Authorizations

Search and Operational Analytics uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver Security Guide for Application Server ABAP also apply to Search and Operational Analytics.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. Roles can be maintained in the ABAP system using the profile generator (transaction PFCG).

Note

In the system, you can use transaction SU01 to find information about users, roles, authorizations, and authorization objects. You can use the Info System function (menu Info > Infosystem) to display the stored information.

ABAP Roles

Search and Operational Analytics provides a range of predefined roles for the ABAP system.

For information about the roles and authorizations relevant for operational data provisioning, see Authorizations for Operational Data Provisioning.

Dialog User

Role

Description

Standard user

The composite role SAP_ESH_SEARCH contains the roles:
  • SAP_BC_SEFS_RFC_ENDUSER
  • SAP_BC_SES_RFC_ENDUSER
  • SAP_ESH_BOS_RFC_ENDUSER
  • SAP_ESH_SEARCH_CATEG
  • SAP_ESH_SEARCH_USER

The role provides authorization for using the search function. You can use the role, for example, to restrict searches to particular search object connectors or to the search object connectors of a particular category.

It does not include any specific application-related privileges such as for business partners or material masters.

The authorization objects S_LDAP, S_ESH_CONN and S_ESH_CAT are required.

If you want to restrict authorizations for connectors, you need to create a copy of the role SAP_ESH_SEARCH and assign the authorizations for the standard connectors ESH_CONNECTOR and ESH_CATEGORY, so that the search UI can be used.

To perform authorization checks on connectors and categories, you must activate the parameter Model Authorization in Customizing of the ABAP system. The parameter is located in Customizing (transaction SPRO) under SAP NetWeaver > Search and Operational Analytics > Embedded Search > Search Configuration > Set Parameters for Federated Search.

In the automatic setting, the parameter Model Authorization is activated by default for the SAP HANA-based variant of Embedded Search. For the TREX/BWA-based variant, the parameter is deactivated in the automatic setting for compatibility reasons. In this case, only the application-specific authorizations for the object are checked, for example, for an individual business partner or material master.

We recommend that you do not deactivate the parameter in the SAP HANA-based variant and that you manually activate it in the TREX/BWA-based variant, to prevent performance problems during the search. Make sure that you have given the users appropriate authorization profiles. The relevant authorization objects are, as already mentioned, S_ESH_CONN and S_ESH_CAT.

Administrator

The composite role SAP_ESH_LOCAL_ADMIN contains the roles:
  • SAP_ESH_CR_ADMIN
  • SAP_ESH_TRANSPORT
  • SAP_BC_SES_ADMIN
  • SAP_ESH_CUST_QUERY_LOG
  • SAP_ESH_REORG_QUERY_LOG

This composite role and the roles contained in it provide the various authorizations required for configuration changes and administration tasks within Search and Operational Analytics.

It does not include any specific application-related privileges such as for business partners or material masters.

The SAP_ESH_TRANSPORT role requires the S_TRANSPRT authorization object to transport search and analysis models.

Administrator with read authorization but no write authorization

SAP_ESH_SUPPORT

This role is used for support purposes and provides read-access to the configuration of Search and Operational Analytics. Users of this role cannot make any changes to the configuration.

User with access to query log

SAP_ESH_CONTENT_MANAGER

  • SAP_ESH_DISPLAY_QUERY_LOG

This role is authorized to access the query log, which contains information subject to data protection measures.

For more information about the query log, see Security of Logs and Traces.

Service User

Role

Description

Batch Indexing

SAP_ESH_DATA_PULL

The service user is used in the Delegated Search.

Authorization Objects

SAP NetWeaver Enterprise Search uses the following specific authorization objects for authorization tasks:

Authorization Object

Description/Comment

S_ESH_ADM

This authorization object is used to determine whether or not the user has administration authorization for connectors.

It is used to create, change, display, and delete connectors.

It is included in the composite role SAP_ESH_LOCAL_ADMIN.

S_ESH_CONN

You can use the authorization object S_ESH_CONN to adjust the standard end user role SAP_ESH_SEARCH, or copies of this role, which provide authorization for the use of the search function of SAP NetWeaver Enterprise Search, so that users assigned these roles receive restricted search results. For example, you can restrict searches to particular systems or search object connectors.

S_ESH_PUSH

This authorization object is required to transfer application data between a back-end system and SAP NetWeaver Enterprise Search, if you have activated the "Indexing in Real Time" option for at least one connector.

It is assigned to a technical user that is used for RFC communication between the back-end system and the hub.

S_ESH_CAT

The role SAP_ESH_SEARCH_CATEG (contained in the role SAP_ESH_SEARCH) uses the authorization object S_ESH_CAT. The authorization object allows restricted search results on the basis of the categories to which connectors are assigned. In the authorization object, create entries for the categories to which connectors are assigned that the users are allowed to search. Connectors that are not assigned to any category (category ALL Content) can be searched by all users.

If you have assigned a model or a connector to a category, both authorization objects S_ESH_CONN and S_ESH_CAT are checked and their intersection calculated.

Example

The entries * and Marketing are created in the authorization object. Users can search all connectors that are assigned to the category Marketing and all other connectors that are not assigned to any category (entry *).

S_LDAP

The authorization object is used to read user data and user authorizations from the LDAP server defined in Customizing.

The SAP NetWeaver Enterprise Search roles also contain other authorization objects from SAP NetWeaver that are required to carry out the complete administration processes.
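As an added example (not code from this guide or from SAP), the following Python model shows how the S_ESH_CONN and S_ESH_CAT checks described above combine into the effective search scope of a user, including the Model Authorization switch. The connector names BUPA_CONN, CAMPAIGN_CONN and MATERIAL_CONN and the category Logistics are constructed, and treating a '*' entry in S_ESH_CONN as a wildcard pattern is an assumption.

```python
"""Illustrative model of the connector/category authorization check this
page describes. Added example, not SAP code: S_ESH_CONN restricts connectors,
S_ESH_CAT restricts categories, and for a categorized connector both must
permit access (their intersection applies)."""
from fnmatch import fnmatchcase

# Constructed connector -> category table. None = no category assigned
# ("ALL Content"), which the page says every user may search.
CONNECTORS = {
    "ESH_CONNECTOR": None,          # standard connector named on the page
    "ESH_CATEGORY": None,           # standard connector named on the page
    "BUPA_CONN": "Marketing",       # constructed
    "CAMPAIGN_CONN": "Marketing",   # constructed
    "MATERIAL_CONN": "Logistics",   # constructed
}


def allowed_by_conn(connector, conn_entries):
    """S_ESH_CONN check: entries are connector IDs; '*' patterns are an
    assumption of this model."""
    return any(fnmatchcase(connector, entry) for entry in conn_entries)


def allowed_by_cat(category, cat_entries):
    """S_ESH_CAT check: a connector without a category is open to every
    user (the page's '*' entry stands for this case); a categorized
    connector needs its category listed in the user's entries."""
    if category is None:
        return True
    return category in cat_entries


def searchable_connectors(conn_entries, cat_entries, model_authorization=True):
    """Return the set of connectors a user may search.

    With the Model Authorization parameter deactivated, the page says only
    application-specific checks run, so no connector/category filtering
    happens at this level and every connector is returned."""
    if not model_authorization:
        return set(CONNECTORS)
    return {
        conn for conn, cat in CONNECTORS.items()
        if allowed_by_conn(conn, conn_entries) and allowed_by_cat(cat, cat_entries)
    }


if __name__ == "__main__":
    # The page's example: S_ESH_CAT entries * and Marketing, unrestricted S_ESH_CONN.
    print(sorted(searchable_connectors({"*"}, {"*", "Marketing"})))
    # A copied role that additionally narrows S_ESH_CONN to two patterns.
    print(sorted(searchable_connectors({"ESH_*", "BUPA*"}, {"Marketing"})))
```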

Required Roles for Further Search Scenarios

The following roles in the back-end system are required for delegated searches (a search request is sent from an Embedded Search system connected to a hub to that hub, which returns the response):

Users in the Delegated Search Scenario

Role

Standard user

-

Administrator

The SAP_ESH_ADMIN composite role containing the roles:
  • SAP_ESH_CR_ADMIN
  • SAP_ESH_TRANSPORT
  • SAP_BC_SES_ADMIN
  • SAP_BC_SEFS_ADMIN
  • SAP_ESH_BI_CONTENT_GEN
  • SAP_ESH_BOS_ADMIN

Service user

For batch indexing: SAP_ESH_DATA_PULL

Note

For more information about the roles used on the hub (the system on which SAP NetWeaver Enterprise Search is running), see the separate security guide for SAP NetWeaver Enterprise Search.

The following roles in the back-end system are required for searches in an SES-compatible back-end system:

Users in an SES-Compatible Back-End System

Role

Standard user

SAP_BC_SES_RFC_ENDUSER

The S_RFC authorization object is required for the remote search and for the remote logon to launch the search results from the results list.

Administrator

SAP_BC_SES_ADMIN

Service user

For metadata extraction: SAP_BC_SES_RFC_ENDUSER