Authorizations for Operational Data Provisioning

Use

Operational data provisioning uses the SAP NetWeaver AS for ABAP authorization concept. The security recommendations and guidelines described in the SAP NetWeaver AS Security Guide ABAP therefore also apply for operational data provisioning.

The following section lists the authorizations that you need for the various tasks in operational data provsioning:

Search and Analytics: Customizing and Configuration

For the system configuration of search and operational analytics in the development system and the production system, the following authorizations are required:

  • Composite role SAP_ESH_LOCAL_ADMIN

  • Transaction authorization ( S_TCODE) for Customizing transaction RODPS_ODP_IMG (Specify Client for Modeling)

Search and analytics: Modeling in the development system

The following modeling-related tasks need to be performed in the development system:

  • Activation and transport of Business Content for operational analytics scenarios

  • Creating and editing search and analysis models (including authorization checks)

  • Creating and editing DataSources (DataSources for access control listes for example when modeling authorization checks)

  • Creating and editing connectors (including the software component selection)

  • Scheduling and monitoring indexing

To perform these tasks, the following authorizations are required:

  • Composite role SAP_ESH_LOCAL_ADMIN

  • Transaction authorization ( S_TCODE) for transactions RSRTS_ODP_DIS (TransientProvider Preview), ODQMON (Delta Queue Monitor), RSO2 (DataSource Maintenance), RSOR (Transport Connection/BI Content), BSANL_ACWB (BI Content Activation Workbench)

  • Authorization object S_APPL_LOG for the delta queue monitor

    Field

    Value

    ALG_OBJECT

    ODQ

    ALG_SUBOBJ

    *

    ACTVT

    03, 06

  • Authorization object S_APPL_FCD for the delta queue monitor

    Field

    Value

    S_ADMI_FCD

    NADM

  • Authorization object S_RO_OSOA

    Field

    Value

    OLTPSOURCE

    *

    OSOAAPCO

    *

    OSOAPART

    DEFINITION, DATA

    ACTVT

    03

    For DataSource maintenance:

    Field

    Value

    OLTPSOURCE

    <Dependent on the area of responsibility of the modeler>

    OSOAAPCO

    <Dependent on the area of responsibility of the modeler>

    OSOAPART

    DEFINITION

    ACTVT

    23

Modeling MultiProviders in the development system

Role template S_RS_RDEMO is the template for the authorizations requried when modeling and transporting MultiProviders.

Defining and running analytic queries in the development system

Role template S_RS_RREDE is the template for the authorizations requried when designing and running queries.

Search and Analytics: Operations in the Productive System

To create and edit connectors (including the software component selectoin) and to schedule and monitor indexing in the productive system, the following authorizations are required:

  • Composite role SAP_ESH_LOCAL_ADMIN

  • Transaction authorization ( S_TCODE) for transaction ODQMON (Delta Queue Monitor)

  • Authorization object S_APPL_LOG for the delta queue monitor

    Field

    Value

    ALG_OBJECT

    ODQ

    ALG_SUBOBJ

    *

    ACTVT

    03, 06

  • Authorization object S_APPL_FCD for the delta queue monitor

    Field

    Value

    S_ADMI_FCD

    NADM

  • Authorization object S_RO_OSOA

    Field

    Value

    OLTPSOURCE

    *

    OSOAAPCO

    *

    OSOAPART

    DEFINITION, DATA

    ACTVT

    03

Running analytic queries in the productive system

Role template S_RS_RREPU is the template for the authorizations requried when running queries.

Activities

The SAP NetWeaver authorization concept is based on the role-based assignment of authorizations. For role maintenance on AS ABAP, use the profile generator (transaction PFCG).