SAP Landscape Management 3.0, Enterprise Edition

Standard Authorization Objects

This section provides an overview of the security-relevant authorization objects that are used by SAP Landscape Management for the default remote function call (RFC) destination.

Authorization Object

Field

Value

Description

S_RFC RFC_TYPE FUGR Execute function modules of group SYST in the target system.
RFC_NAME SYST
ACTVT 16
S_RFC RFC_TYPE FUGR Execute function modules of group THFB in the target system.
RFC_NAME THFB
ACTVT 16
S_RFC RFC_TYPE FUGR Execute function modules of group SXBP in the target system.
RFC_NAME SXBP
ACTVT 16
S_RFC RFC_TYPE FUGR

Execute function modules of group SXMI in the target system.

RFC_NAME SXMI
ACTVT 16
S_RFC RFC_TYPE FUGR

Execute function modules of group SM02 in the target system.

RFC_NAME SM02
ACTVT

16

S_RFC RFC_TYPE FUGR

Execute function modules of group SMLG in the target system.

RFC_NAME SMLG
ACTVT 16
S_RFC RFC_TYPE FUGR

Execute function modules of group SLCH in the target system.

RFC_NAME SLCH
ACTVT 16
S_XMI_PROD EXTCOMPANY SAP

Execute external management interface XBP.

EXTPRODUCT ACC
INTERFACE XBP
S_BTCH_ADM BTCADMIN Y

Do anything with jobs in all clients.

S_ADMI_FCD S_ADMI_FCD ST0R

Evaluate traces.

S_ADMI_FCD S_ADMI_FCD SM02

Create, change, and delete system messages.

The table below shows the security-relevant authorization objects that are used by SAP Landscape Management, to change RFC passwords during initial copy.

Authorization Object

Field

Value

Description

S_RFC RFC_TYPE FUGR Execute function modules of group SUSO in the target system.
RFC_NAME SUSO
ACTVT 16
S_RFC RFC_TYPE FUNC Change the password.
RFC_NAME SUSR_USER_CHANGE_PASSWORD_RFC
ACTVT 16

The table below shows the security-relevant ABAP post-copy automation roles that are used by SAP Landscape Management for the default RFC destination.

Role

Permission

Description

SAP_BC_STC_DISPLAY
  • Display task lists (transaction STC01)

  • Display task list variants (transaction STC01)

  • Display task list runs (transaction STC02)

Role to display technical configuration task lists.

This role allows users to display task lists and corresponding objects (task list runs and task list variants) used for technical configuration.

SAP_BC_STC_REMOTE

To perform particular actions, further authorizations are necessary. See other SAP_BC_STC_* roles.

Role for technical configuration remote access.

This role contains the authorizations necessary to remotely access technical configuration task lists.