Standard Permissions
This section provides an overview of the standard permissions that are used by SAP Landscape Management.
Verify whether the specific SAP Landscape Management actions and permissions listed in the tables below are set appropriately in the User Management Engine (UME) depending on your requirements.
| Requirements | Permission | Action Name |
|---|---|---|
| To view the state, configuration, activity status, logs of instances, hosts, and virtual hosts. | Service,Resource,VirtualResource(Observe) | Observation |
| To execute secure custom processes for which no authorization is set. | SafeCustomProcess(Execute) | Observation |
| To handle operations with errors (add notes, clear notes) on instances, hosts, and virtual hosts. | Service,Resource,VirtualHost(AddNotes,ClearNotes) | Operations |
|
To perform start and stop operations on instances. To perform system provisioning operations such as clone, copy, refresh, or rename. |
Service(Start,Stop) | Operations |
|
To perform prepare, unprepare, and set preferred host operations on AC enabled instances. To perform system provisioning operations such as clone, copy, refresh, or rename. |
Service(Prepare,UnPrepare,SetPreferredResource) | Operations |
| To perform operations (suspend, resume, retry, cancel, and remove) for controlling activities. | Activity(Operate) | Operations |
| To use rolling kernel switch (RKS). | System(RKS) | Operations |
| To install the license for using ABAP post-copy automation (PCA). | System(PCA) | Operations |
|
To handle operations with errors such as clear alerts, forced prepare, forced unprepare, forced start, forced stop. To execute the following SAP HANA replication operations: Change Log Retention, Change Mode of System Replication, Clean Up System Replication, Disable Table Preload, Disable Fullsync System Replication, Disable Log Retention Propagation, Disable System Replication, Enable Table Preload, Enable Log Retention Propagation, Enable System Replication, Enable / Disable Fullsync System Replication, Forced System Replication Takeover, Register Secondary Tier for System Replication, Stop Check of Replication Status Share, Unregister Secondary from System Replication, Unregister System Replication Site on Primary |
Service(ForcedPrepare,ForcedUnPrepare,ForcedStart,ForcedStop) | ForcedOperations |
| To perform operations on more than one system at a time. | MultipleSystem(Operate) | MultipleSystemOperations |
| To ignore intersystem dependencies while performing instance operations. | Service(IgnoreISD) | IgnoreISDInOperation |
| To handle operations with errors (clear alerts, clear notes) on instances, hosts, and virtual hosts. | Service,Resource,VirtualHost(ClearAlerts) | ExceptionHandling |
| To handle suppress validation warnings on instances, hosts, and virtual hosts. | Service,Resource,VirtualResource(SuppressValidationWarnings) | ExceptionHandling |
| To execute operations on instances and hosts using the integrated task planner. | Service,Resource(ScheduleTask) | TaskScheduling |
| To archive log data, retrieve log data from an archive, and delete log data. | Log(Archive) | Archiving |
|
To add, edit, remove, or import the configuration of instances. To perform system provisioning operations such as clone, copy, refresh, or rename. To destroy systems. |
Service(Configure) | LandscapeConfiguration |
|
To add, edit, remove, or import the configuration of hosts. To destroy systems. |
Resource(Configure) | LandscapeConfiguration |
|
To add, edit, remove, or import the configuration of pools, networks, characteristics, and virtual hosts. To perform system provisioning operations such as clone, copy, refresh, or rename. To create, edit, and delete custom relations. |
VirtualResource,Pool,Network,Characteristic(Configure) | LandscapeConfiguration |
| To edit or import SAP Landscape Management configuration settings. | VCM(Configure) | LVMConfiguration |
| To configure permissions in the pools managed within SAP Landscape Management. This permission also bypasses all authorization validations. | LVM Authorization(Bypass,Configure) | LVMAuthorizationConfiguration |
| To provide a new application server or Diagnostics Agent on a system and provide virtual systems. | ApplicationServer,VirtualResource(Provision) | LandscapeProvisioning |
|
To create a clone of a system. To perform system provisioning operations, further permissions are required. |
System(Clone) | SystemClone |
|
To create a copy of a system. To perform system provisioning operations, further permissions are required. |
