/
(OH-2202) Required SAP authorisations per task

(OH-2202) Required SAP authorisations per task

Owned by SNP
Feb 11, 2022
6 min read

We were often asked to provide just a minimal set of authorizations due to security audit reasons. Therefore here you can find the required authorizations for particular housekeeping activity. You are then able to create a special role that will contain only authorizations that are needed for the execution of desired housekeeping activities.

Common authorizations for execution

These authorizations are commonly requested for the execution of the HK activity on satellite systems and these are minimal authorization to execute any activity.

Object

Field

Value

Object

Field

Value

S_RFC

ACTVT

16

S_RFC

RFC_NAME

SYST, /DVD/FS_RFC, /DVD/FS_TASK, SUNI, /DVD/FS_TH, /DVD/FS_SET,

S_RFC

RFC_TYPE

FUGR

S_BTCH_ADM

BTCADMIN

Y

S_BTCH_JOB

JOBACTION

RELE

S_BTCH_JOB

JOBGROUP

''

/DVD/ERNA

/DVD/FSGRP

SYS

/DVD/ERNA

/DVD/FSTSK

EXEC

/DVD/ERNA

/DVD/FSACT

03

/DVD/RL

ACTVT

16

Application logs

No additional authorization is needed.

RFC Logs Deletion

No additional authorization is needed.

TemSe Objects Consistency Check

No additional authorization is needed.

XML Messages Deletion

Exact in /dvd/erna_user

Object

Field

Value

Object

Field

Value

S_XMB_AUTH

SXMBAREA

CONFIG, MESSAGE

S_XMB_AUTH

ACTVT

02, 65

Single Z* Table Cleanup

No additional authorization is needed.

HANA Audit Log Cleanup

No additional authorization is needed.

HANA Traces Cleanup

No additional authorization is needed.

DB Statistics Rebuild

No additional authorization is needed.

Outboard Archiving for ERP - perf. statistics cleanup

Object

Field

Value

Object

Field

Value

S_APPL_LOG

ALG_OBJECT

/DVD/CRP

S_APPL_LOG

ALG_SUBOBJ

/DVD/CRP_STAT

S_APPL_LOG

ACTVT

03

S_GUI

ACTVT

61

S_SPO_DEV

SPODEVICE

LP01

 

Intermediate Documents Archiving

Object

Field

Value

Object

Field

Value

S_IDOCCTRL

ACTVT

24

S_IDOCCTRL

EDI_TCD

 

S_ARCHIVE

APPLIC

BC

S_ARCHIVE

ARCH_OBJ

IDOC

S_ARCHIVE

ACTVT

01

Work Items Archiving

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

ST0R

S_ARCHIVE

APPLIC

BC

S_ARCHIVE

ARCH_OBJ

WORKITEM

S_ARCHIVE

ACTVT

01

Change Documents Archiving

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

ST0R

S_ARCHIVE

APPLIC

BC

S_ARCHIVE

ARCH_OBJ

CHANGEDOCU

S_ARCHIVE

ACTVT

01

S_SCD0_OBJ

ACTVT

12

S_SCD0_OBJ

OBJECTCLAS

<Change Document Objects, that you want to archive> or use * to allow all values

Links Deletion between ALE and IDocs

Object

Field

Value

Object

Field

Value

S_GUI

ACTVT

61

IDocs deletion

Object

Field

Value

Object

Field

Value

S_IDOCCTRL

ACTVT

06

S_IDOCCTRL

EDI_TCD

WE11

PLOG

PLVAR

01

PLOG

OTYPE

 

PLOG

INFOTYP

AP, ID, ME, TS, WS

PLOG

SUBTYP

 

PLOG

ISTAT

 

PLOG

PPFCODE

 

IDocs Deletion (Central system release >= 740)

Object

Field

Value

Object

Field

Value

S_IDOCCTRL

ACTVT

06

S_IDOCCTRL

EDI_TCD

WE11

PLOG

PLVAR

01

PLOG

OTYPE

 

PLOG

INFOTYP

AP, ID, ME, TS, WS

PLOG

SUBTYP

 

PLOG

ISTAT

 

PLOG

PPFCODE

DISP

BCS Reorganization of Documents and Send Requests

Object

Field

Value

Object

Field

Value

S_OC_ROLE

OFFADMI

ADMINISTRATOR

S_GUI

ACTVT

61

Documents from Hidden Folder Deletion

Object

Field

Value

Object

Field

Value

S_OC_ROLE

OFFADMI

ADMINISTRATOR

S_GUI

ACTVT

61

Reorganization Program for Table SNAP of Short Dumps

Missing authorization in /DVD/ERNA_USER

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

ST22

Table Log Database Management

Object

Field

Value

Object

Field

Value

S_TCODE

TCD

SCU3_DEL

S_TABU_NAM

ACTVT

02

S_TABU_NAM

TABLE

DBTABLOG

S_TABU_CLI

CLIIDMAINT

X

Spool Administration

Object

Field

Value

Object

Field

Value

S_TCODE

TCD

SPAD

S_ADMI_FCD

S_ADMI_FCD

SPAD, PADM, SPAA, SPAB, SPAC

Tool for Analyzing and Processing VB Request

No additional authorization is needed.

