SAP Security Objects

SAP authorizations that are required for AE SAP Jobs depend on your particular installation and the functions you use in the AE. This topic lists all the authorization objects that are necessary for the system user to provide maximum functionality.

Tips:

  • Create your authorizations according to your own naming conventions.
  • To use minimal AE functionality, provide your RFC user with a user profile that contains the authorization object S_BTCH_JOB. It must contain the standard authorization S_BTCH_ALL, or an authorization where the fields are filled in as follows:
    • Activities in jobs: DELE, PLAN, PROT, RELE, SHOW
    • Summarizing jobs for a group: *

Overview of SAP Authorization Objects

The following list requires sound knowledge of SAP authorization concepts:

  • S_RFC
    Connection to AE: When the profile parameter auth/rfc_authority_check is set, SAP checks if the RFC user is allowed to call the given function group.
    Field names: ACTVT, RFC_NAME, RFC_TYPE
    Value: *

  • S_BTCH_JOB
    Batch Processing: Operations on batch jobs
    Connection to AE: The AE creates SAP jobs dynamically and needs the authorization to plan, monitor, and release jobs. In addition, the AE creates jobs to process BDC sessions, thereby using the standard RSBDCBTC ABAP program.
    Field names: JOBACTION, JOBGROUP
    Value: *

  • S_BTCH_ADM
    Background Processing: Background Administrator
    Connection to AE: To run existing SAP jobs, the AE must change the respective jobs. The AE and standard interfaces use the standard function module BP_JOB_MODIFY to run jobs. Batch-administrator authorization is required. This type of authorization is also required for retrieving the spool list of a job if the SAP system user is not the job creator.

    Important! S_BTCH_ADM allows the client-independent selection of existing jobs. If the AE JCL statement R3_ACTIVATE_JOBS is processed with an SAP system user who has this type of authorization, the AE might start jobs in several SAP clients, depending on the specified selection criteria (such as the same job name in two SAP clients).
    Field name: BTCADMIN
    Value: Y

  • S_BTCH_NAM
    Connection to AE: To create and run jobs for any other SAP user, the system user must be authorized to specify the user name.
    Field name: BTCUNAME
    Value: *

  • S_SPO_DEV
    Spooler: Device Authorization
    Connection to AE: To specify the printing parameter 'print immediately' within a job step, the system user must be authorized to access the corresponding printing device.
    Field name: SPODEVICE
    Value: *

  • S_TMS_ACT
    Connection to AE: To transfer the cover page of a spool list back to the AE, it is helpful to see the parameters of the variant that was used to run the ABAP. This information is part of the cover page.
    Field names: STMSACTION, STMSOBJECT, STMSOWNER
    Value: *

  • S_XMI_PROD
    Connection to AE: This object is used to log on to the standard interface. Before calling functions of an external interface, the external application has to log on to the interface.
    Field names: EXTCOMPANY, EXTPRODUCT, INTERFACE
    Value: *

  • S_XMI_LOG
    Connection to AE: Not necessary for the AE, but if you use the standard interface, entries are created in the XMI log (online transaction code RZ15). This authorization is required to view them or to clear the log.
    Field name: n/a
    Value: n/a

  • S_WFAR_OBJ
    ArchiveLink Authorizations for accessing documents
    Connection to AE: The AE allows archive parameters such as the object type and document type to be specified. You can therefore immediately transfer the print list of an ABAP program. Doing so is only useful if an optical archive system is installed for the SAP system.
    Field names: ACTVT, OAARCHIV, OADOKUMENT, OAOBJEKTE
    Value: *

  • S_WFAR_PRI
    ArchiveLink Authorizations for accessing print lists
    Connection to AE: To create printing lists within an optical archive, the SAP system user must have the relevant authorization.
    Field names: ACTVT, OAARCHIV, OADOKUMENT, OAOBJEKTE, PROGRAM
    Value: *

  • S_PROGRAM
    ABAP: Program run checks
    Connection to AE: The AE requires this authorization object to schedule ABAP programs that are assigned to authorization groups (authorization field P_ACTION = BTCSUBMIT) and to manage variants (authorization field P_ACTION = VARIANT).

    Authorization for SUBMIT is required for the communication user for the S_PROGRAM object, in addition to BTCSUBMIT & VARIANT (R3_GET_JOB_SPOOL). For more information, see SAP note 2269032.
    Field names:

    • P_ACTION
      Values: BTCSUBMIT, VARIANT, SUBMIT
    • P_GROUP
      Value: *

  • S_SPO_ACT
    Spool: Actions
    Connection to AE: To transfer spool lists that were not created by the SAP system user, the SPOACTION field has to allow the BASE and DISP actions for the corresponding users.
    Field names:

    • SPOACTION
      Values: BASE, DISP
    • SPOAUTH
      Value: *

  • S_ADMI_FCD
    System Authorizations
    Connection to AE: To transfer spool lists that were not created by the SAP system user, the S_ADMI_FCD field has to allow at least the SP0R action.
    Field name: S_ADMI_FCD
    Value: SP0R

  • S_RS_ISOUR
    Administrator Workbench - InfoSource (Flexible Update)
    Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_INFOPACKAGE and Flexible Update are used.
    Field names: ACTVT, RSAPPLNM, RSISOURCE, RSISRCOBJ
    Value: *

  • S_RS_ISOUR
    Administrator Workbench - InfoSource (Direct Update)
    Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_INFOPACKAGE and Direct Update are used.
    Field names: ACTVT, RSAPPLNM, RSISOURCE, RSISRCOBJ
    Value: *

  • S_DEVELOP
    ABAP Workbench
    Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_CHAIN is used.
    Field names: ACTVT, DEVCLASS, OBJNAME, OBJTYPE, P_GROUP
    Value: *

  • S_RS_ICUBE
    Administrator Workbench - InfoCube
    Connection to AE: Only required if the Business Warehouse Function BW_ACTIVATE_CHAIN is used.
    Field names: ACTVT, RSICUBEOBJ, RSINFOAREA, RSINFOCUBE
    Value: *

  • S_RS_ADMWB
    Administrator Workbench - Objects
    Connection to AE: Only required if the Business Warehouse Functions are used.
    Field names: ACTVT, RSADMWBOBJ
    Value: *

  • S_RS_DS
    Connection to AE: Only required if the Business Warehouse Functions are used.

  • S_RS_DTP
    Connection to AE: Only required if the Business Warehouse Functions are used.

  • S_RS_ODSO
    Connection to AE: Only required if the Business Warehouse Functions are used.

  • S_RS_PC
    Connection to AE: Only required if the Business Warehouse Functions are used.

  • S_RZL_ADM
    Connection to AE: Releasing intercepted jobs (RemoteTaskManager, R3_activate_intercepted_jobs)
    Field name: ACTVT
    Value: 01

  • S_TABU_DIS
    For using SAP Forms, see Forms View on the Process Page
    Field names:

    • ACTVT
      Value: 03
    • DICBERCLS
      Value: SPFL
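
Added example (not part of the original documentation or the product): a Python check of the minimal S_BTCH_JOB profile from the Tips section and of the S_BTCH_ADM setting marked Important above, run over role authorization rows. The row layout (OBJECT, AUTH, FIELD, LOW, HIGH), the authorization names, and the simplified value matching are assumptions; the sample rows are constructed.

```python
from collections import defaultdict

# Minimal profile from the Tips section: S_BTCH_JOB, these actions, JOBGROUP "*".
REQUIRED_ACTIONS = ["DELE", "PLAN", "PROT", "RELE", "SHOW"]

def covers(low, high, value):
    """Simplified value match: LOW..HIGH range, trailing-* pattern, or exact."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def audit(rows):
    """rows: (OBJECT, AUTH, FIELD, LOW, HIGH). Returns (missing_actions, findings)."""
    # Group values per authorization instance: a check passes only when one
    # instance satisfies every checked field of the object.
    inst = defaultdict(lambda: defaultdict(list))
    for obj, auth, field, low, high in rows:
        inst[(obj, auth)][field].append((low.strip(), high.strip()))

    def grants(obj, wanted):
        return any(
            all(any(covers(lo, hi, v) for lo, hi in fields.get(f, []))
                for f, v in wanted.items())
            for (o, _), fields in inst.items() if o == obj)

    missing = [a for a in REQUIRED_ACTIONS
               if not grants("S_BTCH_JOB", {"JOBACTION": a, "JOBGROUP": "*"})]
    findings = []
    if grants("S_BTCH_ADM", {"BTCADMIN": "Y"}):
        findings.append("S_BTCH_ADM BTCADMIN=Y: job selection is client-independent")
    return missing, findings

# Constructed sample rows for a hypothetical role (not taken from a real system).
SAMPLE_ROWS = [
    ("S_BTCH_JOB", "T_AE000100", "JOBACTION", "DELE", ""),
    ("S_BTCH_JOB", "T_AE000100", "JOBACTION", "PLAN", ""),
    ("S_BTCH_JOB", "T_AE000100", "JOBACTION", "PROT", ""),
    ("S_BTCH_JOB", "T_AE000100", "JOBACTION", "SHOW", ""),
    ("S_BTCH_JOB", "T_AE000100", "JOBGROUP", "*", ""),
    ("S_BTCH_JOB", "T_AE000101", "JOBACTION", "RELE", ""),
    ("S_BTCH_JOB", "T_AE000101", "JOBGROUP", "Z*", ""),
    ("S_BTCH_ADM", "T_AE000200", "BTCADMIN", "Y", ""),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```

In the sample, RELE is reported as missing because it is granted only in an authorization whose JOBGROUP is restricted to Z*, so no single authorization combines RELE with JOBGROUP *.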