Question & Answer
Question
What are the authorization requirements and security best practices for the SAP Pack?
Answer
Contents
- Introduction
- Authorization role templates
- Mapping the SAP authorizations to development, test, and production environments
- Stage-specific authorization details
- ABAP Extract Stage
- BAPI Stage
- IDOC Connector Stages
- Delta Extract Stage
- IDoc Listener
- Rapid Modeler for SAP
- Known Issues
Introduction
In projects where InfoSphere Information Server is used for data exchange with SAP, one or more technical SAP user accounts (user type Communications Data in classic SAP terminology) are needed for the DataStage® jobs to connect to the SAP system. Therefore, the ETL development team needs to work with the SAP Basis administrator to obtain user IDs for the SAP system with the appropriate permissions.
All user accounts and authorizations in SAP are maintained separately for each SAP client. An SAP client is an isolated partition of the system identified by a three-digit number. All DataStage SAP connections operate on a given client, so all authorization rules need to be applied to the correct SAP client as well.
User accounts in SAP are managed using the transaction su01. Figure 1 shows an example user properties view. In addition to assigning basic properties like the user name and password, you can also use this transaction to assign the authorizations.
Figure 1. Authorization roles assigned to an SAP user
Authorization role templates
InfoSphere Pack for SAP requires different authorizations depending on the stages you intend to use. These need to be configured appropriately by an SAP Basis administrator. Appropriate authorization role templates are provided with the SAP Pack. The role templates are made available as transport request files that can be directly imported into an SAP system.
The authorization roles provided for the SAP Pack are composed of standard SAP authorizations where possible, but also contain authorizations specifically configured for use with the SAP Pack. Version 8.1 and version 8.2 have the same authorization requirements, but the role names differ (they include the version number). The authorization roles provided with the SAP Pack are as follows:
Version 8.2
Composite roles:
- /IBMIIS/DS-ADM-ALL-V8-2
- /IBMIIS/DS-DESIGN-V8-2
- /IBMIIS/DS-RUNTIME-V8-2
Single roles:
- /IBMIIS/DS-DESIGN-ABAP-V8-2
- /IBMIIS/DS-DESIGN-BAPI-V8-2
- /IBMIIS/DS-DESIGN-DE-EXT-V8-2
- /IBMIIS/DS-DESIGN-IDOC-V8-2
- /IBMIIS/DS-DESIGN-RM-V8-2
- /IBMIIS/DS-RUNTIM-DE-EXT-V8-2
- /IBMIIS/DS-RUNTIM-IDC-SVR-V8-2
- /IBMIIS/DS-RUNTIME-ABAP-V8-2
- /IBMIIS/DS-RUNTIME-BAPI-V8-2
- /IBMIIS/DS-RUNTIME-IDOC-V8-2
Version 8.1
Composite roles:
- /IBMIIS/DS-ADM-ALL-V8-1
- /IBMIIS/DS-DESIGN-V8-1
- /IBMIIS/DS-RUNTIME-V8-1
Single roles:
- /IBMIIS/DS-DESIGN-ABAP-V8-1
- /IBMIIS/DS-DESIGN-BAPI-V8-1
- /IBMIIS/DS-DESIGN-DE-EXT-V8-1
- /IBMIIS/DS-DESIGN-IDOC-V8-1
- /IBMIIS/DS-DESIGN-RM-V8-1
- /IBMIIS/DS-RUNTIM-DE-EXT-V8-1
- /IBMIIS/DS-RUNTIM-IDC-SVR-V8-1
- /IBMIIS/DS-RUNTIME-ABAP-V8-1
- /IBMIIS/DS-RUNTIME-BAPI-V8-1
- /IBMIIS/DS-RUNTIME-IDOC-V8-1
Note: In the text below, 8-x is used as a placeholder for both Pack versions. Read it as 8-1 if you use Pack version 8.1 and as 8-2 if you use Pack version 8.2 (for example, role DS-DESIGN-ABAP-V8-1 in version 8.1 becomes DS-DESIGN-ABAP-V8-2 in version 8.2).
Notes:
- /IBMIIS/DS-ADM-ALL-V8-x is the composite role that includes all sub-roles for the design-time and the runtime authorizations.
- /IBMIIS/DS-DESIGN-V8-x is the composite design-time role that contains all sub-roles needed to create and run SAP Pack jobs. It can be used in a development environment where tasks like job design and unit testing are performed.
- /IBMIIS/DS-RUNTIME-V8-x is the composite runtime role that contains only the sub-roles needed to run SAP Pack jobs. It is more restrictive and can be used in a production environment where only activities needed during the actual job run should be allowed.
Installing the SAP transport files
For instructions on how to install the SAP transport request files containing the authorization roles, refer to technote 0888523 (Pack version 8.2) and technote 2016311 (Pack version 8.1).
Mapping the SAP authorizations to development, test, and production environments
On the development SAP system, DataStage jobs are designed and unit-tested. To perform these tasks, the technical SAP user needs design-time as well as runtime privileges for the stages to be used in the jobs to be developed.
The testing environment should simulate the production environment. On this system, the technical SAP user should be assigned only the runtime authorizations needed for the stages used in jobs that are to run in the production environment.
In the production environment, the most restrictive security policies are usually in place. As a result, only the absolutely necessary privileges should be granted to the technical SAP user, which means only the runtime authorizations needed for the stages used in the jobs running in production.
Detailed information on the different authorizations needed for each stage type at design and runtime can be found in the stage-specific sections below.
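As an added example (not part of the SAP Pack or of this technote), the following Python script audits a technical user's role assignments against the environment mapping just described. It assumes that a role is design-time or runtime according to its name (DS-DESIGN-* and DS-ADM-ALL versus DS-RUNTIM*-*), that a name without a stage component is a composite role, and the sample assignment is constructed.

```python
"""Audit a technical SAP user's role assignments against the least-privilege
mapping: design-time roles only on the development system, runtime roles on
test and production.  Added example, not part of the SAP Pack; role names are
the ones listed in this technote, and classifying a role by its name
(DESIGN/ADM-ALL = design-time, RUNTIM*/RUNTIME = runtime) is an assumption."""
import re
from typing import Dict, List, Set

ROLE_RE = re.compile(r"/IBMIIS/DS-(ADM-ALL|DESIGN|RUNTIME?)(?:-([A-Z0-9-]+))?-V8-([12])")

# Design-time roles also contain the runtime authorizations, so granting them
# outside development is excess privilege rather than a harmless superset.
ALLOWED: Dict[str, Set[str]] = {
    "development": {"design", "runtime", "admin"},
    "test": {"runtime"},
    "production": {"runtime"},
}

def classify(role: str) -> dict:
    """Split a SAP Pack role name into kind, stage component (None = composite) and Pack version."""
    m = ROLE_RE.fullmatch(role)
    if not m:
        raise ValueError(f"not a SAP Pack role: {role}")
    prefix, component, version = m.groups()
    kind = {"ADM-ALL": "admin", "DESIGN": "design"}.get(prefix, "runtime")
    return {"role": role, "kind": kind, "component": component, "version": f"8.{version}"}

def audit(environment: str, roles: List[str]) -> List[str]:
    """Return one finding per role that grants more than the environment should allow,
    plus a finding if roles from different Pack versions are mixed on one user."""
    findings = []
    parsed = [classify(r) for r in roles]
    for p in parsed:
        if p["kind"] not in ALLOWED[environment]:
            scope = "composite" if p["component"] is None else p["component"]
            findings.append(f"{p['role']}: {p['kind']} role ({scope}) not permitted in {environment}")
    versions = {p["version"] for p in parsed}
    if len(versions) > 1:
        findings.append(f"roles from several Pack versions assigned: {sorted(versions)}")
    return findings

if __name__ == "__main__":
    # Constructed production assignment: one correct runtime role, one excess design role
    for line in audit("production", ["/IBMIIS/DS-RUNTIME-ABAP-V8-2", "/IBMIIS/DS-DESIGN-IDOC-V8-2"]):
        print(line)
```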
Stage-specific authorization details
The following sections contain information on the specific authorizations needed for each stage, depending on the respective phase in the life cycle of the DataStage job. Use it as a reference for the predefined roles provided with the SAP Pack or as a guide for customizing authorization roles according to your needs.
Use SAP transaction PFCG to create or modify an authorization role or to adjust the imported authorization roles.
The Release column in the tables below denotes which SAP releases support the specific authorization object.
ABAP Extract stage
The design-time SAP user (used in DataStage Designer for creating and updating jobs) needs to have an ABAP developer key assigned in the target SAP system. This is a security requirement and allows the SAP Basis administrator to control the upload of ABAP programs. This behavior was established in Pack version 8.1 GA following APAR JR59286.
To use the Change and Transport System (CTS) functionality at ABAP program upload, the user needs this authorization profile: S_TMW_CREATE
Role /IBMIIS/DS-DESIGN-ABAP-V8-x
The ABAP stage authorizations for designing jobs are shown in Table 1. This role also contains the authorizations for running jobs.
Table 1. ABAP stage authorizations for designing jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: /IBMIIS/*, SUGU, QOWK, RFC1, SALF, SAPLCRFC,SDIF,SDIFRUNTIME, SDTB, SDTX, SIMG, SXBP, SXMI, SYST, TREX_ADMIN_TOOL,ZETL, ZETL_V8_0 | ||||
RFC_TYPE: FUGR | ||||
S_RFC_ADM | AAAB | Administration for RFC Destination | ACTVT: 01, 03, 06,36 | ERP, S4HANA, CRM |
ICF_VALUE: * | ||||
RFCDEST: * | ||||
RFCTYPE: * | ||||
S_DEVELOP | BC_C | ABAP Workbench | ACTVT: 01, 02, 03, 06, 16, 36 | ERP, S4HANA, CRM |
DEVCLASS: * | ||||
OBJTYPE: PROG | ||||
OBJNAME: * | ||||
P_GROUP: * | ||||
S_TABU_DIS | BC_A | Table Maintenance | ACTVT: 03 | ERP, S4HANA, CRM |
DISBERCLS: * | ||||
S_ADMI_FCD | BC_A | System Authorizations | NADM | ERP, S4HANA, CRM |
S_BTCH_JOB | BC_A | Background Processing: Operations On Background Jobs | JOBACTION: RELE | ERP, S4HANA, CRM |
JOBGROUP: * | ||||
S_DATASET | BC_A | Authorization for file access | ACTVT: 34 | ERP, S4HANA, CRM |
FILENAME: * | ||||
PROGRAM: Y*, Z* | ||||
S_XMI_PROD | BC_A | Authorization for External Management Interface | EXTCOMPANY: IBM Corp. | ERP, S4HANA, CRM |
EXTPRODUCT: DATASTAGE | ||||
INTERFACE: XBP |
Notes:
- S_DEVELOP: You can adjust the OBJNAME value according to your naming convention for ABAP programs generated by the ABAP stage (for example, specify Z_DS* instead of *)
- S_RFC_ADM (ECC6 only): You can restrict the RFCDEST value according to your naming conventions for the RFC destinations used for communication with the ABAP stage.
- SAP CTS (Change and Transport System) support: Assign the SAP-defined authorization profile S_TMW_CREATE to the user that designs the ABAP jobs. This profile grants the required authorizations to upload the ABAP program by means of a transport request to your SAP System. The user must have a developer key to create transport requests.
Role /IBMIIS/DS-RUNTIME-ABAP-V8-x
The ABAP stage authorizations for running jobs are shown in Table 2.
Table 2. ABAP stage authorizations for running jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_BGRFC | AAAB | Authorization Object for NW bgRFC | ACTVT: 02,06,95 | ERP, S4HANA, CRM |
BGRFC_D_IN : * | ||||
BGRFC_D_OU : * | ||||
BGRFC_TYPE: 03, 14, 02 | ||||
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: QOWK, RFC1, RFC_PING, SALF, /IBMIIS/*, SUGU, SDIF, SGWY, SRFC, SDIFRUNTIME, SXBP, SXMI, SYST, ZETL, ZETL_V8_0 | ||||
RFC_TYPE: FUGR | ||||
S_RFC_ADM | AAAB | Administration for RFC Destination | ACTVT: 01, 03, 06 | ERP, S4HANA, CRM |
ICF_VALUE: * | ||||
RFCDEST: * | ||||
RFCTYPE: * | ||||
S_TABU_DIS | BC_A | Table Maintenance | ACTVT: 03 | ERP, S4HANA, CRM |
DISBERCLS: * | ||||
S_ADMI_FCD | BC_A | System Authorizations | NADM, PADM | ERP, S4HANA, CRM |
S_BTCH_JOB | BC_A | Background Processing: Operations On Background Jobs | JOBACTION: RELE | ERP, S4HANA, CRM |
JOBGROUP: * | ||||
S_DATASET | BC_A | Authorization for file access | ACTVT: 34 | ERP, S4HANA, CRM |
FILENAME: * | ||||
PROGRAM: Y*, Z* | ||||
S_XMI_PROD | BC_A | Authorization for External Management Interface | EXTCOMPANY: IBM Corp. | ERP, S4HANA, CRM |
EXTPRODUCT: DATASTAGE | ||||
INTERFACE: XBP | ||||
S_USER_GRP | BC_A | User Master Maintenance: User Groups | ACTVT: * | ERP, S4HANA, CRM |
CLASS: * | ||||
S_USER_PRO | BC_A | User Master Maintenance: Authorization Profile | ACTVT:* | ERP, S4HANA, CRM |
CLASS: * | ||||
S_BTCH_ADM | BC_A | Background Processing: Background Administrator | BTCADMIN: Y | ERP, S4HANA, CRM |
S_DEVELOP | BC_C | ABAP Workbench | ACTVT: 03, 16 | ERP, S4HANA, CRM |
DEVCLASS: * | ||||
OBJTYPE: PROG | ||||
OBJNAME: * | ||||
P_GROUP: * | ||||
V_VBRK_VKO | SD | Billing: Authorization for Sales Organizations | ACTVT:03 | ERP, S4HANA, CRM |
SALES ORGANIZATION: 1000 |
Notes:
- S_DEVELOP: You can adjust the OBJNAME value according to your naming convention for ABAP programs generated by the ABAP stage (for example, specify Z_DS* instead of *)
- S_RFC_ADM (ECC6 only): This authorization is only needed if you enable the automatic creation and deletion of RFC destinations. You can restrict the RFCDEST value according to your naming conventions for the RFC destinations used for communication with the ABAP stage.
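The effect of narrowing OBJNAME as the notes above (and the matching notes under Table 1) suggest can be checked offline. The following Python model of an authority check is an added example, not SAP or SAP Pack code; it simplifies SAP value matching to exact values and trailing-* generic values, evaluates only the fields named in a check, and the program names Z_DS_EXTRACT_01 and Z_PAYROLL_RUN are constructed.

```python
"""Minimal model of an SAP authority check applied to the S_DEVELOP rows of
Tables 1 and 2.  Added example, not SAP Pack code.  Assumptions: a field value
of '*' matches anything, a trailing '*' is a generic prefix value, anything else
must match exactly; fields not named in a check are not evaluated."""
from typing import Dict, List

Authorization = Dict[str, List[str]]  # field name -> permitted values

def field_matches(permitted: List[str], value: str) -> bool:
    """True if one of the permitted values covers the requested value."""
    for pat in permitted:
        if pat == "*" or pat == value or (pat.endswith("*") and value.startswith(pat[:-1])):
            return True
    return False

def authority_check(auths: List[Authorization], **requested: str) -> bool:
    """Succeed only if a single authorization instance satisfies every requested field
    (values from two different instances cannot be combined)."""
    return any(all(field_matches(a.get(f, []), v) for f, v in requested.items()) for a in auths)

# S_DEVELOP as delivered: Table 1 (design role) and Table 2 (runtime role)
S_DEVELOP_DESIGN: List[Authorization] = [{
    "ACTVT": ["01", "02", "03", "06", "16", "36"], "DEVCLASS": ["*"],
    "OBJTYPE": ["PROG"], "OBJNAME": ["*"], "P_GROUP": ["*"]}]
S_DEVELOP_RUNTIME: List[Authorization] = [{
    "ACTVT": ["03", "16"], "DEVCLASS": ["*"],
    "OBJTYPE": ["PROG"], "OBJNAME": ["*"], "P_GROUP": ["*"]}]

def narrowed(auths: List[Authorization], field: str, values: List[str]) -> List[Authorization]:
    """Copy of the authorizations with one field restricted, e.g. OBJNAME -> Z_DS*."""
    return [dict(a, **{field: values}) for a in auths]

# Runtime role with OBJNAME restricted to the DataStage naming convention from the note
S_DEVELOP_RUNTIME_NARROW = narrowed(S_DEVELOP_RUNTIME, "OBJNAME", ["Z_DS*"])

def can_upload(auths: List[Authorization], program: str) -> bool:
    """ACTVT 01 (create) on a PROG object: what the ABAP stage needs at design time."""
    return authority_check(auths, ACTVT="01", OBJTYPE="PROG", OBJNAME=program)

def can_execute(auths: List[Authorization], program: str) -> bool:
    """ACTVT 16 (execute) on a PROG object: what the ABAP stage needs at run time."""
    return authority_check(auths, ACTVT="16", OBJTYPE="PROG", OBJNAME=program)

if __name__ == "__main__":
    # Constructed program names: one generated by the ABAP stage, one unrelated
    for label, auths in [("design", S_DEVELOP_DESIGN), ("runtime", S_DEVELOP_RUNTIME),
                         ("runtime, OBJNAME=Z_DS*", S_DEVELOP_RUNTIME_NARROW)]:
        print(f"{label:24s} upload Z_DS_EXTRACT_01: {can_upload(auths, 'Z_DS_EXTRACT_01')}, "
              f"execute Z_PAYROLL_RUN: {can_execute(auths, 'Z_PAYROLL_RUN')}")
```

The same matcher can be pointed at S_RFC_ADM to compare RFCDEST * with a destination prefix of your own naming convention.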
BAPI stage
The BAPI stage authorizations for designing jobs are shown in Table 3. This role also contains the authorizations for running jobs.
Table 3. BAPI stage authorizations for designing jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: BAPT, RFC1, SDIFRUNTIME, SEM5, SWOR, SYST, SUGU | ||||
RFC_TYPE: FUGR |
Role /IBMIIS/DS-RUNTIME-BAPI-V8-x
The BAPI stage authorizations for running jobs are shown in Table 4.
Table 4. BAPI stage authorizations for running jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: SRFC, BAPT, SYST, SUGU, RFC_PING, RFC1, SDIFRUNTIME | ||||
RFC_TYPE: FUGR |
IDoc Connector stages
Assign the following standard authorization profiles to the user in addition to the customized ones below: S_IDOC_ALL and B_ALE_ALL.
Role /IBMIIS/DS-DESIGN-IDOC-V8-x
This role is intended for the design of IDoc Extract and Load jobs. It should also be used for configuring IDoc types in DataStage Administrator for SAP. This role also contains the authorizations for running jobs. The authorizations are shown in Table 5.
Table 5. IDoc stage authorizations for designing jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: EDIMEXT, RFC1, SDIFRUNTIME, SDTX, SYST,SUGU | ||||
RFC_TYPE: FUGR | ||||
S_TABU_DIS | BC_A | Table Maintenance | ACTVT: 03 | |
DISBERCLS: * |
Role /IBMIIS/DS-RUNTIME-IDOC-V8-x
This role is intended for running IDoc Extract and Load jobs. For extracting IDocs from SAP, you also need the role /IBMIIS/DS-RUNTIM-IDC-SVR-V8-x (see below).
Table 6. IDoc stage authorizations for running jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: SRFC, EDIMEXT, EDIN, RFC1, SDIFRUNTIME, SYST, RFC_PING, SUGU | ||||
RFC_TYPE: FUGR |
Delta Extract stage
Role /IBMIIS/DS-DESIGN-DE-EXT-V8-x
The Delta Extract stage authorizations for designing jobs are shown in Table 7.
Table 7. Delta Extract stage authorizations for designing jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: SYST, SUGU, SDTX1, /IBMIIS/*, RFC1, RODPS_REPL, SDIFRUNTIME, SDTX | ||||
RFC_TYPE: FUGR | ||||
S_TABU_DIS | BC_A | Basis: Administration | ACTVT: 03 | CRM |
Table Authorization Group: * | ||||
S_RO_OSOA | RO | Authorizations: BW Service API | ACTVT: 03 | S4HANA |
DATASOURCE: * | ||||
DATASOURCE APPLICATION COMPONENT: * | ||||
SUBOBJECT FOR DATASOURCE: DATA, DEFINITION | ||||
Role /IBMIIS/DS-RUNTIM-DE-EXT-V8-x
This role is intended for running Delta Extract jobs. You also need the role /IBMIIS/DS-RUNTIM-IDC-SVR-V8-x for the IDoc Listener (see below).
Table 8. Delta Extract stage authorizations for running jobs
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
B_ALE_LSYS | AAAB | ALE/EDI: Maintaining Logical Systems | LOGSYS = * | ERP, S4HANA, CRM |
B_ALE_RECV | AAAB | ALE/EDI: Receiving IDocs via RFC | EDI_MES = RSRQST | ERP, S4HANA, CRM |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT = 16 | ERP, S4HANA, CRM |
RFC_NAME = /*, /IBMIIS/*, ARFC, EDIMEXT, EDIN, ERFC, RFC1, RFC_PING, RFC_METADATA, RODPS_REPL, SUGU, SDIFRUNTIME, SDTX, SYST, Z_DS_DELTA_EXTRACT_V8_0 | ||||
RFC_TYPE = FUGR | ||||
S_TCODE | AAAB | Transaction Code Check at Transaction Start | TCD = SU53, RSA7, SALE, SM30, SM59, WE20, WE21 | ERP, S4HANA, CRM |
S_RFC_ADM | AAAB | Administration for RFC Destination | ACTVT = 01,03 | ERP, S4HANA, CRM |
ICF_VALUE = DUMMY | ||||
RFCDEST = * | ||||
RFCTYPE = 3,T | ||||
S_BTCH_ADM | BC_A | Background Processing: Background Administrator | BTCADMIN = Y | ERP, S4HANA, CRM |
S_BTCH_JOB | BC_A | Background Processing: Operations on Background Jobs | JOBACTION = RELE | ERP, S4HANA, CRM |
JOBGROUP ='' | ||||
S_CTS_ADMI | BC_A | Administration Functions in Change and Transport System | CTS_ADMFCT = TABL | ERP, S4HANA, CRM |
S_DATASET | BC_A | Authorization for file access | ACTVT = 34 | ERP, S4HANA, CRM |
FILENAME = * | ||||
PROGRAM = SAPLSTRF | ||||
S_GUI | BC_A | Authorization for GUI activities | ACTVT = 61 | ERP, S4HANA, CRM |
S_SPO_DEV | BC_A | Spool: Device authorizations | SPODEVICE = LP01 | ERP, S4HANA, CRM |
S_TABU_CLI | BC_A | Cross-Client Table Maintenance | CLIIDMAINT = X | ERP, S4HANA, CRM |
S_TABU_DIS | BC_A | Table Maintenance (via standard tools such as SM30) | ACTVT = * | ERP, S4HANA, CRM |
DICBERCLS = * | ||||
S_DEVELOP | BC_C | ABAP Workbench | ACTVT = 16 | ERP, S4HANA, CRM |
DEVCLASS = Z* | ||||
OBJNAME = Z* | ||||
OBJTYPE = DEVC, FUGR, MSAG, PROG | ||||
P_GROUP = DUMMY | ||||
S_TRANSPRT | BC_C | Transport Organizer | ACTVT = 01,03 | ERP, S4HANA, CRM |
TTYPE = DTRA, TASK | ||||
S_IDOCDEFT | BC_Z | WFEDI: S_IDOCDEFT - Access to IDoc Development | ACTVT = 01,03 | ERP, S4HANA, CRM |
EDI_CIM = DUMMY | ||||
EDI_DOC = RSINFO, RSREQUST, RSSEND, Z* | ||||
EDI_TCD = WE30 | ||||
S_IDOCMONI | BC_Z | WFEDI: S_IDOCMONI - Access to IDoc Monitoring | ACTVT = 03 | ERP, S4HANA, CRM |
EDI_DIR = 1, 2 | ||||
EDI_MES = RSRQST | ||||
EDI_PRN = * | ||||
EDI_PRT = * | ||||
EDI_TCD = '' | ||||
S_IDOCPART | BC_Z | WFEDI: S_IDOCPART - Access to Partner Profile (IDoc) | ACTVT = 01,02,03 | ERP, S4HANA, CRM |
EDI_PRN = * | ||||
EDI_PRT = LS | ||||
EDI_TCD = WE20 | ||||
S_IDOCPORT | BC_Z | WFEDI: S_IDOCPORT - Access to Port Description (IDoc) | ACTVT = 01 | ERP, S4HANA, CRM |
EDI_POR = 1 | ||||
EDI_TCD = WE21 | ||||
S_RO_OSOA | RO | SAP DataSource Authorizations | ACTVT = 03 | ERP, S4HANA, CRM |
OLTPSOURCE = * | ||||
OSOAAPCO = * | ||||
OSOAPART = DATA |
IDoc Listener
This component is used by both the IDoc Extract stage and Delta Extract stage. Assign the following standard authorization profile to the user in addition to the customized ones below: S_IDOC_ALL.
Role /IBMIIS/DS-RUNTIM-IDC-SVR-V8-x
This role is intended for the IDoc Listener component that facilitates the reception of IDocs from SAP. The specific authorizations are shown in Table 9.
Note: This role should be assigned to the SAP user specified in the default SAP logon details of the DataStage SAP connection since this is the logon the IDoc Listener uses. Figure 2 shows the location of the default SAP logon details in DataStage Administrator for SAP.
Figure 2. DataStage Administrator for SAP: Connection properties
Table 9. Authorizations for the IDoc Listener
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC Access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: RFC1, SDIFRUNTIME, SYST, SUGU, /IBMIIS/* | ||||
RFC_TYPE: FUGR |
Rapid Modeler for SAP
Assign the following standard authorization profile to the user in addition to the customized ones below: S_IDOC_ALL.
For running the generated ABAP and IDoc jobs, use the ABAP and IDoc runtime authorizations listed above.
Role /IBMIIS/DS-DESIGN-RM-V8-x
The authorizations for extracting table and IDoc metadata using the Rapid Modeler plug-in for IBM InfoSphere Data Architect are shown in Table 10.
Table 10. Authorizations for Rapid Modeler for SAP
Authorization Object | Authorization Class | Description | Authorization Definition | Release |
S_RFC | AAAB | Authorization Check for RFC access | ACTVT: 16 | ERP, S4HANA, CRM |
RFC_NAME: EDIMEXT, RFC1, SDIFRUNTIME, SDTB, SDTX, SYST,/IBMIIS/*,SALF, SAPLCRFC, SIMG,SUGU, TREX_ADMIN_TOOL, ZETL_V8_0 | ||||
RFC_TYPE: FUGR | ||||
S_TABU_DIS | BC_A | Table Maintenance | ACTVT: 03 | ERP, S4HANA, CRM |
DISBERCLS: * | ||||
S_CTS_ADMI | BC_A | Basis: Administration | CTS_ADMFCT: * | ERP, S4HANA, CRM |
S_DEVELOP | BC_C | ABAP Workbench | ACTVT: 01, 02, 03, 06, 16 | ERP, S4HANA, CRM |
DEVCLASS: * | ||||
OBJNAME: * | ||||
OBJTYPE: PROG | ||||
P_GROUP: * |
Known issues
Overlapping authorizations: Some authorization roles may cover more permissions than necessary, enabling additional actions. For example, a user with the role DS-DESIGN-ABAP-V8-1 or DS-DESIGN-BAPI-V8-1 is able to run IDoc Extract jobs, even though this capability should be limited to users with the roles DS-DESIGN-IDOC-V8-1 or DS-RUNTIME-IDOC-V8-1.
Reason: Some SAP authorizations don't have the necessary granularity or overlap, resulting in excess permissions given to users. This is an internal characteristic of the SAP software and is outside the influence of IBM products.
Document Information
Modified date:
18 May 2020
UID
swg22016310