Authorizations

SAP NetWeaver Enterprise Search uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations described in the SAP NetWeaver Security Guide for Application Server ABAP also apply to SAP NetWeaver Enterprise Search.

The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. Roles can be maintained in the ABAP system using the profile generator (transaction PFCG).

Note

In the system, you can use transaction SU01 to find information about users, roles, authorizations, and authorization objects. You can use the Info System function (in the menu bar, Info > Info System) to display stored information.

End of the note.

ABAP Roles

SAP NetWeaver Enterprise Search provides a range of predefined roles for the ABAP system.

Overview of the Dialog Users in SAP NetWeaver Enterprise Search

Dialog user: Standard user

Role: The composite role SAP_ESH_SEARCH contains the following roles:

  • SAP_BC_SEFS_RFC_ENDUSER

  • SAP_BC_SES_RFC_ENDUSER

  • SAP_ESH_BOS_RFC_ENDUSER

  • SAP_ESH_SEARCH_CATEG

  • SAP_ESH_SEARCH_USER

Description/Comment: On the hub system: The role provides authorization to use the search function.

For example, you can use it to restrict searches to specific systems or search object connectors, or to search object connectors in a specific category.

It does not include any application-specific privileges, such as those for business partners or material masters.

The authorization objects S_LDAP, S_ESH_CONN, and S_ESH_CAT are required.

Role: SAP_ESH_DELEGATED_SEARCH

Description/Comment: On the hub system: The role is required if users delegate their search requests from a system containing Embedded Search to the SAP NetWeaver Enterprise Search hub and have them performed there. The role must be assigned to these users on the hub system.

The S_RFCACL authorization object is required.

Dialog user: Administrator

Role: The composite role SAP_ESH_ADMIN contains the following roles:

  • SAP_ESH_CR_ADMIN

  • SAP_ESH_TRANSPORT

  • SAP_BC_SES_ADMIN

  • SAP_BC_SEFS_ADMIN

  • SAP_BC_WEBSERVICE_ADMIN_TEC

  • SAP_ESH_BI_CONTENT_GEN

  • SAP_ESH_BOS_ADMIN

Description/Comment: On the hub system and in the Delegated Search scenario: This composite role and the roles contained in it provide the authorizations required for configuration changes and administration tasks within SAP NetWeaver Enterprise Search.

It does not include any generic system privileges required to administer an SAP system.

The SAP_ESH_TRANSPORT role requires the S_TRANSPRT authorization object to transport templates.

Dialog user: Administrator with read authorization but no write authorization

Role: SAP_ESH_SUPPORT

Description/Comment: This role is used for support purposes and provides read access to the configuration of SAP NetWeaver Enterprise Search. Users with this role cannot make any changes to the configuration.

Overview of the Service Users in SAP NetWeaver Enterprise Search

Service user: Real-time indexing

Role: SAP_ESH_DATA_PUSH

Description/Comment: The authorization object is required on the hub system for the service user that receives the index data to be changed from the back-end system. This protects indexes against unauthorized changes.

Service user: Metadata extraction

Role: SAP_BC_SES_RFC_ENDUSER

Description/Comment: The service user is required on the connected SES-compatible back-end system, for example SAP ERP 6.0.

Authorization Objects

SAP NetWeaver Enterprise Search uses the following specific authorization objects for authorization tasks:

Authorization object: S_ESH_ADM

Description/Comment: This authorization object determines whether the user has administration authorization for search object connectors. It is used to create, change, display, and delete search object connectors.

It is included in the composite role SAP_ESH_LOCAL_ADMIN.

Authorization object: S_ESH_CONN

Description/Comment: The standard end-user role SAP_ESH_SEARCH (or a copy of it), which provides authorization for using the SAP NetWeaver Enterprise Search search function, can be modified using the S_ESH_CONN authorization object so that users assigned to this role receive restricted search results.

For example, you can use it to restrict access to certain systems or search object connectors during searches.

More information: Restricting Authorizations for Searching

Authorization object: S_ESH_PUSH

Description/Comment: This authorization object is required to transfer application data between a back-end system and SAP NetWeaver Enterprise Search if you have activated the "Indexing in Real Time" option for at least one search connector.

It is assigned to a technical user that is used for RFC communication between the back-end system and the hub.

Authorization object: S_ESH_CAT

Description/Comment: The SAP_ESH_SEARCH_CATEG role (included in the SAP_ESH_SEARCH role) uses the S_ESH_CAT authorization object.

The authorization object limits search results based on the categories that are assigned to connectors.

Create entries in the authorization object for the categories that are assigned to the connectors that users can search.

Connectors that are not assigned to any categories (category ALL Content) can be searched by all users.

Example

The entries * and Marketing are created in the authorization object. Users can search all connectors that are assigned to the Marketing category and all other connectors that are not assigned to any categories (entry *).

End of the example.
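The following is an added, constructed model of the restriction logic described for S_ESH_CONN (restricting searches to certain systems or connectors) and S_ESH_CAT (restricting by connector category, including the * and Marketing example above). It is not SAP code: the field layout of the two authorization objects, the connector names, the system IDs and the categories are all assumptions made for the illustration, and the treatment of the * entry follows the worked example on this page.

```python
"""Model of category- and connector-based search restriction.

Constructed illustration only (not SAP code): it mirrors the semantics the
page describes for S_ESH_CONN (restrict to systems / connectors) and
S_ESH_CAT (restrict by connector category), using hypothetical field names.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Connector:
    """A search object connector on the hub (constructed sample data)."""
    name: str
    system: str
    categories: frozenset = frozenset()   # empty = category "ALL Content"


@dataclass
class UserAuth:
    """Authorization values held by one user (hypothetical field layout)."""
    # S_ESH_CONN: (system pattern, connector pattern) pairs, '*' = any
    conn_entries: list = field(default_factory=lambda: [("*", "*")])
    # S_ESH_CAT: category names; '*' covers connectors without a category
    cat_entries: frozenset = frozenset({"*"})


def connector_allowed(auth: UserAuth, c: Connector) -> bool:
    """S_ESH_CONN check: at least one entry must match system and connector."""
    return any(fnmatchcase(c.system, sys_pat) and fnmatchcase(c.name, conn_pat)
               for sys_pat, conn_pat in auth.conn_entries)


def category_allowed(auth: UserAuth, c: Connector) -> bool:
    """S_ESH_CAT check as described in the page's example: a connector without
    a category needs the '*' entry, a categorised connector needs any one of
    its categories to be listed."""
    if not c.categories:
        return "*" in auth.cat_entries
    return bool(c.categories & auth.cat_entries)


def searchable_connectors(auth: UserAuth, connectors) -> list:
    """Return names of connectors the user may search; both checks must pass."""
    return sorted(c.name for c in connectors
                  if connector_allowed(auth, c) and category_allowed(auth, c))


# Constructed sample landscape (names and systems are invented)
CONNECTORS = [
    Connector("MATERIAL", "ERP_PRD", frozenset({"Logistics"})),
    Connector("CAMPAIGN", "CRM_PRD", frozenset({"Marketing"})),
    Connector("CUSTOMER", "CRM_PRD", frozenset({"Marketing", "Sales"})),
    Connector("DOCUMENTS", "HUB", frozenset()),          # ALL Content
    Connector("COSTCENTER", "ERP_PRD", frozenset({"Finance"})),
]

# User from the page's example: entries * and Marketing in S_ESH_CAT,
# no S_ESH_CONN restriction.
MARKETING_USER = UserAuth(cat_entries=frozenset({"*", "Marketing"}))

# Same categories, but S_ESH_CONN limits the user to the CRM system.
CRM_ONLY_USER = UserAuth(conn_entries=[("CRM_*", "*")],
                         cat_entries=frozenset({"*", "Marketing"}))


if __name__ == "__main__":
    print(searchable_connectors(MARKETING_USER, CONNECTORS))
    # → ['CAMPAIGN', 'CUSTOMER', 'DOCUMENTS']
    print(searchable_connectors(CRM_ONLY_USER, CONNECTORS))
    # → ['CAMPAIGN', 'CUSTOMER']
```

Both checks are applied as an intersection: S_ESH_CONN decides which systems and connectors are reachable at all, and S_ESH_CAT then narrows the result by category, so a user who is missing the * entry loses the uncategorised connectors even when S_ESH_CONN is unrestricted.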

Authorization object: S_LDAP

Description/Comment: The authorization object is used to read user data and their permissions from the LDAP server defined in Customizing.

It is required for searching documents on file servers and Web servers.

The SAP NetWeaver Enterprise Search roles also contain other authorization objects from SAP NetWeaver that are required to carry out the complete administration processes.

Required Roles for Further Search Scenarios

The following roles in the back-end system are required for delegated searches (the search request is sent from a back-end system that is connected to a hub to the hub for a response):

Users in the Delegated Search Scenario

User: Standard user

Role: -

User: Administrator

Role: The composite role SAP_ESH_ADMIN contains the following roles:

  • SAP_ESH_CR_ADMIN

  • SAP_ESH_TRANSPORT

  • SAP_BC_SES_ADMIN

  • SAP_BC_SEFS_ADMIN

  • SAP_ESH_BI_CONTENT_GEN

  • SAP_ESH_BOS_ADMIN

User: Service user

Role: For batch indexing: SAP_ESH_DATA_PULL

The following roles in the back-end system are required for searches in an SES-compatible back-end system:

Users in an SES-Compatible Back-End System

User: Standard user

Role: SAP_BC_SES_RFC_ENDUSER

The S_RFC authorization object is required for the remote search and for the remote logon used to launch the search results from the results list.

User: Administrator

Role: SAP_BC_SES_ADMIN

User: Service user

Role: For metadata extraction: SAP_BC_SES_RFC_ENDUSER

For more information about which roles are used on a separate system containing Embedded Search, see the SAP NetWeaver documentation in the Embedded Search Security Guide.

Users in a Back-End System for the BO Legacy Search

User: Standard user

Role: -

User: Administrator

Role: -

User: Service user

Role: The back-end system forwards information about the authorizations of its users to SAP NetWeaver Enterprise Search so that the search can be performed with authorization checks.

The service user that receives this information is called XXX.