Delete Statistics Data from the Job Run-time Statistics

No additional authorization is needed.

Batch Input: Reorganize Sessions and Logs

Object

Field

Value

Object

Field

Value

S_BDC_MONI

BDCAKTI

REOG

S_BDC_MONI

BDCGROUPID

*

Delete Old Spool Requests

Object

Field

Value

Object

Field

Value

S_SPO_ACT

SPOACTION

BASE, DELE

S_SPO_ACT

SPOAUTH

<user names who’s spool's can be processed> or use * to allow all values

S_ADMI_FCD

S_ADMI_FCD

SP0R, SPAD

Deletion of Jobs

Object

Field

Value

Object

Field

Value

S_GUI

ACTVT

61

Orphaned Job Logs Deletion

Object

Field

Value

Object

Field

Value

S_BTCH_JOB

JOBACTION

DELE

S_BTCH_JOB

JOBGROUP

*

Spool Files Consistency Check

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

SPAD

Administration Tables for Bg Processing Consistency Check

No additional authorization is needed.

Orphaned Temporary Variants Deletion

No additional authorization is needed.

Reorganization of Print Parameters for Background Jobs

Object

Field

Value

Object

Field

Value

S_GUI

ACTVT

61

Reorganization of XMI Logs

Object

Field

Value

Object

Field

Value

S_XMI_LOG

XMILOGACC

REORG

Delete History Entries for Processed XML Messages

Object

Field

Value

Object

Field

Value

S_XMB_AUTH

SXMBAREA

MESSAGE

S_XMB_AUTH

ACTVT

65

Spool Data Consistency Check in Background

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

SPAD

ADSO ChangeLog cleanup

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

PSA Cleanup

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

ChangeLog Cleanup

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

Cube Compression Analysis

No additional authorization is needed.

Cube Compression

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

S_RS_TR

RSTLOGOSRC

ODSO

S_RS_TR

RSSTTRSRC

 

S_RS_TR

RSOBJNMSRC

<Name of the source object> or use * to allow all values

S_RS_TR

RSTLOGOTGT

CUBE

S_RS_TR

RSSTTRTGT

 

S_RS_TR

RSOBJNMTGT

<Name of the cube for compression object> or use * to allow all values

S_RS_TR

ACTVT

03

Cube DB Statistics Rebuild [OBSOLETE]

No additional authorization is needed.

BI Background Processes Deletion

No additional authorization is needed.

BW Statistics Deletion

No additional authorization is needed.

Bookmark Cleanup

No additional authorization is needed.

Web Template Cleanup

No additional authorization is needed.

Precalculated Web Template Cleanup

No additional authorization is needed.

Unused Dimension Entries of an InfoCube Cleanup

No additional authorization is needed.

Query Objects Deletion

Object

Field

Value

Object

Field

Value

S_RS_COMP

RSINFOAREA

<InfoAreas that you can process> or use * to allow all values

S_RS_COMP

RSINFOCUBE

<InfoProvider that you can process> or use * to allow all values

S_RS_COMP

RSZCOMPTP

REP

S_RS_COMP

RSZCOMPID

<Name of the queries that you want to process> or use * to allow all values

S_RS_COMP

ACTVT

03, 06

S_RS_COMP1

RSZCOMPID

<Name of the queries that you want to process> or use * to allow all values

S_RS_COMP1

RSZCOMPTP

REP

S_RS_COMP1

RSZOWNER

<User name of the owner of the query> or use * to allow all values

S_RS_COMP1

ACTVT

03, 06

S_ALV_LAYO

ACTVT

23

S_CTS_ADMI

CTS_ADMFCT

TABL

Workbook and Role Storage Cleanup

Object

Field

Value

Object

Field

Value

S_USER_AGR

ACT_GROUP

<Authorisation roles that you can process> or use * to allow all values

S_USER_AGR

ACTVT

02

S_USER_TCD

TCD

*

BusinessObjects: Office Cleanup

No additional authorization is needed.

Workbook Cleanup

Object

Field

Value

Object

Field

Value

S_BDS_DS

ACTVT

30

S_BDS_DS

CLASSNAME

BW_CATALOG

S_BDS_DS

CLASSTYPE

OT

Tables Buffering on Application Server

No additional authorization is needed.

