SAP Security Objects

Several SAP authorizations are required for AESAP Jobs depending on your particular installation and the functions you use in your Automic Automation system. This topic lists all the authorization objects necessary for the system user to provide maximum functionality.

Tips:

  • Create your authorizations according to your own naming conventions.
  • To use minimal AE functionality, provide your RFC user with a user profile that contains the authorization object S_BTCH_JOB. It must include the standard authorization S_BTCH_ALL, or an authorization where the fields are filled as follows:
    • Activities in jobs: DELE, PLAN, PROT, RELE, SHOW
    • Summarizing jobs for a group: *

Overview of SAP Authorization Objects

The following list requires sound knowledge of SAP authorization concepts:

  • S_RFC
    Connection to AE: When the profile parameter auth/rfc_authority_check is set, SAP checks whether the RFC user has the right to call the given function group.
    Field names: ACTVT RFC_, NAME RFC_, TYPE
    Value: *

  • S_BTCH_JOB
    Batch Processing: Operations on batch jobs
    Connection to AE: The AE creates SAP jobs dynamically and needs permission to plan, monitor, and release jobs. In addition, the AE creates jobs to process BDC sessions, thereby using the standard RSBDCBTC ABAP program.
    Field names: JOBACTION, JOBGROUP
    Value: *

  • S_BTCH_ADM
    Background Processing: Background Administrator
    Connection to AE: To run existing SAP jobs, the AE must change the respective jobs. The AE and standard interfaces use the standard function module BP_JOB_MODIFY to run jobs. Batch-administrator authorization is required. You also need this type of authorization to retrieve the spool list of a job if the SAP system user is not the job creator.

    Important! S_BTCH_ADM allows the client-independent selection of existing jobs. If the R3_ACTIVATE_JOBS script statement is processed with an SAP system user who has this type of authorization, the AE possibly starts jobs in several SAP clients, depending on the specified selection criteria (such as the same job name in two SAP clients).
    Field name: BTCADMIN
    Value: Y

  • S_BTCH_NAM
    Connection to AE: To create and run jobs for any other SAP user, the system user must have the right to specify the user name.
    Field name: BTCUNAME Value: *

  • S_BTCH_NA1
    Batch Processing: User Name and Program
    Connection to AE: As of SAP 7.5.2, this authorization object is an enhancement of object S_BTCH_NAM. In addition to the user name, the report name is also checked with this test. The check of S_BTCH_NA1 is therefore only successful if user A is authorized to schedule program xyz for user B.
    Field name: BTCUNAME, PROGNAME
    Value: *

  • S_SPO_DEV
    Spooler: Device Authorization
    Connection to AE: To specify the printing parameter 'print immediately' within a job step, the system user must have the right to access the corresponding printing device.
    Field name: SPODEVICE
    Value: *

  • S_TMS_ACT
    Connection to AE: To transfer the cover page of a spool list to the AE, view the parameters of the variant used for the ABAP run. You will find this type of information as part of the cover page.
    Field names: STMSACTION, STMSOBJECT, STMSOWNER
    Value: *

  • S_TOOLS_EX
    Tools Performance Monitor
    Connection to AE: Authorization to display external statistics records in monitoring tools.
    Field name: AUTH
    Value: *

  • S_XMI_PROD
    Connection to AE: Use this object to log in to the standard interface. Before calling functions of an external interface, the external application must log in to the interface.
    Field names: EXTCOMPANY, EXTPRODUCT, INTERFACE
    Value: *

  • S_XMI_LOG
    Connection to AE: Not necessary for the AE, but if you use the standard interface, entries into the XMI log are created (Online Transaction Code RZ15). You need this permission to view them or to clear the log.
    Field name: n/a
    Value: n/a

