Standard Roles and Groups

This section provides an overview of the standard roles and groups that are used by SAP Landscape Management.

Verify whether the specific SAP Landscape Management actions, permissions, roles, and groups listed in the table below are set appropriately in the User Management Engine (UME) depending on your requirements.

Note

The SAP Landscape Management authorizations override the UME authorizations for a given pool and are not affected by changes in the UME authorization settings.
If the SAP Landscape Management permissions are configured in a pool, the groups only have the authorizations granted explicitly.
The SAP_LVM_SUPERADMIN role has all permissions assigned.
Due to the availability of system relevant and security relevant information, grant access to SAP Landscape Management to privileged persons only.

Group	Role	Actions	Description
LVM_ADMIN	SAP_LVM_ADMIN	Observation Operations ForcedOperations VirtualResourceOperations ForcedVirtualResourceOperations MultipleSystemOperations CriticalOperations ExceptionHandling TaskScheduling Archiving LandscapeConfiguration LandscapeProvisioning SystemClone SystemCopy SystemRefresh SystemDestroy SystemRename SystemStorageSnapshotManagement TemplateConfiguration TemplateExecution SystemReplication SystemReplicationDestroy OperationTemplateExecution OperationTemplateScheduling OperationTemplateManagement CustomProcessManagement CustomProcessExecution HANAProcessExecution ForcedCustomProcessExecution CriticalCustomProcessExecution BlueprintManagement ProvisioningTemplateScheduling DataExport	Can perform forced operations, manage logs and operations on multiple systems simultaneously, in addition to the actions allowed by the SAP_LVM_OPERATOR and SAP_LVM_CONFIGURATOR roles.
LVM_READONLY	SAP_LVM_READONLY	Observation	Can view the details of instances, hosts, virtual platform elements, pools, networks, and characteristics. Can execute secure custom processes for which no authorization is set.
LVM_SUPERADMIN	SAP_LVM_SUPERADMIN	Observation Operations IgnoreISDInOperation ForcedOperations VirtualResourceOperations ForcedVirtualResourceOperations MultipleSystemOperations CriticalOperations ExceptionHandling TaskScheduling Archiving LandscapeConfiguration LandscapeProvisioning SystemClone SystemCopy SystemRefresh SystemDestroy SystemRename SystemStorageSnapshotManagement LVMConfiguration LVMAuthorizationConfiguration TemplateConfiguration TemplateExecution SystemReplication SystemReplicationDestroy OperationTemplateExecution OperationTemplateScheduling OperationTemplateManagement CustomProcessManagement CustomProcessExecution HANAProcessExecution ForcedCustomProcessExecution CriticalCustomProcessExecution BlueprintManagement ProvisioningTemplateScheduling APIBasedManagement DataExport	Can configure finely grained object permissions, in addition to the actions allowed by the SAP_LVM_ADMIN role.
LVM_OPERATOR	SAP_LVM_OPERATOR	Observation Operations ForcedOperations VirtualResourceOperations ForcedVirtualResourceOperations ExceptionHandling TaskScheduling OperationTemplateExecution CustomProcessExecution HANAProcessExecution ForcedCustomProcessExecution CriticalCustomProcessExecution	Can schedule or perform operations on instances and virtual systems, in addition to the actions allowed by the SAP_LVM_READONLY role. Operators can schedule or perform operations on instances within one system at a time.
LVM_AUTOMATION_EXPERT	SAP_LVM_AUTOMATION_EXPERT	Observation Operations ForcedOperations VirtualResourceOperations ForcedVirtualResourceOperations MultipleSystemOperations ExceptionHandling TaskScheduling OperationTemplateExecution OperationTemplateScheduling OperationTemplateManagement CustomProcessManagement CustomProcessExecution HANAProcessExecution ForcedCustomProcessExecution CriticalCustomProcessExecution BlueprintManagement ProvisioningTemplateScheduling TemplateConfiguration TemplateExecution DataExport	Can execute, schedule, and manage operation templates, provisioning templates, and custom processes, in addition to the actions allowed by the SAP_LVM_OPERATOR role.
LVM_CONFIGURATOR	SAP_LVM_CONFIGURATOR	Observation LandscapeConfiguration TemplateConfiguration DataExport	Can add, edit, or import the configuration of instances, hosts, pools, networks, and characteristics, in addition to the actions allowed by the SAP_LVM_READONLY role.
LVM_EXTENDED CONFIGURATOR	SAP_LVM_EXTENDED CONFIGURATOR	Observation LVMConfiguration LandscapeConfiguration TemplateConfiguration DataExport	Can configure infrastructure settings and SAP Landscape Management settings.
	SAP_LVM_API_ACCESS	APIBasedManagement	Can perform calls to the SAP Landscape Management Rest API. In addition, users need the permissions for the actual domain-specific activities.
	ADMINISTRATOR	Observation Operations ForcedOperations VirtualResourceOperations ForcedVirtualResourceOperations MultipleSystemOperations CriticalOperations ExceptionHandling TaskScheduling Archiving LandscapeConfiguration LandscapeProvisioning SystemClone SystemCopy SystemRefresh SystemDestroy SystemRename SystemStorageSnapshotManagement LVMConfiguration LVMAuthorizationConfiguration TemplateConfiguration TemplateExecution SystemReplication SystemReplicationDestroy OperationTemplateExecution OperationTemplateScheduling OperationTemplateManagement CustomProcessManagement CustomProcessExecution HANAProcessExecution ForcedCustomProcessExecution CriticalCustomProcessExecution BlueprintManagement ProvisioningTemplateScheduling DataExport