
Restricting Authorizations for Searching

 

The standard end-user role SAP_ESH_SEARCH provides authorization for using the SAP NetWeaver Enterprise Search search function. You can modify this role using the S_ESH_CONN authorization object so that users assigned to it receive restricted search results.

No restrictions for users are entered in the standard system. By default, each user can submit search queries across all systems, search object connectors, and models using the SAP_ESH_SEARCH role.

Recommendation

We recommend using this authorization object to restrict access to information and documents through the search, in accordance with your company's security regulations, if this information and these documents are not already protected against unauthorized access by other security concepts, such as authorization checks.

Procedure

Recommendation

We recommend that you generate copies of the SAP_ESH_SEARCH role and change the authorizations of these copies.

To use the S_ESH_CONN authorization object to restrict the authorizations of the SAP_ESH_SEARCH role or copies of this role, proceed as follows:

  1. Start transaction PFCG.

  2. Enter the SAP_ESH_SEARCH role or the name of the copy and choose Edit.

  3. Switch to the Authorizations tab page.

  4. Choose Change Authorization Data.

  5. Open the tree structure below the selected role until the following fields appear:

    | Field | Description |
    |---|---|
    | Search Connector Request | Specifies the requests for which a user assigned to this role receives search results. |
    | Search Connector ID | Specifies the IDs of the search object connectors that a user is allowed to explore. |
    | System ID | Specifies the system that a user assigned to this role is allowed to explore. |
    | Client | Specifies the clients that are taken into account during a search. |
    | Model Name | Specifies the models that a user is allowed to search in. |
    | Model Type | Specifies the model types that are taken into account during a search. |

    The following model types are part of SAP NetWeaver Enterprise Search and entered by default:

    • SAP BI Search (BI)

    • SAP BO Legacy Search (BOS)

    • SAP BO Search (COMRUNTIME)

    • SAP File Search (FILES)

    • SAP KM Search (KM)

    • Open Search (OS)

    • SAP BO Search Service (SES)

    • Data Provider Service (WEBSERVICE)

  6. Choose the Edit icon for the fields that you want to use to restrict the search for the role in question.

  7. In the table, enter the values that the user is allowed to use during a search with this role.

    Note

    The values that you specify are positive values: for example, you specify the systems for which the user is authorized to find hits in the search results. You do not specify the systems that the user is not authorized to access with this role.

    * stands for unrestricted selection. All objects for this field are taken into account during a search.

    If you use more than one field, the system links them using AND and analyzes them in combination.

  8. To generate or refresh the authorization profile displayed, choose Generate.

    The authorization profile that you generate in this way is entered in the master record for the role users when a user comparison is performed.

  9. Return to role management and choose the Users tab page. Choose Compare Users to compare the user master records.

  10. Assign the changed role to the required users and delete these users from the SAP_ESH_SEARCH standard role.
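
The note in step 7 states how the field values are evaluated: positive values only, * for unrestricted selection, and AND across fields. The following Python model is an added example, not SAP code and not part of the original documentation; it applies those rules to constructed connectors and lists the fields a role copy still leaves at *. The function names, the sample IDs, and the treatment of a missing or empty field as allowing nothing are assumptions.

```python
# Added illustration, not SAP code: models the semantics of the note in step 7.
FIELDS = ("Search Connector Request", "Search Connector ID", "System ID",
          "Client", "Model Name", "Model Type")  # field labels from step 5
WILDCARD = "*"

def field_allows(allowed, actual):
    """Positive list: the value is listed, or the list contains '*'."""
    return WILDCARD in allowed or actual in allowed

def connector_visible(auth, connector):
    """Fields are linked with AND. Assumption: an empty field allows nothing."""
    return all(field_allows(auth.get(f, ()), connector[f]) for f in FIELDS)

def unrestricted_fields(auth):
    """Fields still set to '*', which this role does not restrict."""
    return [f for f in FIELDS if WILDCARD in auth.get(f, ())]

def visible_ids(auth, connectors):
    """IDs of the connectors that pass the check for every field."""
    return [c["Search Connector ID"] for c in connectors
            if connector_visible(auth, c)]

def make_connector(conn_id, system, client, model_type):
    """Build a constructed connector record; request and model name are fixed."""
    return {"Search Connector Request": "REQ1", "Search Connector ID": conn_id,
            "System ID": system, "Client": client,
            "Model Name": "MODEL1", "Model Type": model_type}

# Constructed sample data: all IDs, systems and clients are invented.
DEFAULT_ROLE = {f: {"*"} for f in FIELDS}  # standard system: no restrictions
ROLE_COPY = {**DEFAULT_ROLE, "System ID": {"HRP"}, "Client": {"100"},
             "Model Type": {"FILES", "KM"}}
CONNECTORS = [
    make_connector("CONN_A", "HRP", "100", "KM"),     # matches every field
    make_connector("CONN_B", "HRP", "200", "KM"),     # client not listed
    make_connector("CONN_C", "FIN", "100", "FILES"),  # system not listed
    make_connector("CONN_D", "HRP", "100", "BI"),     # model type not listed
]

if __name__ == "__main__":
    print("default role sees:", visible_ids(DEFAULT_ROLE, CONNECTORS))
    print("restricted copy sees:", visible_ids(ROLE_COPY, CONNECTORS))
    print("still unrestricted:", unrestricted_fields(ROLE_COPY))
```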