Show TOC

SAP Authorization Objects and SAP Roles for SQL EditorLocate this document in the navigation structure

This section describes the SAP authorization objects and SAP roles that are needed to use the SQL Editor.

To be able to use the SQL editor to efficiently analyze a database, the following authorization objects must be configured:

  • S_DBCON

  • S_RZL_ADM

  • S_TABU_SQL

Settings for S_DBCON and SQL Editor

From SAP_BASIS 7.40 SP14 and SAP_BASIS 7.50 SP01, S_DBCON is configured differently. The table below compares these changes.

Table 1: Changes in the Settings for S_DBCON for SQL Editor

ACTVT

Before SAP_BASIS 7.40 SP14 AND SAP Note 1933254 is Not Implemented

After SAP_BASIS 7.40 SP14 OR SAP Note 1933254 is Implemented

03 (Display)

The SQL editor is disabled.

The SQL editor is enabled.

However, you need to grant authorization for each individual table to be accessed. To specify tables and views to be accessed, use the authorization object S_TABU_SQL.

23 (Change database parameters and database settings)

The SQL editor is enabled for SELECT statements.

The SQL editor is enabled for SELECT statements.

However, you need to grant authorization for each individual table to be accessed. To specify tables and views to be accessed, use the authorization object S_TABU_SQL.

36 (Extended maintenance)

Caution This authorization is extremely powerful and should not be granted on a routine basis.

The SQL editor is enabled for all types of SQL statements.

The SQL editor is enabled for all types of SQL statements.

However, you need to grant authorization for each individual table to be accessed. To specify tables and views to be accessed, use the authorization object S_TABU_SQL.
Note

You can implement the new functionality in releases prior to SAP_BASIS 7.40 SP14.

More information: SAP Note 1933254 - DBA Cockpit: Authorization check for SQL editor at table level in Related Information

SAP Note 1933254 also allows you to install the new functionality into older SAP_BASIS Releases and support packages.

Settings for SAP Roles and SQL Editor

From SAP_BASIS 7.40 SP14 and SAP_BASIS 7.50 SP01, the SAP roles for the SQL Editor are configured differently. The table below compares these changes.

Table 2: SAP Roles for the SQL Editor

SAP Role

Before SAP_BASIS 7.40 SP14

From SAP_BASIS 7.40 SP14

SAP_BC_S_DBCON_USER

The SQL editor is disabled.

The SQL editor is enabled for SELECT statements only and S_TABU_SQL allows access to ALL tables.

Tip To restrict access to specific tables and views, create a copy of SAP_BC_S_DBCON_USER and change the authorizations of S_TABU_SQL accordingly.

SAP_BC_S_DBCON_ADMIN

The SQL editor is enabled, but only for SELECT statements.

The SQL editor is enabled for SELECT statements only and S_TABU_SQL allows access to ALL tables.

Tip To restrict access to specific tables and views, create a copy of SAP_BC_S_DBCON_USER and change the authorizations of S_TABU_SQL accordingly.
Tip To use the SQL editor for all SQL statements, you need to manually create a role that contains the authorization object S_DBCON with ACTVT=36 (Extended Maintenance). This authorization is not included in the roles SAP_BC_S_DBCON_USER and SAP_BC_S_DBCON_ADMIN.
Related Information