Privileges 
There are two types of privileges: object privileges and system privileges. Object privileges are granted for a specific object. System privileges are granted for object types and can apply to the entire system or be limited to objects in a particular partition or with a particular isolation group.
Isolation groups isolate users and objects from other users and objects. To see and access users or objects in an isolation group, a user must have the same isolation group and the required privileges. A user can have one or more isolation groups; in that case, the user must choose the enabled isolation group for the session at logon. See the isolation group section for more information.
Object privileges always relate to a specific object and allow the grantee a specific right on the object. A View privilege on the RS_PrintStatements job definition, for example, is only valid for that job definition. If the user has no other job definition-related system privileges and no other object privileges on job definitions, the only job definition the grantee can view, or access, is RS_PrintStatements.
Object privileges cannot be granted directly; instead, you grant ranks of privileges. For example, the Edit rank contains both the View and Edit privileges. This prevents human error, as you need to see an object before you can edit it. Furthermore, privileges can be granted as Access or as Admin; when you grant a privilege as Admin, the grantee can grant the privilege to other users.
System privileges are granted on three levels: per partition, per isolation group, or system wide. If you are using multiple partitions or isolation groups, you can restrict a system privilege to one partition or isolation group.
The EventDefinition.Raise system privilege, for example, allows the grantee to raise all events he can view. Combined with EventDefinition.View, he can access all events in a partition, in an isolation group, or across the entire system.
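The following is an added illustration, not SAP CPS code or its API: a simplified Python model of the access decision described above (isolation group, object privilege through a rank, system privilege limited to a level). Assumptions: the class and function names, the level labels "system", "partition" and "isolation_group", the "JobDefinition" type name, a View rank, the order of the checks, and all sample objects except RS_PrintStatements.

```python
from dataclasses import dataclass, field
# "Edit" rank contents come from the page; the "View" rank is an assumption.
RANKS = {"View": {"View"}, "Edit": {"View", "Edit"}}

@dataclass(frozen=True)
class Obj:
    type: str             # e.g. "JobDefinition", "EventDefinition"
    name: str
    partition: str
    isolation_group: str

@dataclass
class User:
    isolation_groups: set
    object_grants: dict = field(default_factory=dict)  # (type, name) -> rank
    system_grants: set = field(default_factory=set)    # (privilege, level, scope)

def has_privilege(user, enabled_group, obj, priv):
    # Isolation first (assumed order): the group enabled at logon must match the object's.
    if enabled_group not in user.isolation_groups or obj.isolation_group != enabled_group:
        return False
    # Object privilege: granted as a rank, valid for this one object only.
    rank = user.object_grants.get((obj.type, obj.name))
    if rank and priv in RANKS[rank]:
        return True
    # System privilege: valid system wide, or for one partition or isolation group.
    for name, level, scope in user.system_grants:
        if name == f"{obj.type}.{priv}" and (
                level == "system"
                or (level == "partition" and scope == obj.partition)
                or (level == "isolation_group" and scope == obj.isolation_group)):
            return True
    return False

def can_raise(user, enabled_group, event):
    # Raise applies only to events the grantee can also view.
    return all(has_privilege(user, enabled_group, event, p) for p in ("View", "Raise"))

def demo():
    # Constructed sample data; only RS_PrintStatements is a name from the page.
    job = Obj("JobDefinition", "RS_PrintStatements", "P1", "IG1")
    other = Obj("JobDefinition", "Other_Job", "P1", "IG1")
    event = Obj("EventDefinition", "Sample_Event", "P1", "IG1")
    u = User({"IG1"}, {("JobDefinition", "RS_PrintStatements"): "View"},
             {("EventDefinition.Raise", "partition", "P1")})
    raise_only = can_raise(u, "IG1", event)
    u.system_grants.add(("EventDefinition.View", "partition", "P1"))
    return [has_privilege(u, "IG1", job, "View"), has_privilege(u, "IG1", job, "Edit"),
            has_privilege(u, "IG1", other, "View"), raise_only, can_raise(u, "IG1", event)]
```

In this model, demo() shows that a View rank on RS_PrintStatements gives no access to any other job definition, and that a Raise privilege limited to one partition has no effect until the matching View privilege is also granted.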
The default roles cannot be edited, but roles you created in external authentication systems are editable in SAP CPS, provided you have the necessary security module. Check your license if you are unsure. The default permissions granted to built-in roles are listed in the Granted System Privileges section.