(SM-2405) Managing SAP Authorizations & Roles
Table of Contents:
- 1 SNP Storage Management Authorizations
- 2 Database storage
- 3 File storage
- 4 Transparent-binary storage
- 4.1 Common authorization objects for transparent-binary storage
- 4.2 Transparent-binary on Azure ADLS Gen 2, Azure Blob
- 4.3 Transparent-binary on AWS S3
- 4.4 Transparent binary on Google cloud storage
- 4.5 Transparent-binary on Hadoop HDFS
- 4.6 Transparent binary on Application server storage (File storage)
- 4.7 Transparent binary on Blob storage (primary database)
SNP Storage Management Authorizations
To create or modify any storage, you need access to transaction /DVD/SM_SETUP.
SNP Storage Management provides you with complete control over individual actions. Authorizations can be turned on/off in the table /DVD/SM_AUTH_OBJ.
The authorization object used is /DVD/STOR. Its fields are:
STOR_ID: Restrict user access based on Storage ID.
STOR_TYPE: Restrict user access based on Storage type.
SM_ACTION: Restrict user actions.
Available actions:
SM_SETUP_EDIT: Allows the user to switch to edit mode.
DISPLAY_STORAGE: Allows the user to display storage settings (double-click on storage).
CREATE_STORAGE: Allows the user to create new storage.
EDIT_STORAGE: Allows the user to edit storage.
DELETE_STORAGE: Allows the user to delete storage.
EDIT_JCO: Allows the user to edit JCO settings.
Database storage
Every database storage requires the common authorization objects listed below plus its storage-specific authorizations (unless stated otherwise).
Common authorization objects for database storages
Authorization object S_RFC_ADM (not needed in Open SQL storages: MSSQL, DB2, SIQ, ORACLE)
Auth. field: Activity ACTVT: 03
Auth. field: Internet Communication Framework Values ICF_VALUE: -
Auth. field: Logical Destination (specified in Function Call) RFCDEST: JCO2_SERVER (name of RFC for your JCO)
Auth. field: Type of Entry in RFCDES RFCTYPE: -
Authorization object S_DEVELOP
Auth. field: Activity ACTVT: 40 (40 - Create in DB)
Auth. field: Package DEVCLASS: -
Auth. field: Object name OBJNAME: Z*, Y* (needed starting letter of tables according to customer’s naming conventions)
Auth. field: Object Type OBJTYPE: TABL
Auth. field: Authorization group ABAP/4 program P_GROUP: -
Authorization object S_GUI
Auth. field: Activity ACTVT: 61
MS Azure Synapse
Storage type: AZURE_SDSP
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Snowflake
Storage type: SNOWFLAKE
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Snowflake Snowpipe Streaming Storage (SNOWSTREAM)
Storage type: SNOWFLAKE
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Authorization object S_DEVELOP
Auth. field: Activity ACTVT: 01, 02, 03
Auth. field: Package DEVCLASS: *
Auth. field: Object name OBJNAME: Z*, Y* (needed starting letter of Views according to customer’s naming conventions)
Auth. field: Object Type OBJTYPE: FUNC, PROG
Auth. field: Authorization group ABAP/4 program P_GROUP: *
Google Big Query
Storage type: BIGQUERY
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: TMP*, /tmp/*
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_GCS_CONT_FTMP=====CP
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Amazon Redshift
Storage type: REDSHIFT
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on operations on DB: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: /tmp/*
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Hive/Impala
Storage type: SM_TRS_MS
Authorization object S_RFC_ADM
Auth. field: Activity ACTVT: 03 (03 - display)
Auth. field: Internet Communication Framework Values ICF_VALUE: -
Auth. field: Logical Destination (specified in Function Call) RFCDEST: HADOOP_SKBTSCCK21_HTTPFS (HTTP RFC destination; use the value configured in /DVD/SM_SETUP → Hive configuration → Hadoop tab)
Auth. field: Type of Entry in RFCDES RFCTYPE: -
Authorization object S_LOG_COM
Auth. field: Logical command name COMMAND: ZDVD_MKDIR
Auth. field: Name of Current Application Server HOST: vsks035 (application server name)
Auth. field: Operating System of Application Server OPSYSTEM: Linux
Authorization object S_DATASET
Auth. field: Activity ACTVT: 33 (33 - Read)
Auth. field: Physical file name FILENAME: /usr/sap/NSQ/DVEBMGS32/work/dvd_conn/JCO (path to dvdjavaconnector.jar on application server)
Auth. field: Program Name with Search Help PROGRAM: /DVD/SAPLSAP_JAVA_UTIL
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
MSSQL, Oracle, HANA DB
Storage type: SM_TRS_MSSQL, SM_TRS_ORA, SM_TRS_HDB
Authorization object S_CTS_SADM
Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL
Auth. field: Logical system DESTSYS: NSQ (SAP system name)
Auth. field: TMS: Transport Domain DOMAIN: DOMAIN_NSD (value can be found in the transaction STMS → field Transp. Domain)
Authorization object S_CTS_ADMI
Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL
Authorization object S_DEVELOP
Auth. field: Activity ACTVT: 40, 42 (40 - Create in DB, 42 - Convert to DB)
Auth. field: Package DEVCLASS: -
Auth. field: Object name OBJNAME: Z*, Y* (needed starting letter of Views according to customer’s naming conventions)
Auth. field: Object Type OBJTYPE: VIEW
Auth. field: Authorization group ABAP/4 program P_GROUP: -
SIQ
Storage type: SM_TRS_SIQ
Authorization object S_CTS_SADM
Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL
Auth. field: Logical system DESTSYS: NSQ (SAP system name)
Auth. field: TMS: Transport Domain DOMAIN: DOMAIN_NSD (value can be found in the transaction STMS → field Transp. Domain)
Authorization object S_CTS_ADMI
Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL
DB2
Storage type: SM_TRS_DB2
No additional authorizations are required.
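The /DVD/STOR actions listed at the top of the page and the per-storage object tables above are evaluated the same way: a check passes only when one authorization instance of the object grants every field. As an added example (not SNP's code), the following Python models that matching and audits two constructed roles against what editing an MSSQL storage (SM_TRS_MSSQL) requires. The storage ID MSSQL_ARCHIVE, the table and view names, and both roles are assumptions; the object, field and value names come from the page.

```python
"""SAP-style authorization check (added example, not SNP's code): '*' is
unrestricted, a trailing '*' is a prefix pattern, anything else is exact.
Storage ID, table/view names and the roles below are constructed."""

def value_matches(granted: str, actual: str) -> bool:
    if granted == "*":
        return True
    if granted.endswith("*"):          # e.g. 'Z*' for customer-namespace objects
        return actual.startswith(granted[:-1])
    return granted == actual

def authorized(role, obj, needed) -> bool:
    """True if ONE instance of `obj` in `role` satisfies EVERY field in `needed`."""
    return any(
        all(any(value_matches(g, v) for g in auth.get(f, ())) for f, v in needed.items())
        for o, auth in role if o == obj
    )

def missing(role, required):
    """Required accesses (object, fields) that the role does not grant."""
    return [(o, f) for o, f in required if not authorized(role, o, f)]

# Accesses needed to EDIT an MSSQL storage: the /DVD/STOR action, the common
# database-storage objects (S_RFC_ADM is not needed for Open SQL storages) and the
# SM_TRS_MSSQL-specific objects from the tables above.
REQUIRED_EDIT_MSSQL = [
    ("/DVD/STOR", {"STOR_ID": "MSSQL_ARCHIVE", "STOR_TYPE": "SM_TRS_MSSQL", "SM_ACTION": "EDIT_STORAGE"}),
    ("S_GUI", {"ACTVT": "61"}),
    ("S_DEVELOP", {"ACTVT": "40", "OBJTYPE": "TABL", "OBJNAME": "ZSNP_ARCH01"}),
    ("S_CTS_SADM", {"CTS_ADMFCT": "TABL", "DESTSYS": "NSQ", "DOMAIN": "DOMAIN_NSD"}),
    ("S_CTS_ADMI", {"CTS_ADMFCT": "TABL"}),
    ("S_DEVELOP", {"ACTVT": "42", "OBJTYPE": "VIEW", "OBJNAME": "ZSNP_ARCH01_V"}),
]

# Constructed least-privilege role: may display MSSQL storages and create Z*/Y* tables only.
ROLE_DISPLAY_ONLY = [
    ("/DVD/STOR", {"STOR_ID": {"*"}, "STOR_TYPE": {"SM_TRS_MSSQL"}, "SM_ACTION": {"DISPLAY_STORAGE"}}),
    ("S_GUI", {"ACTVT": {"61"}}),
    ("S_DEVELOP", {"ACTVT": {"40"}, "DEVCLASS": {"*"}, "OBJNAME": {"Z*", "Y*"}, "OBJTYPE": {"TABL"}, "P_GROUP": {"*"}}),
    ("S_CTS_ADMI", {"CTS_ADMFCT": {"TABL"}}),
]

# Constructed storage-administrator role: display role plus edit/transport/view grants, scoped to MSSQL_* storages.
ROLE_STORAGE_ADMIN = ROLE_DISPLAY_ONLY + [
    ("/DVD/STOR", {"STOR_ID": {"MSSQL_*"}, "STOR_TYPE": {"SM_TRS_MSSQL"}, "SM_ACTION": {"SM_SETUP_EDIT", "EDIT_STORAGE"}}),
    ("S_CTS_SADM", {"CTS_ADMFCT": {"TABL"}, "DESTSYS": {"NSQ"}, "DOMAIN": {"DOMAIN_NSD"}}),
    ("S_DEVELOP", {"ACTVT": {"40", "42"}, "DEVCLASS": {"*"}, "OBJNAME": {"Z*"}, "OBJTYPE": {"VIEW"}, "P_GROUP": {"*"}}),
]
```

Running `missing(ROLE_DISPLAY_ONLY, REQUIRED_EDIT_MSSQL)` reports the /DVD/STOR edit action, the absent S_CTS_SADM instance and the S_DEVELOP 42/VIEW grant as gaps, while the administrator role reports none; the same composition (common objects plus storage-specific ones) applies to the file and transparent-binary storages below.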
File storage
Every file storage requires the common authorization objects for file storage listed below plus its storage-specific authorizations.
Common authorization objects for file storage
Authorization object S_RFC_ADM (not needed in Open SQL storages: MSSQL, DB2, SIQ, ORACLE)
Auth. field: Activity ACTVT: 03
Auth. field: Internet Communication Framework Values ICF_VALUE: -
Auth. field: Logical Destination (specified in Function Call) RFCDEST: JCO2_SERVER (name of RFC for your JCO /DVD/JCO_MNG)
Auth. field: Type of Entry in RFCDES RFCTYPE: -
Authorization object S_GUI
Auth. field: Activity ACTVT: 61
MS Azure ADLS Gen 2 + Azure Blob
Storage type: ADLS_GEN2, AZURE_BLOB
No additional authorizations are required.
AWS S3
Storage type: AWS_S3
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on operations on DB: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: /tmp/*
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Google cloud storage
Storage type: GCS
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: *
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_GCS_CONT_FTMP=====CP
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
HDFS (Hadoop Distributed File System)
Storage type: HADOOP
Authorization object S_RFC_ADM
Auth. field: Activity ACTVT: 03 (03 - display)
Auth. field: Internet Communication Framework Values ICF_VALUE: -
Auth. field: Logical Destination (specified in Function Call) RFCDEST: HADOOP_SKBTSCCK21_HTTPFS (HTTP RFC destination; use the value configured in /DVD/SM_SETUP → Hive configuration → Hadoop tab)
Auth. field: Type of Entry in RFCDES RFCTYPE: -
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Application server storage (File storage)
Storage type: BINFILE
Authorization object S_LOG_COM
Auth. field: Logical command name COMMAND: ZDVD_MKDIR, ZDVD_CHCKDIR, ZDVD_RMDIR
Auth. field: Name of Current Application Server HOST: vsks035 (application server name)
Auth. field: Operating System of Application Server OPSYSTEM: Linux
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: /tmp/*
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_CL_FILE_STORAGE=======CP, /DVD/SM_CL_FILE_CONTAINER=====CP
Blob storage (primary database)
Storage type: BLOB
Authorization object S_DEVELOP
Auth. field: Activity ACTVT: 40
Auth. field: Package DEVCLASS: *
Auth. field: Object name OBJNAME: Z*, Y* (needed starting letter of tables according to customer’s naming conventions)
Auth. field: Object Type OBJTYPE: TABL
Auth. field: Authorization group ABAP/4 program P_GROUP: *
Snowflake internal stage
Storage type: BLOB
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Transparent-binary storage
Transparent binary storage adds logic on top of a file storage so that it behaves like a classic transparent relational database storage.
The functionality is available for the following file storages:
MS Azure ADLS Gen 2, Azure Blob
AWS S3
Google Cloud Storage
HDFS
Files stored on a standard file system
Blob storage (primary database)
This storage requires the common authorization objects listed below plus the authorizations of the underlying file storage, which are described in the sections that follow.
Storage type: SM_TRS_BIN
Common authorization objects for transparent-binary storage
Authorization object S_RFC_ADM (not needed in Open SQL storages: MSSQL, DB2, SIQ, ORACLE)
Auth. field: Activity ACTVT: 03
Auth. field: Internet Communication Framework Values ICF_VALUE: -
Auth. field: Logical Destination (specified in Function Call) RFCDEST: JCO2_SERVER (name of RFC for your JCO /DVD/JCO_MNG)
Auth. field: Type of Entry in RFCDES RFCTYPE: -
Authorization object S_CTS_SADM
Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL
Auth. field: Logical system DESTSYS: NSQ (SAP system name)
Auth. field: TMS: Transport Domain DOMAIN: DOMAIN_NSD (value can be found in the transaction STMS → field Transp. Domain)
Authorization object S_CTS_ADMI
Auth. field: Administration Tasks for Change and Transport System CTS_ADMFCT: TABL
Authorization object S_GUI
Auth. field: Activity ACTVT: 61
Transparent-binary on Azure ADLS Gen 2, Azure Blob
No additional authorizations are required.
Transparent-binary on AWS S3
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on operations on DB: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: /tmp/*
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_AWSS3_CL_CONT_FTMPCP
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Transparent binary on Google cloud storage
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: *
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_BIN_GCS_CONT_FTMP=====CP
Authorization object /DVD/RL
Auth. field: Activity ACTVT: 16 (16 - Execute)
Transparent-binary on Hadoop HDFS
Authorization object S_RFC_ADM
Auth. field: Activity ACTVT: 03 (03 - display)
Auth. field: Internet Communication Framework Values ICF_VALUE: -
Auth. field: Logical Destination (specified in Function Call) RFCDEST: HADOOP_SKBTSCCK21_HTTPFS (HTTP RFC destination; use the value configured in /DVD/SM_SETUP → Hive configuration → Hadoop tab)
Auth. field: Type of Entry in RFCDES RFCTYPE: -
Transparent binary on Application server storage (File storage)
Authorization object S_LOG_COM
Auth. field: Logical command name COMMAND: ZDVD_MKDIR, ZDVD_CHCKDIR, ZDVD_RMDIR
Auth. field: Name of Current Application Server HOST: vsks035 (application server name)
Auth. field: Operating System of Application Server OPSYSTEM: Linux
Authorization object S_DATASET
Auth. field: Activity ACTVT: 06, 33, 34 (this depends on DB operations: 06 - Delete, 33 - Read, 34 - Write, A6 - Read with filter, A7 - Write with filter)
Auth. field: Physical file name FILENAME: /tmp/*
Auth. field: Program Name with Search Help PROGRAM: /DVD/SM_CL_FILE_STORAGE=======CP, /DVD/SM_CL_FILE_CONTAINER=====CP
Transparent binary on Blob storage (primary database)
No additional authorizations are required.