Search and Operational Analytics uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver Security Guide for Application Server ABAP also apply to Search and Operational Analytics.
The SAP NetWeaver authorization concept assigns authorizations to users by means of roles. Roles can be maintained in the ABAP system using the profile generator (transaction PFCG).
Note
In the system, you can use transaction SU01 to find information about users, roles, authorizations, and authorization objects. You can use the Info System function (in the menu bar) to display stored information.
Search and Operational Analytics provides a range of predefined roles for the ABAP system.
For information about the roles and authorizations relevant for operational data provisioning, see Authorizations for Operational Data Provisioning.
Dialog User | Role | Description |
---|---|---|
Administrator | The contains the roles: | This composite role and the roles contained in it provide the various authorizations required for configuration changes and administration tasks within Search and Operational Analytics. It does not include any specific application-related privileges such as for business partners or material masters. The |
Administrator with read-authorization but not write-authorization | | This role is used for support purposes and provides read-access to the configuration of Search and Operational Analytics. Users of this role cannot make any changes to the configuration. |
User with access to query log | | This role is authorized to access the query log, which contains information subject to data protection measures. For more information about the query log, see Security of Logs and Traces. |
Service User | Role | Description |
---|---|---|
Batch Indexing | | The service user is used in the |
SAP NetWeaver Enterprise Search uses the following specific authorization objects for authorization tasks:
Authorization Object | Description/Comment |
---|---|
 | This authorization object is used to determine whether or not the user has administration authorization for connectors. It is used to create, change, display, and delete connectors. It is included in the composite role |
 | This authorization object is required to transfer application data between a back-end system and SAP NetWeaver Enterprise Search, if you have activated the "Indexing in Real Time" option for at least one connector. It is assigned to a technical user that is used for RFC communication between the back-end system and the hub. |
The SAP NetWeaver Enterprise Search roles also contain other authorization objects from SAP NetWeaver that are required to carry out the complete administration processes.
The following roles in the back-end system are required for delegated searches (an Embedded Search system that is connected to a hub sends the search request to that hub for a response):
Users in the Delegated Search Scenario | Role |
---|---|
Standard user | - |
Administrator | The |
Service user | For batch indexing: |
Note
For more information about the roles used on the hub (the system on which SAP NetWeaver Enterprise Search is running), see the separate security guide for SAP NetWeaver Enterprise Search.
The following roles in the back-end system are required for searches in an SES-compatible back-end system:
Users in an SES-Compatible Back-End System | Role |
---|---|
Standard user | The |
Administrator | |
Service user | For metadata extraction: |