Show TOC

AuthorizationsLocate this document in the navigation structure

Definition

Embedded Search uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver Security Guide for Application Server ABAP also apply to Embedded Search.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. Roles can be maintained in the ABAP system using the profile generator (transaction PFCG).

Note

In the system, you can use transaction SU01 to find information about users, roles, authorizations, and authorization objects. You can use the Info System function (in the menu bar Start of the navigation path Info  Next navigation step Info System End of the navigation path) to display stored information.

ABAP Roles

Embedded Search provides a range of predefined roles for the ABAP system.

Dialog User

Role

Description

Administrator

The SAP_ESH_LOCAL_ADMIN composite role

contains the roles:

  • SAP_ESH_CR_ADMIN

  • SAP_ESH_TRANSPORT

  • SAP_BC_SES_ADMIN

This composite role and the roles contained in it provide the various authorizations required for configuration changes and administration tasks within Embedded Search.

It does not include any specific application-related privileges such as for business partners or material masters.

The SAP_ESH_TRANSPORT role requires the S_TRANSPRT authorization object to transport templates.

Administrator with read-authorization but not write-authorization

SAP_ESH_SUPPORT

This role is used for support purposes and provides read-access to the configuration of Embedded Search. Users of this role cannot make any changes to the configuration.

Service User

Role

Description

Batch Indexing

SAP_ESH_DATA_PULL

The service user is used in the Delegated Search .

Authorization Objects

SAP NetWeaver Enterprise Search uses the following specific authorization objects for authorization tasks:

Authorization Object

Description/Comment

S_ESH_ADM

This authorization object is used to determine whether or not the user has administration authorization for search object connectors.

It is used to create, change, display, and delete search object connectors.

It is included in the composite role SAP_ESH_LOCAL_ADMIN.

S_ESH_PUSH

This authorization object is required to transfer application data between a back-end system and SAP NetWeaver Enterprise Search, if you have activated the "Indexing in Real Time" option for at least one search connector.

It is assigned to a technical user that is used for RFC communication between the back-end system and the hub.

The SAP NetWeaver Enterprise Search roles also contain other authorization objects from SAP NetWeaver that are required to carry out the complete administration processes.

Required Roles for Further Search Scenarios

The following roles in the back-end system are required for delegated searches (search request is sent from an Embedded Search system that is connected to a hub to the hub for a response):

Users in the Delegated Search Scenario

Role

Standard user

-

Administrator

The SAP_ESH_ADMIN composite role containing the roles:

  • SAP_ESH_CR_ADMIN

  • SAP_ESH_TRANSPORT

  • SAP_BC_SES_ADMIN

  • SAP_BC_SEFS_ADMIN

  • SAP_ESH_BI_CONTENT_GEN

  • SAP_ESH_BOS_ADMIN

Service user

For batch indexing: SAP_ESH_DATA_PULL

Note

For more information about the roles used on the hub (the system on which SAP NetWeaver Enterprise Search is running), see the separate security guide for SAP NetWeaver Enterprise Search.

The following roles in the back-end system are required for searches in an SES-compatible back-end system:

Users in an SES-Compatible Back-End System

Role

Standard user

SAP_BC_SES_RFC_ENDUSER

The S_RFC authorization object is required for the remote search and for the remote logon to launch the search results from the results list.

Administrator

SAP_BC_SES_ADMIN

Service user

For metadata extraction: SAP_BC_SES_RFC_ENDUSER