  • S_WFAR_OBJ
    ArchiveLink Authorizations for accessing documents
    Connection to AE: The AE allows archive parameters, such as the object type, document type, etc., to be specified. Therefore, you can immediately transfer the printing list of an ABAP program. Doing so is only useful if you have an optical archive system installed for the SAP system.
    Field names: ACTVT, OAARCHIV, OADOCUMENT, OAOBJEKTE
    Value: *

  • S_WFAR_PRI
    ArchiveLink Authorizations for accessing print lists
    Connection to AE: To create printing lists within an optical archive, the SAP system user must have the relevant permission.
    Field names: ACTVT, OAARCHIV, OADOKUMENT, OAOBJEKTE, PROGRAM
    Value: *

  • S_PROGRAM
    ABAP: Program run checks
    Connection to AE: The AE requires that this authorization object schedules ABAP programs assigned to authorization groups (authorization field P_ACTION = BTCSUBMIT), and manages variants (authorization field P_ACTION = VARIANT).

    The communication user needs the SUBMIT permission for the S_PROGRAM object and BTCSUBMIT & VARIANT T (R3_GET_JOB_SPOOL). For more information, see SAP note 2269032.
    Field names:

    • P_ACTION
      Values: BTCSUBMIT, VARIANT, SUBMIT
    • P_GROUP
      Value: *

  • S_SPO_ACT
    Spool: Actions
    Connection to AE: The SPOACTION field must allow the BASE and DISP actions for the users to transfer spool lists that the SAP system user did not create.
    Field names:

    • SPOACTION
      Values: BASE, DISP
    • SPOAUTH
      Value: *

  • S_ADMI_FCD
    System Authorizations
    Connection to AE: The S_ADMI_FCD field must at least allow the SP0R action to transfer spool lists that the SAP system user did not create.
    Field name: S_ADMI_FCD
    Value: SP0R

  • S_RS_ISOUR
    Administrator Workbench - InfoSource (Flexible Update)
    Connection to AE: You only require this permission if you use the BW_ACTIVATE_INFOPACKAGE Business Warehouse script element and Flexible Update.
    Field names: ACTVT, RSAPPLNM, RSISOURCE, RSISRCOBJ
    Value: *

  • S_RS_ISOUR
    Administrator Workbench - InfoSource (Direct Update)
    Connection to: You only require this permission if you use the BW_ACTIVATE_INFOPACKAGE Business Warehouse script element and Direct Update.
    Field names: ACTVT, RSAPPLNM, RSISOURCE, RSISRCOBJ
    Value: *

  • S_DEVELOP ABAP
    Workbench
    Connection to AE: You only require this permission if you use the BW_ACTIVATE_CHAIN Business Warehouse script element.
    Field names: ACTVT, DEVCLASS, OBJNAME, OBJTYPE P_, GROUP
    Value: *

  • S_RS_ICUBE
    Administrator Workbench - InfoCube
    Connection to AE: You only require this permission if you use the BW_ACTIVATE_CHAIN Business Warehouse script element
    Field names: ACTVT, RSICUBEOBJ, RSINFOAREA, RSINFOCUBE
    Value: *

  • S_RS_ADMWB
    Administrator Workbench - Objects
    Connection to AE: Only required if you use the Business Warehouse functions.
    Field names: ACTVT, RSADMWBOBJ
    Value: *

  • S_RS_DS
    Connection to AE: Only required if you use the Business Warehouse functions.

  • S_RS_DTP
    Connection to AE: Only required if you use the Business Warehouse functions.

  • S_RS_ODSO
    Connection to AE: Only required if you use the Business Warehouse functions.

  • S_RS_PC
    Connection to AE: Only required if you use the Business Warehouse functions.

  • S_RZL_ADM
    Connection to AE: Releases intercepted jobs (RemoteTaskManager, R3_activate_intercepted_jobs)
    Field name: ACTVT
    Value: 01

  • S_TABU_DIS
    To use SAP Forms, see Forms View on the Process Page
    Field names:

    • ACTVT
      Value: 03
    • DICBERCLS
      Value: SPFL