System(Copy) | SystemCopy |
|
To refresh a copied system. To perform system provisioning operations, further permissions are required. |
System(Refresh) | SystemRefresh |
|
To destroy a cloned or copied system. To destroy a cloned or copied system, further permissions are required. |
System(Destroy) | SystemDestroy |
| To rename a cloned or copied system, or to execute post-copy automation (PCA) standalone. | System(Rename) | SystemRename |
| To create, restore, or delete storage snapshots of a system. | System(StorageSnapshotManagement) | SystemStorageSnapshotManagement |
| To perform operations (activate, deactivate, suspend, migrate) on virtual entities. | VirtualResource(Activate,DeactivateSoft,DeactivateHard,Suspend,Migrate,Reboot,Resize) | VirtualResourceOperations |
| To handle operations with errors (forced activate, deactivate, suspend, migrate) on virtual entities. | VirtualResource(ForceActivate,ForceDeactivateSoft,ForceDeactivateHard,ForceSuspend,ForceMigrate) | ForcedVirtualResourceOperationss |
| To destroy virtual resources. | VirtualResource(Destroy) | LandscapeProvisioning |
| To manage templates (save, export, import, and remove) for system provisioning. | TemplateConfiguration(Store,Update,Delete,Download,StoreKey) | TemplateConfiguration |
| To execute templates for system provisioning. | TemplateExecution(Execute) | TemplateExecution |
| To create SAP HANA system replication. | System(Replication) | SystemReplication |
| To destroy SAP HANA system replication. | System(ReplicationDestroy) | SystemReplicationDestroy |
| To schedule provisioning templates for execution. | ProvisioningTemplate(Schedule) | ProvisioningTemplateScheduling |
| To manage operation templates. | OperationTemplate(Manage) | OperationTemplateManagement |
| To execute operation templates. | OperationTemplate(Execute) | OperationTemplateExecution |
| To schedule operation templates. | OperationTemplate(Schedule) | OperationTemplateScheduling |
| To manage custom processes. | CustomProcess(Manage) | CustomProcessManagement |
| To execute normal custom processes. For example, to execute the process Generate and Add System/UUID. | CustomProcess(Execute) | CustomProcessExecution |
| To execute forced custom processes. | ForcedCustomProcess(Execute) | ForcedCustomProcessExecution |
| To execute critical custom processes. | CriticalCustomProcess(Execute) | CriticalCustomProcessExecution |
| To execute SAP HANA processes. | HanaProcess(Execute) | HANAProcessExecution |
| To add, edit, or remove provisioning blueprints, and execute provisioning blueprints not yet released. | Blueprint(Manage) | BlueprintManagement |
| To execute SAP Landscape Management activities using a REST API. Works only if the user/group also has the role SAP_LVM_API_ACCESS assigned. | APIManagement(Manage) | APIBasedManagement |
| To perform remote function call operations such as get logged on users, list system messages, get active batch jobs, and get system information. | Service,Resource(SafeCustomOperation) | Observation |
|
To perform remote function call operations such as create system message and manage logon groups. To configure HA/DR provider hooks or update HA/DR provider scripts. |
Service,Resource(CriticalCustomOperation) | CriticalOperations |
| To export log entries, log details, activities, reports, configuration data, custom operations, custom hooks, custom notifications, custom provisioning processes, custom processses, operation templates, provisioning templates, provisioning blueprints, schedules, links, menu items, custom properties, custom relations, and support information to a data file. | DataExport | DataExport |
The table below shows the permissions that are required to perform custom operations.
|
Requirements |
Instance State |
Permission |
Action Name |
|---|---|---|---|
|
To perform secure custom operations for which no authorization is set. |
None |
Service,Resource(SafeCustomOperation) |
Observation |
|
To perform custom operations on instances and hosts with permissions set to “Normal”. To start the check of a replication status share or to test HA/DR provider hooks. |
Normal |
Service,Resource(NormalCustomOperation) |
Operations |
|
To perform custom operations on instances and hosts with permissions set to “Forced”. |
Forced |
Service,Resource(ForcedCustomOperation) |
ForcedOperations |
|
To perform custom operations on instances and hosts with permissions set to “Critical”. |
Critical |
Service,Resource(CriticalCustomOperation) |
CriticalOperations |