IBM Support

SAP security and deployment best practices for InfoSphere Information Server Pack for SAP Applications 8.2 and 8.1

Question & Answer


Question

What are the authorization requirements and security best practices for the SAP Pack?

Answer

Introduction

In projects where InfoSphere Information Server is used for data exchange with SAP, one or more technical SAP user accounts (user type Communications Data in classic SAP terminology) are needed for the DataStage® jobs to connect to the SAP system. The ETL development team therefore needs to work with the SAP Basis administrator to obtain user IDs for the SAP system with the appropriate permissions.
All user accounts and authorizations in SAP are maintained separately for each SAP client. An SAP client is an isolated partition of the system identified by a three-digit number. All DataStage SAP connections operate on a given client, so all authorization rules need to be applied to the correct SAP client as well.
User accounts in SAP are managed using the transaction su01. Figure 1 shows an example user properties view. In addition to assigning basic properties like the user name and password, you can also use this transaction to assign the authorizations.

Figure 1. Authorization roles assigned to an SAP user



Authorization role templates

InfoSphere Pack for SAP requires different authorizations depending on the stages you intend to use. These need to be configured appropriately by an SAP Basis administrator. Appropriate authorization role templates are provided with the SAP Pack. The role templates are made available as transport request files that can be directly imported into an SAP system.


The authorization roles provided for the SAP Pack are composed of standard SAP authorizations where possible, but also contain authorizations specifically configured for the use with the SAP Pack. Both version 8.1 and 8.2 include the same authorization requirements, but the role names are different (to include the version number). The authorization roles provided with the SAP Pack are as follows:

Version 8.2

Composite roles:

  • /IBMIIS/DS-ADM-ALL-V8-2
  • /IBMIIS/DS-DESIGN-V8-2
  • /IBMIIS/DS-RUNTIME-V8-2

Single roles:

  • /IBMIIS/DS-DESIGN-ABAP-V8-2
  • /IBMIIS/DS-DESIGN-BAPI-V8-2
  • /IBMIIS/DS-DESIGN-DE-EXT-V8-2
  • /IBMIIS/DS-DESIGN-IDOC-V8-2
  • /IBMIIS/DS-DESIGN-RM-V8-2
  • /IBMIIS/DS-RUNTIM-DE-EXT-V8-2
  • /IBMIIS/DS-RUNTIM-IDC-SVR-V8-2
  • /IBMIIS/DS-RUNTIME-ABAP-V8-2
  • /IBMIIS/DS-RUNTIME-BAPI-V8-2
  • /IBMIIS/DS-RUNTIME-IDOC-V8-2

Version 8.1

Composite roles:

  • /IBMIIS/DS-ADM-ALL-V8-1
  • /IBMIIS/DS-DESIGN-V8-1
  • /IBMIIS/DS-RUNTIME-V8-1

Single roles:

  • /IBMIIS/DS-DESIGN-ABAP-V8-1
  • /IBMIIS/DS-DESIGN-BAPI-V8-1
  • /IBMIIS/DS-DESIGN-DE-EXT-V8-1
  • /IBMIIS/DS-DESIGN-IDOC-V8-1
  • /IBMIIS/DS-DESIGN-RM-V8-1
  • /IBMIIS/DS-RUNTIM-DE-EXT-V8-1
  • /IBMIIS/DS-RUNTIM-IDC-SVR-V8-1
  • /IBMIIS/DS-RUNTIME-ABAP-V8-1
  • /IBMIIS/DS-RUNTIME-BAPI-V8-1
  • /IBMIIS/DS-RUNTIME-IDOC-V8-1

Note: In the rest of this document, 8-x is used as a placeholder for both Pack versions. Read it as 8-1 if you use Pack version 8.1 and as 8-2 if you use Pack version 8.2 (for example, role DS-DESIGN-ABAP-V8-1 in version 8.1 becomes DS-DESIGN-ABAP-V8-2 in version 8.2).


Notes:

  • /IBMIIS/DS-ADM-ALL-V8-x is the composite role that includes all sub-roles for the design-time and the runtime authorizations.
  • /IBMIIS/DS-DESIGN-V8-x is the composite design-time role that contains all sub-roles needed to create and run SAP Pack jobs. It can be used in a development environment where tasks like job design and unit testing are performed.
  • /IBMIIS/DS-RUNTIME-V8-x is the composite runtime role that contains only the sub-roles needed to run SAP Pack jobs. It is more restrictive and can be used in a production environment where only activities needed during the actual job run should be allowed.

 

Installing the SAP transport files

For instructions on how to install the SAP transport request files containing the authorization roles, refer to technote 0888523 (Pack version 8.2) and technote 2016311 (Pack version 8.1).



Mapping the SAP authorizations to development, test, and production environments

On the development SAP system, DataStage jobs are designed and unit-tested. To perform these tasks, the technical SAP user needs design-time as well as runtime privileges for the stages to be used in the jobs to be developed.


The testing environment should simulate the production environment. On this system, the technical SAP user should be assigned only the runtime authorizations needed for the stages used in jobs that are to run in the production environment.
In the production environment, the most restrictive security policies are usually in place. As a result, only the absolutely necessary privileges should be granted to the technical SAP user, which means only the runtime authorizations needed for the stages used in the jobs running in production.
Detailed information on the different authorizations needed for each stage type at design and runtime can be found in the stage-specific sections below.
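The environment mapping above can be checked mechanically against the role assignments the Basis administrator actually maintains. The following is an added example, not part of the technote or the SAP Pack: it assumes a semicolon-separated export of the SAP table AGR_USERS (role-to-user assignments, columns MANDT, AGR_NAME, UNAME, FROM_DAT, TO_DAT) and a constructed client-to-environment mapping, and flags design-time roles outside development, assignments on undocumented clients, and IDoc/Delta runtime roles that lack the IDoc Listener role.

```python
import csv
import io

# Role-name prefixes as listed in the technote; "8-x" stands for either Pack version.
DESIGN_PREFIXES = ("/IBMIIS/DS-DESIGN-", "/IBMIIS/DS-ADM-ALL-")
# Runtime roles for which the technote also requires the IDoc Listener role.
NEEDS_LISTENER = ("/IBMIIS/DS-RUNTIME-IDOC-", "/IBMIIS/DS-RUNTIM-DE-EXT-")
LISTENER_PREFIX = "/IBMIIS/DS-RUNTIM-IDC-SVR-"

# Constructed (assumption): which SAP client in this landscape serves which purpose.
ENV_BY_CLIENT = {"100": "DEV", "200": "TEST", "300": "PROD"}

# Constructed AGR_USERS export. MANDT = client, AGR_NAME = role, UNAME = user,
# FROM_DAT/TO_DAT = validity period as YYYYMMDD (99991231 means no end date).
SAMPLE_EXPORT = """MANDT;AGR_NAME;UNAME;FROM_DAT;TO_DAT
100;/IBMIIS/DS-DESIGN-V8-2;DSDEV;20200101;99991231
200;/IBMIIS/DS-RUNTIME-V8-2;DSTST;20200101;99991231
300;/IBMIIS/DS-RUNTIME-ABAP-V8-2;DSPRD;20200101;99991231
300;/IBMIIS/DS-RUNTIME-IDOC-V8-2;DSPRD;20200101;99991231
300;/IBMIIS/DS-DESIGN-ABAP-V8-2;DSPRD;20200101;20200131
300;/IBMIIS/DS-ADM-ALL-V8-2;DSPRD;20200101;99991231
400;/IBMIIS/DS-RUNTIME-BAPI-V8-2;DSOLD;20200101;99991231
"""


def audit_assignments(export_text, env_by_client, today):
    """Return (client, user, role, finding) tuples; `today` is YYYYMMDD.

    Composite roles are treated as opaque names: the technote states which
    composites are design-time and which are runtime, so the prefix suffices.
    """
    findings = []
    active = {}  # (client, user) -> set of currently valid role names
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        client, role, user = row["MANDT"], row["AGR_NAME"], row["UNAME"]
        # Authorizations are maintained per client: an assignment on a client
        # outside the documented landscape is an unreviewed permission.
        env = env_by_client.get(client)
        if env is None:
            findings.append((client, user, role, "assignment on unmapped client"))
            continue
        # Fixed-width YYYYMMDD strings compare correctly as plain strings.
        if row["TO_DAT"] < today:
            continue  # expired assignment no longer grants anything
        active.setdefault((client, user), set()).add(role)
        if env != "DEV" and role.startswith(DESIGN_PREFIXES):
            findings.append((client, user, role, f"design-time role in {env}"))
    # IDoc Extract / Delta Extract at runtime need the Listener role on the same logon.
    for (client, user), roles in sorted(active.items()):
        needs = sorted(r for r in roles if r.startswith(NEEDS_LISTENER))
        if needs and not any(r.startswith(LISTENER_PREFIX) for r in roles):
            findings.append((client, user, needs[0], "IDoc Listener role missing"))
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_EXPORT, ENV_BY_CLIENT, "20200518"):
        print(" | ".join(finding))
```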



Stage-specific authorization details

The following sections contain information on the specific authorizations needed for each stage, depending on the respective phase in the life cycle of the DataStage job. Use it as a reference for the predefined roles provided with the SAP Pack or as a guide for customizing authorization roles according to your needs.
Use SAP transaction PFCG to create or modify an authorization role or to adjust the imported authorization roles.
The Release column in the tables below denotes which SAP releases support the specific authorization object.


ABAP Extract stage

The design-time SAP user (used in DataStage Designer for creating and updating jobs) needs an ABAP developer key assigned in the target SAP system. This is a security requirement and allows the SAP Basis administrator to control the upload of ABAP programs. This behavior was established in Pack version 8.1 GA following APAR JR59286.
To use the Change and Transport System (CTS) functionality at ABAP program upload, the user needs the authorization profile S_TMW_CREATE.

 

Role /IBMIIS/DS-DESIGN-ABAP-V8-x
The ABAP stage authorizations for designing jobs are shown in Table 1. This role also contains the authorizations for running jobs.

Table 1. ABAP stage authorizations for designing jobs

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: /IBMIIS/*, SUGU, QOWK, RFC1, SALF, SAPLCRFC, SDIF, SDIFRUNTIME, SDTB, SDTX, SIMG, SXBP, SXMI, SYST, TREX_ADMIN_TOOL, ZETL, ZETL_V8_0
    RFC_TYPE: FUGR
S_RFC_ADM (class AAAB): Administration for RFC Destination. Release: ERP, S4HANA, CRM
    ACTVT: 01, 03, 06, 36
    ICF_VALUE: *
    RFCDEST: *
    RFCTYPE: *
S_DEVELOP (class BC_C): ABAP Workbench. Release: ERP, S4HANA, CRM
    ACTVT: 01, 02, 03, 06, 16, 36
    DEVCLASS: *
    OBJTYPE: PROG
    OBJNAME: *
    P_GROUP: *
S_TABU_DIS (class BC_A): Table Maintenance. Release: ERP, S4HANA, CRM
    ACTVT: 03
    DICBERCLS: *
S_ADMI_FCD (class BC_A): System Authorizations. Release: ERP, S4HANA, CRM
    S_ADMI_FCD: NADM
S_BTCH_JOB (class BC_A): Background Processing: Operations On Background Jobs. Release: ERP, S4HANA, CRM
    JOBACTION: RELE
    JOBGROUP: *
S_DATASET (class BC_A): Authorization for file access. Release: ERP, S4HANA, CRM
    ACTVT: 34
    FILENAME: *
    PROGRAM: Y*, Z*
S_XMI_PROD (class BC_A): Authorization for External Management Interface. Release: ERP, S4HANA, CRM
    EXTCOMPANY: IBM Corp.
    EXTPRODUCT: DATASTAGE
    INTERFACE: XBP


Notes:

  • S_DEVELOP: You can adjust the OBJNAME value according to your naming convention for ABAP programs generated by the ABAP stage (for example, specify Z_DS* instead of *)
  • S_RFC_ADM (ECC6 only): You can restrict the RFCDEST value according to your naming conventions for the RFC destinations used for communication with the ABAP stage.
  • SAP CTS (Change and Transport System) support: Assign the SAP-defined authorization profile S_TMW_CREATE to the user that designs the ABAP jobs. This profile grants the required authorizations to upload the ABAP program by means of a transport request to your SAP System. The user must have a developer key to create transport requests.


Role /IBMIIS/DS-RUNTIME-ABAP-V8-x
The ABAP stage authorizations for running jobs are shown in Table 2.

Table 2. ABAP stage authorizations for running jobs

S_BGRFC (class AAAB): Authorization Object for NW bgRFC. Release: ERP, S4HANA, CRM
    ACTVT: 02, 06, 95
    BGRFC_D_IN: *
    BGRFC_D_OU: *
    BGRFC_TYPE: 03, 14, 02
S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: QOWK, RFC1, RFC_PING, SALF, /IBMIIS/*, SUGU, SDIF, SGWY, SRFC, SDIFRUNTIME, SXBP, SXMI, SYST, ZETL, ZETL_V8_0
    RFC_TYPE: FUGR
S_RFC_ADM (class AAAB): Administration for RFC Destination. Release: ERP, S4HANA, CRM
    ACTVT: 01, 03, 06
    ICF_VALUE: *
    RFCDEST: *
    RFCTYPE: *
S_TABU_DIS (class BC_A): Table Maintenance. Release: ERP, S4HANA, CRM
    ACTVT: 03
    DICBERCLS: *
S_ADMI_FCD (class BC_A): System Authorizations. Release: ERP, S4HANA, CRM
    S_ADMI_FCD: NADM, PADM
S_BTCH_JOB (class BC_A): Background Processing: Operations On Background Jobs. Release: ERP, S4HANA, CRM
    JOBACTION: RELE
    JOBGROUP: *
S_DATASET (class BC_A): Authorization for file access. Release: ERP, S4HANA, CRM
    ACTVT: 34
    FILENAME: *
    PROGRAM: Y*, Z*
S_XMI_PROD (class BC_A): Authorization for External Management Interface. Release: ERP, S4HANA, CRM
    EXTCOMPANY: IBM Corp.
    EXTPRODUCT: DATASTAGE
    INTERFACE: XBP
S_USER_GRP (class BC_A): User Master Maintenance: User Groups. Release: ERP, S4HANA, CRM
    ACTVT: *
    CLASS: *
S_USER_PRO (class BC_A): User Master Maintenance: Authorization Profile. Release: ERP, S4HANA, CRM
    ACTVT: *
    CLASS: *
S_BTCH_ADM (class BC_A): Background Processing: Background Administrator. Release: ERP, S4HANA, CRM
    BTCADMIN: Y
S_DEVELOP (class BC_C): ABAP Workbench. Release: ERP, S4HANA, CRM
    ACTVT: 03, 16
    DEVCLASS: *
    OBJTYPE: PROG
    OBJNAME: *
    P_GROUP: *
V_VBRK_VKO (class SD): Billing: Authorization for Sales Organizations. Release: ERP, S4HANA, CRM
    ACTVT: 03
    SALES ORGANIZATION: 1000


Notes:

  • S_DEVELOP: You can adjust the OBJNAME value according to your naming convention for ABAP programs generated by the ABAP stage (for example, specify Z_DS* instead of *)
  • S_RFC_ADM (ECC6 only): This authorization is only needed if you enable the automatic creation and deletion of RFC destinations. You can restrict the RFCDEST value according to your naming conventions for the RFC destinations used for communication with the ABAP stage.

BAPI stage

In addition to the roles below, assign the authorizations required by the individual BAPIs or RFMs that are called from the DataStage jobs using the BAPI stage.
Role /IBMIIS/DS-DESIGN-BAPI-V8-x

The BAPI stage authorizations for designing jobs are shown in Table 3. This role also contains the authorizations for running jobs.

Table 3. BAPI stage authorizations for designing jobs

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: BAPT, RFC1, SDIFRUNTIME, SEM5, SWOR, SYST, SUGU
    RFC_TYPE: FUGR



Role /IBMIIS/DS-RUNTIME-BAPI-V8-x
The BAPI stage authorizations for running jobs are shown in Table 4.

Table 4. BAPI stage authorizations for running jobs

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: SRFC, BAPT, SYST, SUGU, RFC_PING, RFC1, SDIFRUNTIME
    RFC_TYPE: FUGR
 
Note: Each BAPI or RFM may have specific authorization requirements. For more information, see the module documentation.



IDoc Connector stages

Assign the following standard authorization profiles to the user in addition to the customized ones below: S_IDOC_ALL and B_ALE_ALL.


Role /IBMIIS/DS-DESIGN-IDOC-V8-x
This role is intended for the design of IDoc Extract and Load jobs. It is also to be used for configuring IDoc types in DataStage Administrator for SAP. This role also contains the authorizations for running jobs. The authorizations are shown in Table 5.

Table 5. IDoc stage authorizations for designing jobs

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: EDIMEXT, RFC1, SDIFRUNTIME, SDTX, SYST, SUGU
    RFC_TYPE: FUGR
S_TABU_DIS (class BC_A): Table Maintenance
    ACTVT: 03
    DICBERCLS: *




Role /IBMIIS/DS-RUNTIME-IDOC-V8-x
This role is intended for running IDoc Extract and Load jobs. For extracting IDocs from SAP, you also need the role /IBMIIS/DS-RUNTIM-IDC-SVR-V8-x (see below).

Table 6. IDoc stage authorizations for running jobs

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: SRFC, EDIMEXT, EDIN, RFC1, SDIFRUNTIME, SYST, RFC_PING, SUGU
    RFC_TYPE: FUGR



Delta Extract stage

Role /IBMIIS/DS-DESIGN-DE-EXT-V8-x

The Delta Extract stage authorizations for designing jobs are shown in Table 7.

Table 7. Delta Extract stage authorizations for designing jobs

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: SYST, SUGU, SDTX1, /IBMIIS/*, RFC1, RODPS_REPL, SDIFRUNTIME, SDTX
    RFC_TYPE: FUGR
S_TABU_DIS (class BC_A): Basis: Administration. Release: CRM
    ACTVT: 03
    Table Authorization Group: *
S_RO_OSOA (class RO): Authorizations: BW Service API. Release: S4HANA
    ACTVT: 03
    DATASOURCE: *
    DATASOURCE APPLICATION COMPONENT: *
    SUBOBJECT FOR DATASOURCE: DATA, DEFINITION



Role /IBMIIS/DS-RUNTIM-DE-EXT-V8-x
This role is intended for running Delta Extract jobs. You also need the role /IBMIIS/DS-RUNTIM-IDC-SVR-V8-x for the IDoc Listener (see below).

Table 8. Delta Extract stage authorizations for running jobs

B_ALE_LSYS (class AAAB): ALE/EDI: Maintaining Logical Systems. Release: ERP, S4HANA, CRM
    LOGSYS: *
B_ALE_RECV (class AAAB): ALE/EDI: Receiving IDocs via RFC. Release: ERP, S4HANA, CRM
    EDI_MES: RSRQST
S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: /*, /IBMIIS/*, ARFC, EDIMEXT, EDIN, ERFC, RFC1, RFC_PING, RFC_METADATA, RODPS_REPL, SUGU, SDIFRUNTIME, SDTX, SYST, Z_DS_DELTA_EXTRACT_V8_0
    RFC_TYPE: FUGR
S_TCODE (class AAAB): Transaction Code Check at Transaction Start. Release: ERP, S4HANA, CRM
    TCD: SU53, RSA7, SALE, SM30, SM59, WE20, WE21
S_RFC_ADM (class AAAB): Administration for RFC Destination. Release: ERP, S4HANA, CRM
    ACTVT: 01, 03
    ICF_VALUE: DUMMY
    RFCDEST: *
    RFCTYPE: 3, T
S_BTCH_ADM (class BC_A): Background Processing: Background Administrator. Release: ERP, S4HANA, CRM
    BTCADMIN: Y
S_BTCH_JOB (class BC_A): Background Processing: Operations on Background Jobs. Release: ERP, S4HANA, CRM
    JOBACTION: RELE
    JOBGROUP: '' (empty)
S_CTS_ADMI (class BC_A): Administration Functions in Change and Transport System. Release: ERP, S4HANA, CRM
    CTS_ADMFCT: TABL
S_DATASET (class BC_A): Authorization for file access. Release: ERP, S4HANA, CRM
    ACTVT: 34
    FILENAME: *
    PROGRAM: SAPLSTRF
S_GUI (class BC_A): Authorization for GUI activities. Release: ERP, S4HANA, CRM
    ACTVT: 61
S_SPO_DEV (class BC_A): Spool: Device authorizations. Release: ERP, S4HANA, CRM
    SPODEVICE: LP01
S_TABU_CLI (class BC_A): Cross-Client Table Maintenance. Release: ERP, S4HANA, CRM
    CLIIDMAINT: X
S_TABU_DIS (class BC_A): Table Maintenance (via standard tools such as SM30). Release: ERP, S4HANA, CRM
    ACTVT: *
    DICBERCLS: *
S_DEVELOP (class BC_C): ABAP Workbench. Release: ERP, S4HANA, CRM
    ACTVT: 16
    DEVCLASS: Z*
    OBJNAME: Z*
    OBJTYPE: DEVC, FUGR, MSAG, PROG
    P_GROUP: DUMMY
S_TRANSPRT (class BC_C): Transport Organizer. Release: ERP, S4HANA, CRM
    ACTVT: 01, 03
    TTYPE: DTRA, TASK
S_IDOCDEFT (class BC_Z): WFEDI: S_IDOCDEFT - Access to IDoc Development. Release: ERP, S4HANA, CRM
    ACTVT: 01, 03
    EDI_CIM: DUMMY
    EDI_DOC: RSINFO, RSREQUST, RSSEND, Z*
    EDI_TCD: WE30
S_IDOCMONI (class BC_Z): WFEDI: S_IDOCMONI - Access to IDoc Monitoring. Release: ERP, S4HANA, CRM
    ACTVT: 03
    EDI_DIR: 1, 2
    EDI_MES: RSRQST
    EDI_PRN: *
    EDI_PRT: *
    EDI_TCD: '' (empty)
S_IDOCPART (class BC_Z): WFEDI: S_IDOCPART - Access to Partner Profile (IDoc). Release: ERP, S4HANA, CRM
    ACTVT: 01, 02, 03
    EDI_PRN: *
    EDI_PRT: LS
    EDI_TCD: WE20
S_IDOCPORT (class BC_Z): WFEDI: S_IDOCPORT - Access to Port Description (IDoc). Release: ERP, S4HANA, CRM
    ACTVT: 01
    EDI_POR: 1
    EDI_TCD: WE21
S_RO_OSOA (class RO): SAP DataSource Authorizations. Release: ERP, S4HANA, CRM
    ACTVT: 03
    OLTPSOURCE: *
    OSOAAPCO: *
    OSOAPART: DATA



IDoc Listener

This component is used by both the IDoc Extract stage and Delta Extract stage. Assign the following standard authorization profile to the user in addition to the customized ones below: S_IDOC_ALL.

Role /IBMIIS/DS-RUNTIM-IDC-SVR-V8-x
This role is intended for the IDoc Listener component that facilitates the reception of IDocs from SAP. The specific authorizations are shown in Table 9.
Note: This role should be assigned to the SAP user specified in the default SAP logon details of the DataStage SAP connection since this is the logon the IDoc Listener uses. Figure 2 shows the location of the default SAP logon details in DataStage Administrator for SAP.

Figure 2. DataStage Administrator for SAP: Connection properties


Table 9. Authorizations for the IDoc Listener

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: RFC1, SDIFRUNTIME, SYST, SUGU, /IBMIIS/*
    RFC_TYPE: FUGR


Rapid Modeler for SAP

Assign the following standard authorization profile to the user in addition to the customized ones below: S_IDOC_ALL.
For running the generated ABAP and IDoc jobs, use the ABAP and IDoc runtime authorizations listed above.

Role /IBMIIS/DS-DESIGN-RM-V8-x
The authorizations for extracting table and IDoc metadata using the Rapid Modeler plug-in for IBM InfoSphere Data Architect are shown in Table 10.

Table 10. Authorizations for Rapid Modeler for SAP

S_RFC (class AAAB): Authorization Check for RFC Access. Release: ERP, S4HANA, CRM
    ACTVT: 16
    RFC_NAME: EDIMEXT, RFC1, SDIFRUNTIME, SDTB, SDTX, SYST, /IBMIIS/*, SALF, SAPLCRFC, SIMG, SUGU, TREX_ADMIN_TOOL, ZETL_V8_0
    RFC_TYPE: FUGR
S_TABU_DIS (class BC_A): Table Maintenance. Release: ERP, S4HANA, CRM
    ACTVT: 03
    DICBERCLS: *
S_CTS_ADMI (class BC_A): Basis: Administration. Release: ERP, S4HANA, CRM
    CTS_ADMFCT: *
S_DEVELOP (class BC_C): ABAP Workbench. Release: ERP, S4HANA, CRM
    ACTVT: 01, 02, 03, 06, 16
    DEVCLASS: *
    OBJNAME: *
    OBJTYPE: PROG
    P_GROUP: *


Known issues

Overlapping authorizations: Some authorization roles may cover more permissions than necessary, enabling additional actions. For example, a user with the role DS-DESIGN-ABAP-V8-1 or DS-DESIGN-BAPI-V8-1 is able to run IDoc Extract jobs, even though this capability should be limited to users with the roles DS-DESIGN-IDOC-V8-1 or DS-RUNTIME-IDOC-V8-1.

Reason: Some SAP authorizations don't have the necessary granularity or overlap, resulting in excess permissions given to users. This is an internal characteristic of the SAP software and is outside the influence of IBM products.


Document Information

Modified date:
18 May 2020

UID

swg22016310