(SM-2305) Managing SAP Authorizations & Roles

SNP Storage Management Authorizations

For the creation or modification of any storage, you need access to transaction /DVD/SM_SETUP.

SNP Storage Management provides you with complete control over individual actions. Authorizations can be turned on/off in the table /DVD/SM_AUTH_OBJ.

The authorization object used is /DVD/STOR. Its fields are:

  • STOR_ID: Restrict user access based on Storage ID.

  • STOR_TYPE: Restrict user access based on Storage type.

  • SM_ACTION: Restrict user actions.

Available actions:

  • SM_SETUP_EDIT: Allows the user to switch to edit mode.

  • DISPLAY_STORAGE: Allows the user to display storage settings (double-click on storage).

  • CREATE_STORAGE: Allows the user to create new storage.

  • EDIT_STORAGE: Allows the user to edit storage.

  • DELETE_STORAGE: Allows the user to delete storage.

  • EDIT_JCO: Allows the user to edit JCO settings.

Database storage

Database storage requires the common authorization objects listed below plus the storage-specific authorizations described under each storage type (unless stated otherwise).

Common authorization objects for database storages

Authorization object S_RFC_ADM (not needed in Open SQL storages: MSSQL, DB2, SIQ, ORACLE).

  • Auth. field: Activity ACTVT: 03

  • Auth. field: Internet Communication Framework Values ICF_VALUE: -

  • Auth. field: Logical Destination (specified in Function Call) RFCDEST: JCO2_SERVER (name of RFC for your JCO)

  • Auth. field: Type of Entry in RFCDES RFCTYPE: -

Authorization object S_DEVELOP

  • Auth. field: Activity ACTVT: 40 (40 - Create in DB)

  • Auth. field: Package DEVCLASS: -

  • Auth. field: Object name OBJNAME: Z*, Y* (needed starting letter of tables according to customer’s naming conventions)

  • Auth. field: Object Type OBJTYPE: TABL

  • Auth. field: Authorization group ABAP/4 program P_GROUP: -

Authorization object S_GUI

  • Auth. field: Activity ACTVT: 61

MS Azure Synapse

Storage type: AZURE_SDSP

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Snowflake

Storage type: SNOWFLAKE

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Google BigQuery

Storage type: BIGQUERY

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: TMP*, /tmp/*

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_GCS_CONT_FTMP=====CP

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Amazon Redshift

Storage type: REDSHIFT

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on operations on DB: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: /tmp/*

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Hive/Impala

Storage type: SM_TRS_MS

Authorization object S_RFC_ADM

  • Auth. field: Activity ACTVT: 03 (03 - display)

  • Auth. field: Internet Communication Framework Values ICF_VALUE: -

  • Auth. field: Logical Destination (specified in Function Call) RFCDEST: HADOOP_SKBTSCCK21_HTTPFS (HTTP RFC destination, this will be a value in /DVD/SM_SETUP → Hive configuration → Hadoop tab)

  • Auth. field: Type of Entry in RFCDES RFCTYPE: -

Authorization object S_LOG_COM

  • Auth. field: Logical command name COMMAND: ZDVD_MKDIR

  • Auth. field: Name of Current Application Server HOST: vsks035 (application server name)

  • Auth. field: Operating System of Application Server OPSYSTEM: Linux

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 33 (33 - Read)

  • Auth. field: Physical file name FILENAME: /usr/sap/NSQ/DVEBMGS32/work/dvd_conn/JCO (path to dvdjavaconnector.jar on application server)

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SAPLSAP_JAVA_UTIL

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

MSSQL, Oracle, HANA DB

Storage type: SM_TRS_MSSQL, SM_TRS_ORA, SM_TRS_HDB

Authorization object S_CTS_SADM

  • Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL

  • Auth. field: Logical system DESTSYS: NSQ (SAP system name)

  • Auth. field: TMS: Transport Domain DOMAIN: DOMAIN_NSD (value can be found in the transaction STMS → field Transp. Domain)

Authorization object S_CTS_ADMI

  • Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL

Authorization object S_DEVELOP

  • Auth. field: Activity ACTVT: 40, 42 (40 - Create in DB, 42 - Convert to DB)

  • Auth. field: Package DEVCLASS: -

  • Auth. field: Object name OBJNAME: Z*, Y* (needed starting letter of Views according to customer’s naming conventions)

  • Auth. field: Object Type OBJTYPE: VIEW

  • Auth. field: Authorization group ABAP/4 program P_GROUP: -

SIQ

Storage type: SM_TRS_SIQ

Authorization object S_CTS_SADM

  • Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL

  • Auth. field: Logical system DESTSYS: NSQ (SAP system name)

  • Auth. field: TMS: Transport Domain DOMAIN: DOMAIN_NSD (value can be found in the transaction STMS → field Transp. Domain)

Authorization object S_CTS_ADMI

  • Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL

DB2

Storage type: SM_TRS_DB2

No additional authorizations are required.

File storage

File storage requires the common authorization objects for file storage listed below plus the storage-specific authorizations described under each storage type.

Common authorization objects for file storage

Authorization object S_RFC_ADM (not needed in Open SQL storages: MSSQL, DB2, SIQ, ORACLE)

  • Auth. field: Activity ACTVT: 03

  • Auth. field: Internet Communication Framework Values ICF_VALUE: -

  • Auth. field: Logical Destination (specified in Function Call) RFCDEST: JCO2_SERVER (name of RFC for your JCO /DVD/JCO_MNG)

  • Auth. field: Type of Entry in RFCDES RFCTYPE: -

Authorization object S_GUI

  • Auth. field: Activity ACTVT: 61

MS Azure ADLS Gen 2 + Azure Blob

Storage type: ADLS_GEN2, AZURE_BLOB

No additional authorizations are required.

AWS S3

Storage type: AWS_S3

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on operations on DB: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: /tmp/*

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)
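As an added example (not SNP's own code), the following Python script checks one role's exported authorization values against the AWS_S3 requirements above and reports both missing values and over-broad wildcards, such as FILENAME `*` granted where the page only needs `/tmp/*`. The row shape (OBJECT, FIELD, LOW, like an AGR_1251 extract) and the sample role are assumptions; the same check applies to any storage type on this page by swapping in that type's required table.

```python
"""Audit one SAP role's values against the S_DATASET and /DVD/RL requirements for
AWS_S3.  Added example, not SNP code; the OBJECT/FIELD/LOW row shape is assumed."""

# Requirements for storage type AWS_S3, taken from the page.
REQUIRED_AWS_S3 = {
    ("S_DATASET", "ACTVT"): {"06", "33", "34"},
    ("S_DATASET", "FILENAME"): {"/tmp/*"},
    ("S_DATASET", "PROGRAM"): {"/DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP"},
    ("/DVD/RL", "ACTVT"): {"16"},
}

def sap_match(granted: str, required: str) -> bool:
    """Simplified SAP authorization value semantics: '*' alone covers everything,
    a trailing '*' is a prefix wildcard, anything else must match exactly."""
    if granted == "*":
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required

def audit_role(rows: list, required: dict) -> dict:
    """Return the required values the role lacks ('missing') and the wildcard
    grants that are wider than what the page asks for ('too_broad')."""
    granted = {}
    for r in rows:
        granted.setdefault((r["OBJECT"], r["FIELD"]), set()).add(r["LOW"])
    missing, too_broad = [], []
    for key, needed in required.items():
        have = granted.get(key, set())
        for value in sorted(needed):
            if not any(sap_match(g, value) for g in have):
                missing.append((*key, value))
        for g in sorted(have):
            # e.g. FILENAME '*' where the page only needs '/tmp/*'
            if g.endswith("*") and g not in needed:
                too_broad.append((*key, g))
    return {"missing": missing, "too_broad": too_broad}

# Constructed sample export: the role lacks S_DATASET ACTVT 06 and /DVD/RL
# entirely, and grants FILENAME '*' instead of '/tmp/*'.
SAMPLE_ROLE = [
    {"OBJECT": "S_DATASET", "FIELD": "ACTVT", "LOW": "33"},
    {"OBJECT": "S_DATASET", "FIELD": "ACTVT", "LOW": "34"},
    {"OBJECT": "S_DATASET", "FIELD": "FILENAME", "LOW": "*"},
    {"OBJECT": "S_DATASET", "FIELD": "PROGRAM", "LOW": "/DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP"},
]

if __name__ == "__main__":
    for kind, items in audit_role(SAMPLE_ROLE, REQUIRED_AWS_S3).items():
        print(kind, items)
```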

Google Cloud Storage

Storage type: GCS

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: *

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_GCS_CONT_FTMP=====CP

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

HDFS (Hadoop Distributed File System)

Storage type: HADOOP

Authorization object S_RFC_ADM

  • Auth. field: Activity ACTVT: 03 (03 - display)

  • Auth. field: Internet Communication Framework Values ICF_VALUE: -

  • Auth. field: Logical Destination (specified in Function Call) RFCDEST: HADOOP_SKBTSCCK21_HTTPFS (HTTP RFC destination, this will be a value in /DVD/SM_SETUP → Hive configuration → Hadoop tab)

  • Auth. field: Type of Entry in RFCDES RFCTYPE: -

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Application server storage (File storage)

Storage type: BINFILE

Authorization object S_LOG_COM

  • Auth. field: Logical command name COMMAND: ZDVD_MKDIR, ZDVD_CHCKDIR, ZDVD_RMDIR

  • Auth. field: Name of Current Application Server HOST: vsks035 (application server name)

  • Auth. field: Operating System of Application Server OPSYSTEM: Linux

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: /tmp/*

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_CL_FILE_STORAGE=======CP, /DVD/SM_CL_FILE_CONTAINER=====CP

Blob storage (primary database)

Storage type: BLOB

Authorization object S_DEVELOP

  • Auth. field: Activity ACTVT: 40 (40 - Create in DB)

  • Auth. field: Package DEVCLASS: -

  • Auth. field: Object name OBJNAME: Z*, Y* (needed starting letter of tables according to customer’s naming conventions)

  • Auth. field: Object Type OBJTYPE: TABL

  • Auth. field: Authorization group ABAP/4 program P_GROUP: -

Snowflake internal stage

Storage type: BLOB

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Transparent-binary storage

Transparent-binary storage adds logic on top of file storage to provide classic, transparent RDB-like table functionality.

The functionality is available for the following file storage:

  • MS Azure ADLS Gen 2, Azure Blob

  • AWS S3

  • Google Cloud Storage

  • HDFS

  • Files stored on a standard file system

  • Blob storage (primary database)

This storage requires the authorizations from the common section below; the authorizations for each underlying file storage are described in the separate sections that follow.

Storage type: SM_TRS_BIN

Common authorization objects for transparent-binary storage

Authorization object S_RFC_ADM (not needed in Open SQL storages: MSSQL, DB2, SIQ, ORACLE)

  • Auth. field: Activity ACTVT: 03

  • Auth. field: Internet Communication Framework Values ICF_VALUE: -

  • Auth. field: Logical Destination (specified in Function Call) RFCDEST: JCO2_SERVER (name of RFC for your JCO /DVD/JCO_MNG)

  • Auth. field: Type of Entry in RFCDES RFCTYPE: -

Authorization object S_CTS_SADM

  • Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL

  • Auth. field: Logical system DESTSYS: NSQ (SAP system name)

  • Auth. field: TMS: Transport Domain DOMAIN: DOMAIN_NSD (value can be found in the transaction STMS → field Transp. Domain)

Authorization object S_CTS_ADMI

  • Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL

Authorization object S_GUI

  • Auth. field: Activity ACTVT: 61

Transparent-binary on Azure ADLS Gen 2, Azure Blob

No additional authorizations are required.

Transparent-binary on AWS S3

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on operations on DB: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: /tmp/*

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Transparent-binary on Google Cloud Storage

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: *

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_GCS_CONT_FTMP=====CP

Authorization object /DVD/RL

  • Auth. field: Activity ACTVT: 16 (16 - Execute)

Transparent-binary on Hadoop HDFS

Authorization object S_RFC_ADM

  • Auth. field: Activity ACTVT: 03 (03 - display)

  • Auth. field: Internet Communication Framework Values ICF_VALUE: -

  • Auth. field: Logical Destination (specified in Function Call) RFCDEST: HADOOP_SKBTSCCK21_HTTPFS (HTTP RFC destination, this will be a value in /DVD/SM_SETUP → Hive configuration → Hadoop tab)

  • Auth. field: Type of Entry in RFCDES RFCTYPE: -

Transparent-binary on Application server storage (File storage)

Authorization object S_LOG_COM

  • Auth. field: Logical command name COMMAND: ZDVD_MKDIR, ZDVD_CHCKDIR, ZDVD_RMDIR

  • Auth. field: Name of Current Application Server HOST: vsks035 (application server name)

  • Auth. field: Operating System of Application Server OPSYSTEM: Linux

Authorization object S_DATASET

  • Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)

  • Auth. field: Physical file name FILENAME: /tmp/*

  • Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_CL_FILE_STORAGE=======CP, /DVD/SM_CL_FILE_CONTAINER=====CP

Transparent-binary on Blob storage (primary database)

No additional authorizations are required.