOW
  - Summarizing jobs for a group: *
Overview of SAP Authorization Objects
The following list requires sound knowledge of SAP authorization concepts:
- S_RFC
  Connection to AE: When the profile parameter auth/rfc_authority_check is set, SAP checks if the RFC user is allowed to call the given function group.
  Field names: ACTVT, RFC_NAME, RFC_TYPE
  Value: *
- S_BTCH_JOB
  Batch Processing: Operations on batch jobs
  Connection to AE: The AE creates SAP jobs dynamically and needs the authorization to plan, monitor, and release jobs. In addition, the AE creates jobs to process BDC sessions, thereby using the standard RSBDCBTC ABAP program.
  Field names: JOBACTION, JOBGROUP
  Value: *
- S_BTCH_ADM
  Background Processing: Background Administrator
  Connection to AE: To run existing SAP jobs, the AE must change the respective jobs. The AE and standard interfaces use the standard function module BP_JOB_MODIFY to run jobs. Batch-administrator authorization is required. This type of authorization is also required for retrieving the spool list of a job if the SAP system user is not the job creator.
  Important! S_BTCH_ADM allows the client-independent selection of existing jobs. If the AE JCL statement R3_ACTIVATE_JOBS is processed with an SAP system user who has this type of authorization, the AE may start jobs in several SAP clients, depending on the specified selection criteria (such as the same job name in two SAP clients).
  Field name: BTCADMIN
  Value: Y
- S_BTCH_NAM
  Connection to AE: To create and run jobs for any other SAP user, the system user must be authorized to specify the user name.
  Field name: BTCUNAME
  Value: *
- S_SPO_DEV
  Spooler: Device Authorization
  Connection to AE: To specify the printing parameter 'print immediately' within a job step, the system user must be authorized to access the corresponding printing device.
  Field name: SPODEVICE
  Value: *
- S_TMS_ACT
  Connection to AE: To transfer the cover page of a spool list back to the AE, it is helpful to see the parameters of the variant that was used to run the ABAP. This information is part of the cover page.
  Field names: STMSACTION, STMSOBJECT, STMSOWNER
  Value: *
- S_XMI_PROD
  Connection to AE: This object is used to log on to the standard interface. Before calling functions of an external interface, the external application has to log on to the interface.
  Field names: EXTCOMPANY, EXTPRODUCT, INTERFACE
  Value: *
- S_XMI_LOG
  Connection to AE: Not necessary for the AE, but if you use the standard interface, entries into the XMI log are created (Online Transaction Code RZ15). This authorization is required to view them or to clear the log.
  Field name: n/a
  Value: n/a
- S_WFAR_OBJ
  ArchiveLink Authorizations for accessing documents
  Connection to AE: The AE allows archive parameters such as the object type, document type, etc. to be specified. Therefore, you can immediately transfer the printing list of an ABAP program. Doing so is only useful if an optical archive system is installed for the SAP system.
  Field names: ACTVT, OAARCHIV, OADOCUMENT, OAOBJEKTE
  Value: *
- S_WFAR_PRI
  ArchiveLink Authorizations for accessing print lists
  Connection to AE: To create printing lists within an optical archive, the SAP system user must have the relevant authorization.
  Field names: ACTVT, OAARCHIV, OADOKUMENT, OAOBJEKTE, PROGRAM
  Value: *
- S_PROGRAM
  ABAP: Program run checks
  Connection to AE: The AE requires this authorization object to schedule ABAP programs that are assigned to authorization groups (authorization field P_ACTION = BTCSUBMIT), and to manage variants (authorization field P_ACTION = VARIANT). Authorization for SUBMIT is required for the communication user for the S_PROGRAM object, in addition to BTCSUBMIT & VARIANT (R3_GET_JOB_SPOOL). For more information, see SAP note 2269032.
  Field names:
  - P_ACTION
    Values: BTCSUBMIT, VARIANT, SUBMIT
  - P_GROUP
    Value: *
- S_SPO_ACT
  Spool: Actions
  Connection to AE: To transfer spool lists that were not created by the SAP system user, the SPOACTION field has to allow the BASE and DISP actions for the corresponding users.
  Field names:
  - SPOACTION
    Values: BASE, DISP
  - SPOAUTH
    Value: *
- S_ADMI_FCD
  System Authorizations
  Connection to AE: To transfer spool lists that were not created by the SAP system user, the S_ADMI_FCD field has to allow at least the SP0R action.
  Field name: S_ADMI_FCD
  Value: SP0R
- S_RS_ISOUR
  Administrator Workbench - InfoSource (Flexible Update)
  Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_INFOPACKAGE and Flexible Update are used.
  Field names: ACTVT, RSAPPLNM, RSISOURCE, RSISRCOBJ
  Value: *
- S_RS_ISOUR
  Administrator Workbench - InfoSource (Direct Update)
  Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_INFOPACKAGE and Direct Update are used.
  Field names: ACTVT, RSAPPLNM, RSISOURCE, RSISRCOBJ
  Value: *
- S_DEVELOP
  ABAP Workbench
  Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_CHAIN is used.
  Field names: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, P_GROUP
  Value: *
- S_RS_ICUBE
  Administrator Workbench - InfoCube
  Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_CHAIN is used.
  Field names: ACTVT, RSICUBEOBJ, RSINFOAREA, RSINFOCUBE
  Value: *
- S_RS_ADMWB
  Administrator Workbench - Objects
  Connection to AE: Only required if the Business Warehouse Functions are used.
  Field names: ACTVT, RSADMWBOBJ
  Value: *
- S_RS_DS
  Connection to AE: Only required if the Business Warehouse Functions are used.
- S_RS_DTP
  Connection to AE: Only required if the Business Warehouse Functions are used.
- S_RS_ODSO
  Connection to AE: Only required if the Business Warehouse Functions are used.
- S_RS_PC
  Connection to AE: Only required if the Business Warehouse Functions are used.
- S_RZL_ADM
  Connection to AE: Releasing intercepted jobs (RemoteTaskManager, R3_activate_intercepted_jobs)
  Field name: ACTVT
  Value: 01
- S_TABU_DIS
  For using SAP Forms, see Forms View on the Process Page.
  Field names:
  - ACTVT
    Value: 03
  - DICBERCLS
    Value: SPFL
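
Because the required objects depend on the AE functions you use, a role built for the AE system user can be checked against only the objects those functions need. The following is an added example, not part of the product documentation: it audits a constructed role export against a subset of the list above. The feature labels and the role data structure are assumptions made for illustration.

```python
# Added example. Object names, fields and values come from the list above;
# the feature labels (keys of FEATURES) are illustrative, not AE settings.
BASELINE = {  # minimal AE functionality, per the Tips section
    "S_BTCH_JOB": {"JOBACTION": {"DELE", "PLAN", "PROT", "RELE", "SHOW"},
                   "JOBGROUP": {"*"}},
}
FEATURES = {
    "run_existing_jobs": {"S_BTCH_ADM": {"BTCADMIN": {"Y"}}},
    "foreign_spool": {"S_SPO_ACT": {"SPOACTION": {"BASE", "DISP"}, "SPOAUTH": {"*"}},
                      "S_ADMI_FCD": {"S_ADMI_FCD": {"SP0R"}}},
    "intercepted_jobs": {"S_RZL_ADM": {"ACTVT": {"01"}}},
}

def required(features):
    """Merge the baseline with the objects each enabled feature needs."""
    need = {obj: dict(fields) for obj, fields in BASELINE.items()}
    for feature in features:
        for obj, fields in FEATURES[feature].items():
            need.setdefault(obj, {}).update(fields)
    return need

def audit(role, features):
    """Return (finding, object, field) tuples; role maps object -> field -> values."""
    need, findings = required(features), []
    for obj in sorted(set(role) - set(need)):
        findings.append(("not-needed", obj, ""))
    for obj, fields in sorted(need.items()):
        if obj not in role:
            findings.append(("missing", obj, ""))
            continue
        for field, want in sorted(fields.items()):
            have = role[obj].get(field, set())
            if "*" in want:          # the list asks for a wildcard here
                continue
            if "*" in have or have - want:
                findings.append(("broader-than-needed", obj, field))
            if "*" not in have and want - have:
                findings.append(("missing", obj, field))
    # S_BTCH_ADM selects jobs client-independently (see the Important note above)
    if "Y" in role.get("S_BTCH_ADM", {}).get("BTCADMIN", set()):
        findings.append(("cross-client-job-selection", "S_BTCH_ADM", "BTCADMIN"))
    return findings

SAMPLE_ROLE = {  # constructed role export, not from a real system
    "S_BTCH_JOB": {"JOBACTION": {"*"}, "JOBGROUP": {"*"}},
    "S_BTCH_ADM": {"BTCADMIN": {"Y"}},
    "S_SPO_ACT": {"SPOACTION": {"BASE"}, "SPOAUTH": {"*"}},
    "S_DEVELOP": {"ACTVT": {"*"}},
}
```

Calling `audit(SAMPLE_ROLE, ["foreign_spool"])` reports the objects the role carries without a matching feature, the missing S_ADMI_FCD and DISP entries, the wildcard JOBACTION, and the cross-client effect of BTCADMIN = Y.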