Number Range Buffering

No additional authorization is needed.

Enablement for archiving request admin. data for ADSOs

No additional authorization is needed.

Archiving of Request Administration Data

Object

Field

Value

Object

Field

Value

S_ARCHIVE

APPLIC

BW

S_ARCHIVE

ARCH_OBJ

BWREQARCH

S_ARCHIVE

ACTVT

01, 02

Archiving of BI Authorization Protocols

Object

Field

Value

Object

Field

Value

S_ARCHIVE

APPLIC

BW

S_ARCHIVE

ARCH_OBJ

RSECPROT

S_ARCHIVE

ACTVT

01

BW Request Status Management cleanup

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

S_RS_ADSO

RSINFOAREA

<InfoAreas that you can process> or use * to allow all values

S_RS_ADSO

RSOADSONM

<ADSO name>

S_RS_ADSO

RSOADSOPAR

DATA

S_RS_ADSO

ACTVT

06

S_GUI

ACTVT

61

S_SPO_DEV

SPODEVICE

LP01

Metadata of object versions cleanup

Object

Field

Value

Object

Field

Value

S_RS_HIST

RSTLOGO

ADSO, APCO, AREA, CUBE, DAPA, DTPA, EVEN, FBPA, HCPR, IOBC, IOBJ, ISCS, ISET, ISFS, ISIP, ISMP, ISTD, LPOA, MPRO, ODSO, ROUT, RSDS, RSPC, RSPT, RSPV, TRFN, UPDR

S_RS_HIST

RSOBJNAME

*

S_RS_HIST

ACTVT

V4

Deletion of orphaned Entries in Errorstack/Log

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

S_RS_TR

RSTLOGOSRC

<Type of source> or use * to allow all values

S_RS_TR

RSSTTRSRC

<Subtype of the Source> or use * to allow all values

S_RS_TR

RSOBJNMSRC

<Source> or use * to allow all values

S_RS_TR

RSTLOGOTGT

<Type of target> or use * to allow all values

S_RS_TR

RSSTTRTGT

<Subtype of the Target> or use * to allow all values

S_RS_TR

RSOBJNMTGT

<Target> or use * to allow all values

S_RS_TR

ACTVT

03

Clean up the DTP Runtime Buffer

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

Operational Delta Queue cleanup

Object

Field

Value

Object

Field

Value

S_PROGRAM

P_GROUP

SODQADM

S_PROGRAM

P_ACTION

VARIANT, SUBMIT

Process Chain Logs and Assigned Process Logs Deletion

No additional authorization is needed.

Process Chain Instances Deletion

No additional authorization is needed.

Automatic Deletion of Request Info in Master Data/Text Prov.

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

Unused Master Data Deletion

No additional authorization is needed.

Error Handling Logs Analysis

No additional authorization is needed.

Error Handling Logs Deletion

No additional authorization is needed.

PSA Requests Error Logs Deletion

No additional authorization is needed.

Zero Elimination After Compression

No additional authorization is needed.

Cluster Table Reorganization

No additional authorization is needed.

BEx Web Application Bookmarks Cleanup

Object

Field

Value

Object

Field

Value

S_RFC

RFC_TYPE

FUGR

S_RFC

RFC_NAME

SBDC

S_RFC

ACTVT

16

S_TCODE

TCD

/DVD/FS_RSRD_AD_BM

BEx Web Application 3.x Bookmarks Cleanup

Object

Field

Value

Object

Field

Value

S_TCODE

TCD

/DVD/FS_RSRD_AD_BM3X

BEx Broadcaster Bookmarks Cleanup

Object

Field

Value

Object

Field

Value

S_RS_ADMWB

RSADMWBOBJ

BR_SETTING

S_RS_ADMWB

ACTVT

03, 16, 23

S_BTCH_JOB

JOBACTION

DELE, RELE

S_BTCH_JOB

JOBGROUP

*

Jobs without Variants Deletion

No additional authorization is needed.

Delete BW RSTT Traces

Object

Field

Value

Object

Field

Value

S_RS_RSTT

RSTTBOBJ

TRACE

S_RS_RSTT

USER

<User Name in User Master Record> or use * to allow all values

S_RS_RSTT

ACTVT

06

Deletion of old runID

No additional authorization is needed.

RecycleBin Cleanup

No additional authorization is needed.

RecycleBin Size Recalculation

No additional authorization is needed.

Task Analysis

Object

Field

Value

Object

Field

Value

S_ADMI_FCD

S_ADMI_FCD

PADM

/DVD/RLANM

ACTVT

16

Scheduling of System Lock

No additional authorization is needed.

Cancel Scheduled System Lock (ad hoc)

No additional authorization is needed.