Operational data provisioning uses the SAP NetWeaver AS for ABAP authorization concept. The security recommendations and guidelines described in the SAP NetWeaver AS Security Guide ABAP therefore also apply for operational data provisioning.
The following section lists the authorizations that you need for the various tasks in operational data provsioning:
Search and Analytics: Customizing and Configuration
For the system configuration of search and operational analytics in the development system and the production system, the following authorizations are required:
Composite role SAP_ESH_LOCAL_ADMIN
Transaction authorization ( S_TCODE) for Customizing transaction RODPS_ODP_IMG (Specify Client for Modeling)
Search and analytics: Modeling in the development system
The following modeling-related tasks need to be performed in the development system:
Activation and transport of Business Content for operational analytics scenarios
Creating and editing search and analysis models (including authorization checks)
Creating and editing DataSources (DataSources for access control listes for example when modeling authorization checks)
Creating and editing connectors (including the software component selection)
Scheduling and monitoring indexing
To perform these tasks, the following authorizations are required:
Composite role SAP_ESH_LOCAL_ADMIN
Transaction authorization ( S_TCODE) for transactions RSRTS_ODP_DIS (TransientProvider Preview), ODQMON (Delta Queue Monitor), RSO2 (DataSource Maintenance), RSOR (Transport Connection/BI Content), BSANL_ACWB (BI Content Activation Workbench)
Authorization object S_APPL_LOG for the delta queue monitor
Field |
Value |
ALG_OBJECT |
ODQ |
ALG_SUBOBJ |
* |
ACTVT |
03, 06 |
Authorization object S_APPL_FCD for the delta queue monitor
Field |
Value |
S_ADMI_FCD |
NADM |
Authorization object S_RO_OSOA
Field |
Value |
OLTPSOURCE |
* |
OSOAAPCO |
* |
OSOAPART |
DEFINITION, DATA |
ACTVT |
03 |
For DataSource maintenance:
Field |
Value |
OLTPSOURCE |
<Dependent on the area of responsibility of the modeler> |
OSOAAPCO |
<Dependent on the area of responsibility of the modeler> |
OSOAPART |
DEFINITION |
ACTVT |
23 |
Modeling MultiProviders in the development system
Role template S_RS_RDEMO is the template for the authorizations requried when modeling and transporting MultiProviders.
Defining and running analytic queries in the development system
Role template S_RS_RREDE is the template for the authorizations requried when designing and running queries.
Search and Analytics: Operations in the Productive System
To create and edit connectors (including the software component selectoin) and to schedule and monitor indexing in the productive system, the following authorizations are required:
Composite role SAP_ESH_LOCAL_ADMIN
Transaction authorization ( S_TCODE) for transaction ODQMON (Delta Queue Monitor)
Authorization object S_APPL_LOG for the delta queue monitor
Field |
Value |
ALG_OBJECT |
ODQ |
ALG_SUBOBJ |
* |
ACTVT |
03, 06 |
Authorization object S_APPL_FCD for the delta queue monitor
Field |
Value |
S_ADMI_FCD |
NADM |
Authorization object S_RO_OSOA
Field |
Value |
OLTPSOURCE |
* |
OSOAAPCO |
* |
OSOAPART |
DEFINITION, DATA |
ACTVT |
03 |
Running analytic queries in the productive system
Role template S_RS_RREPU is the template for the authorizations requried when running queries.
The SAP NetWeaver authorization concept is based on the role-based assignment of authorizations. For role maintenance on AS ABAP, use the profile generator (transaction PFCG).
For more information about creating roles, see Role Administration.