Knowledge Base > Automation Engine and Target Systems > SAP > SAP Security Objects

SAP Security Objects

SAP authorizations required for AE jobs depend on the particular installation and on the range of functions used in AE. What is shown below are authorization objects which are necessary for the CPIC userIn the Automation Engine, a user is an instance of a User object, and generally the user is a specific person who works with Automic products. The User object is assigned a user ID and then a set of access rights to various parts of the Automation Engine system and product suite. These access rights come in the form of Automation Engine authorizations and privileges, Decision user roles and EventBase rights and ARA web application object rights. You can manage all these centrally in the ECC user management functions. See also, Unified user management. in order to provide maximum functionality.

For understanding the following table, knowledge of SAP authorization concepts is assumed.

Authorization Object Connection to AE Field name Values

S_RFC

When the Profile Parameter auth/rfc_authority_check is set, SAP checks if the RFC user is allowed to call the given functionPre-defined run book template in the Automation Engine. One single step only, e.g. Start Windows Service, Copy file,… groupAn Automation Engine object type that integrates tasks so that they can be processed together..

ACTVT RFC_NAME RFC_TYPE

*
*
*

S_BTCH_JOB
Batch Processing: Operations on batch jobs

AE creates SAP jobs dynamically and needs the authorization to plan, monitor and releaseReleases combine a set of activities and a set of packages as well as other release artifacts under a timeline (a plan including milestones and phases), which can be planned, baselined and tracked. jobs. In addition, AE creates jobs in order to process BDC sessions, thereby using the standard ABAP program RSBDCBTC.

JOBACTION
JOBGROUP

*
*

S_BTCH_ADM
Background Processing: Background Administrator

In order to run existing SAP jobs, AE must change the respectiveJo bs. The AE and standard interfaces use the standard function module BP_JOB_MODIFY to run jobs. This requires batch-administrator authorization. This type of authorization is also required for retrieving the Spool List of a jobAn Automation Engine object type for a process that runs on a target system. in case the CPIC user is not the job creator.

Attention: S_BTCH_ADM allows the clientA closed environment within an Automation Engine system where you can create and run objects. A client name consists of a 4-digit number that must be indicated when a user logs on to the Automation Engine system. Users and their rights are also defined in clients. A particular Automation Engine object type.-independent selection of existing jobs. If the AE JCL statement R3_ACTIVATE_JOBS is processed with a CPIC user having this authorization, AE possibly starts jobs in several SAP clients, depending on the specified selection criteria (such as the same job name in 2 SAP clients)

BTCADMIN

Y

S_BTCH_NAM

In order to create and run jobs for any other SAP user, the CPIC user must be authorized to specify the user nameName of the Automation Engine user..

BTCUNAME

*

S_SPO_DEV
Spooler: Device Authorization

In order to specify the printing parameter 'print immediately' within a job step, the CPIC user must be authorized to access the corresponding printing device.

SPODEVICE

*

S_TMS_ACT

In order to transfer the cover page of a Spool List back to AE, it is helpful to see the parameters of the variant which was used to run the ABAP. This information is part of the cover page.

STMSACTION
STMSOBJECT
STMSOWNER

*
*
*

S_XMI_PROD

This objectAutomation Engine controlled activities and processes are structured in the form of objects. See also: Task is used to log on to the Standard Interface. Before Calling functions of an External Interface, the External Application has to Log on to the Interface.

EXTCOMPANY
EXTPRODUCT
INTERFACE

*
*
*

S_XMI_LOG

Not necessary for AE, but when using the standard interface, entries into the XMI log are created (Online Transaction Code RZ15). This authorization is required to view them or to clear the log.

-

-

S_WFAR_OBJ
ArchiveLink Authorizations for accessing Documents

AE allows the specification of Archive Parameters (object type, document type...). This includes that the printing listShows entities in a grid view of an ABAP program can be transferred to an optical archive immediately. This only makes sense if an optical archive system is installed for the SAP system.

