
Embedded Search uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver Security Guide for Application Server ABAP also apply to Embedded Search.
The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. Roles can be maintained in the ABAP system using the profile generator (transaction PFCG).
In the system, you can use transaction SU01 to find information about users, roles, authorizations, and authorization objects. You can use the Info System function (in the menu bar ) to display stored information.
ABAP Roles
Embedded Search provides a range of predefined roles for the ABAP system.
Dialog User |
Role |
Description |
|---|---|---|
Administrator |
The SAP_ESH_LOCAL_ADMIN composite role contains the roles:
|
This composite role and the roles contained in it provide the various authorizations required for configuration changes and administration tasks within Embedded Search. It does not include any specific application-related privileges such as for business partners or material masters. The SAP_ESH_TRANSPORT role requires the S_TRANSPRT authorization object to transport templates. |
Administrator with read-authorization but not write-authorization |
SAP_ESH_SUPPORT |
This role is used for support purposes and provides read-access to the configuration of Embedded Search. Users of this role cannot make any changes to the configuration. |
Service User |
Role |
Description |
|---|---|---|
Batch Indexing |
SAP_ESH_DATA_PULL |
The service user is used in the Delegated Search . |
Authorization Objects
SAP NetWeaver Enterprise Search uses the following specific authorization objects for authorization tasks:
Authorization Object |
Description/Comment |
|---|---|
S_ESH_ADM |
This authorization object is used to determine whether or not the user has administration authorization for search object connectors. It is used to create, change, display, and delete search object connectors. It is included in the composite role SAP_ESH_LOCAL_ADMIN. |
S_ESH_PUSH |
This authorization object is required to transfer application data between a back-end system and SAP NetWeaver Enterprise Search, if you have activated the "Indexing in Real Time" option for at least one search connector. It is assigned to a technical user that is used for RFC communication between the back-end system and the hub. |
The SAP NetWeaver Enterprise Search roles also contain other authorization objects from SAP NetWeaver that are required to carry out the complete administration processes.
Required Roles for Further Search Scenarios
The following roles in the back-end system are required for delegated searches (search request is sent from an Embedded Search system that is connected to a hub to the hub for a response):
Users in the Delegated Search Scenario |
Role |
|---|---|
Standard user |
- |
Administrator |
The SAP_ESH_ADMIN composite role containing the roles:
|
Service user |
For batch indexing: SAP_ESH_DATA_PULL |
For more information about the roles used on the hub (the system on which SAP NetWeaver Enterprise Search is running), see the separate security guide for SAP NetWeaver Enterprise Search.
The following roles in the back-end system are required for searches in an SES-compatible back-end system:
Users in an SES-Compatible Back-End System |
Role |
|---|---|
Standard user |
SAP_BC_SES_RFC_ENDUSER The S_RFC authorization object is required for the remote search and for the remote logon to launch the search results from the results list. |
Administrator |
SAP_BC_SES_ADMIN |
Service user |
For metadata extraction: SAP_BC_SES_RFC_ENDUSER |