Authorizations

Search and Operational Analytics uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver Security Guide for Application Server ABAP also apply to Search and Operational Analytics.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. Roles can be maintained in the ABAP system using the profile generator (transaction PFCG).

Note Note

In the system, you can use transaction SU01 to find information about users, roles, authorizations, and authorization objects. You can use the Info System function (in the menu bar Start of the navigation path Info Next navigation step Info System End of the navigation path ) to display stored information.

End of the note.

ABAP Roles

Search and Operational Analytics provides a range of predefined roles for the ABAP system.

For information about the roles and authorizations relevant for operational data provisioning, see Authorizations for Operational Data Provisioning.

Overview of the Dialog Users in Search and Operational Analytics
Dialog User	Role	Description
Administrator	The SAP_ESH_LOCAL_ADMIN composite role contains the roles: SAP_ESH_CR_ADMIN SAP_ESH_TRANSPORT SAP_BC_SES_ADMIN SAP_ESH_CUST_QUERY_LOG SAP_ESH_REORG_QUERY_LOG	This composite role and the roles contained in it provide the various authorizations required for configuration changes and administration tasks within Search and Operational Analytics. It does not include any specific application-related privileges such as for business partners or material masters. The SAP_ESH_TRANSPORT role requires the S_TRANSPRT authorization object to transport search and analysis models.
Administrator with read-authorization but not write-authorization	SAP_ESH_SUPPORT	This role is used for support purposes and provides read-access to the configuration of Search and Operational Analytics. Users of this role cannot make any changes to the configuration.
User with access to query log	SAP_ESH_CONTENT_MANAGER SAP_ESH_DISPLAY_QUERY_LOG	This role is authorized to access the query log, which contains information subject to data protection measures. For more information about the query log, see Security of Logs and Traces.

Overview of the Service Users in Search and Operational Analytics
Service User	Role	Description
Batch Indexing	SAP_ESH_DATA_PULL	The service user is used in the Delegated Search.

Authorization Objects

SAP NetWeaver Enterprise Search uses the following specific authorization objects for authorization tasks:

Authorization Object	Description/Comment
S_ESH_ADM	This authorization object is used to determine whether or not the user has administration authorization for connectors. It is used to create, change, display, and delete connectors. It is included in the composite role SAP_ESH_LOCAL_ADMIN.
S_ESH_PUSH	This authorization object is required to transfer application data between a back-end system and SAP NetWeaver Enterprise Search, if you have activated the "Indexing in Real Time" option for at least one connector. It is assigned to a technical user that is used for RFC communication between the back-end system and the hub.

Authorization Object

Description/Comment

S_ESH_ADM

This authorization object is used to determine whether or not the user has administration authorization for connectors.

It is used to create, change, display, and delete connectors.

It is included in the composite role SAP_ESH_LOCAL_ADMIN.

S_ESH_PUSH

This authorization object is required to transfer application data between a back-end system and SAP NetWeaver Enterprise Search, if you have activated the "Indexing in Real Time" option for at least one connector.

It is assigned to a technical user that is used for RFC communication between the back-end system and the hub.

The SAP NetWeaver Enterprise Search roles also contain other authorization objects from SAP NetWeaver that are required to carry out the complete administration processes.

Required Roles for Further Search Scenarios

The following roles in the back-end system are required for delegated searches (search request is sent from an Embedded Search system that is connected to a hub to the hub for a response):

Users in the Delegated Search Scenario	Role
Standard user	-
Administrator	The SAP_ESH_ADMIN composite role containing the roles: SAP_ESH_CR_ADMIN SAP_ESH_TRANSPORT SAP_BC_SES_ADMIN SAP_BC_SEFS_ADMIN SAP_ESH_BI_CONTENT_GEN SAP_ESH_BOS_ADMIN
Service user	For batch indexing: SAP_ESH_DATA_PULL

Note Note

For more information about the roles used on the hub (the system on which SAP NetWeaver Enterprise Search is running), see the separate security guide for SAP NetWeaver Enterprise Search.

End of the note.

The following roles in the back-end system are required for searches in an SES-compatible back-end system:

Users in an SES-Compatible Back-End System	Role
Standard user	SAP_BC_SES_RFC_ENDUSER The S_RFC authorization object is required for the remote search and for the remote logon to launch the search results from the results list.
Administrator	SAP_BC_SES_ADMIN
Service user	For metadata extraction: SAP_BC_SES_RFC_ENDUSER

Users in an SES-Compatible Back-End System

Role

Standard user

SAP_BC_SES_RFC_ENDUSER

The S_RFC authorization object is required for the remote search and for the remote logon to launch the search results from the results list.

Administrator

SAP_BC_SES_ADMIN

Service user

For metadata extraction: SAP_BC_SES_RFC_ENDUSER