ACTVT
OAARCHIV
OADOCUMENT
OAOBJEKTE

*
*
*
*

S_WFAR_PRI
ArchiveLink Authorizations for accessing Print Lists

In order to create printing lists within an optical archive, the CPIC user must have the corresponding authorization.

ACTVT
OAARCHIV
OADOKUMENT
OAOBJEKTE
PROGRAM

*
*
*
*
*

S_PROGRAM
ABAP: Program run checks

AE needs this authorization object to schedule ABAP programs that are assigned to authorization groups (Authorization field P_ACTION = BTCSUBMIT) and to manage variants (Authorization field P_ACTION = VARIANT).

P_ACTION
P_GROUP

BTCSUBMIT,VARIANT
*

S_SPO_ACT
Spool: Actions

In order to transfer Spool Lists not created from the CPIC user, the field SPOACTION has to allow the actions BASE and DISP for the corresponding users.

SPOACTION
SPOAUTH

BASE,DISP
*

S_ADMI_FCD
System Authorizations

In order to transfer Spool Lists not created from the CPIC user, the field S_ADMI_FCD has to allow the actions at least the actionActions are predefined building blocks for recurring activities. They are commonly used for managing third party systems or in deployment scenarios. SP0R.

S_ADMI_FCD

SP0R

S_RS_ISRCM Only needed if the Business Warehouse Function BW_ACTIVATE_CHAIN is used. RSAPPLNM RSOSOURCE RSISRCOBJ ACTVT *
*
*
*

S_RS_ISOUR Administrator Workbench - InfoSource (Flexible Update)

Only needed if the Business Warehouse Function BW_ACTIVATE_INFOPACKAGE is used and Flexible Update is used.

ACTVT RSAPPLNM RSISOURCE RSISRCOBJ

*
*
*
*

S_RS_ISOUR Administrator Workbench - InfoSource (Direct Update)

Only needed if the Business Warehouse Function BW_ACTIVATE_INFOPACKAGE is used and Direct Update is used.

ACTVT RSAPPLNM RSISOURCE RSISRCOBJ

*
*
*
*

S_DEVELOP ABAP Workbench

Only needed if the Business Warehouse Function BW_ACTIVATE_CHAIN is used.

ACTVT DEVCLASS OBJNAME OBJTYPE P_GROUP

*
*
*
*
*

S_RS_ICUBE Administrator Workbench - InfoCube

Only needed if the Business Warehouse Function BW_ACTIVATE_CHAIN is used.

ACTVT RSICUBEOBJ RSINFOAREA RSINFOCUBE

*
*
*
*

S_RS_ADMWB Administrator Workbench - Objects

Only needed if the Business Warehouse Functions are used.

ACTVT RSADMWBOBJ

*
*

S_RS_DS Only needed if the Business Warehouse Functions are used.    
S_RS_DTP Only needed if the Business Warehouse Functions are used.    
S_RS_ODSO Only needed if the Business Warehouse Functions are used.    
S_RS_PC Only needed if the Business Warehouse Functions are used.    

S_RZL_ADM

Releasing intercepted jobs (RemoteTaskManagerIt monitors and controls external Jobs that were not started by the Automation Engine (AE). An AE object type. [Formerly called "QueueManager."], R3_activate_intercepted_jobs)

ACTVT

01

S_TABU_DIS For using SAP Forms ACTVT
DICBERCLS
03
SPFL

-

No specific SAP authorizations are necessary for additional AE functions, as there is no security risk.

 

 

*) Automic recommends creating your authorizations in accordance with your naming conventions.

For using minimum AE functionality, it is necessary to provide the RFC user with a user profile that contains the authorization object S_BTCH_JOB. It must contain the standard authorization S_BTCH_ALL or an authorization where the fields are filled in as follows:

Activities in jobs: DELE, PLAN, PROT, RELE, SHOW
Summarizing jobs for a group: *

 


Automic Documentation - Tutorials - Automic Blog - Resources - Training & Services - Automic YouTube Channel - Download Center - Support

Copyright © 2016 Automic Software GmbH