Skip to end of metadata
Go to start of metadata

Purpose

The purpose of this wiki is to explain how to set granular level rights for a user in Central Management Console for various access levels into Data Services Application.

Overview

Data Services installation creates a few pre-defined groups such as Data Services Administrator usergroup, monitor usergroup, operator usergroup with pre-defined set of rights. The details on the pre-defined groups can be found in attached Knowledge Base Article 1601652. However if the rights set by the pre-defined groups does not fit access related requirements in your organization you can set rights for users or groups at granular level to grant or deny specific rights. You can also create a custom access level with required rights. This wiki doesn't user any pre-defined access levels and walks you through setting rights at granular level for a user for performing various tasks.

Rights for accessing Data Services Management Console

  1. Create a user ‘testuser’ in CMC.
  2. Logon to Management Console as ‘testuser’, you can logon because Everyone usergroup has view access on Data Services Application. But all options are grayed out and you get error: 

    No Repository found. Please contact Administrator to register the repository in the Central Management Console.

  3. To get pass the above error 'testuser' needs at least 'view' rights on one or more repositories. in CMC > Data Services > Right click on Data Services and select user security to grant rights on all associated resitories or right click on a specific repository and select user security to grant view rights on that specific repository.

  4. Select through Add Principal > Select ‘testuser’ > Add and Assign Security > Inherit from Parent Folder and Inherit From parent Group should be checked by default > Select View Access level and click ok. If the user will also schedule jobs then along with View a minimum of Edit Objects granular right set granted is needed.

To restrict access to DataServices management console for a user

  1. In CMC > Applications > Data Services Application > User Security > Add Principal > Select ‘testuser’ > Add and Assign Security > Inherit from Parent Folder and Inherit From parent Group should be checked by default > Click Remove Access
  2. Logon to Management Console as ‘testuser’. You get error:  Access denied to Data Services application. (BODI-3011017)

To allow user to see Administrator Page in Management Console

  1. In CMC > Applications > Data Services Application > User Security > Add Principal > Select ‘testuser’ > Add and Assign Security > Inherit from Parent Folder and Inherit From parent Group should be checked by default > Advanced Tab > Add/Remove Rights > Grant Access to Administrator.
  2. Logon to Management Console as ‘testuser’ > Administrator page is available > All other grayed out and you get same error as in 2.

To allow user to see the batch job history\ status only

  1. In CMC > Applications > Data Services Application > User Security > select ‘testuser’ > Assign Security > Advanced Tab > Add/Remove Rights > Grant View batch job history
                                               
  2. In CMC > Data Services > User Security > Grant View Access to ‘testuser’.
  3. Logon to Management Console as ‘testuser’ and you can search and view old job instances and job logs.

To allow user to execute or schedule the batch job 

  1. This requires ‘Manage batch job history’ right on Data services application since executing job requires modification to history.
  2. This requires Edit Objects right along with View Access to the repository object in CMC.
  3. This also requires View server group information right on the Data Services application otherwise the following error is thrown when executing or scheduling the job: [The user testuser does not have rights to view server group or Job Server information.]
  4. Assuming viewing batch job status is also granted along with execute\schedule.
  5. In CMC > Applications > Data Services Application > User Security > select ‘testuser’ > Assign Security > Advanced Tab > Add/Remove Rights : Rights granted are as follows:
  6. In CMC > Data Services > User Security > select ‘testuser’ > Assign Security > Advanced Tab > Add/Remove Rights > Grant Edit Objects Right in General Section.

  7. Logon to Management Console as ‘testuser’ and you can execute batch jobs, schedule jobs.

To allow user Designer Level access

In CMC > Applications > Data Services Application > User Security > select ‘testuser’ > Assign Security > Advanced Tab > Add/Remove Rights > Grant Access to Designer right. The user will need rights described in 6 in order to run jobs from Designer. 

Other Access

Other available rights for Data Services Management Application in CMC > Applications > Data Services Application > User Security > select ‘testuser’ > Assign Security > Advanced Tab > Add/Remove Rights - Access Server Configuration, Real-Time services,  adapters, web services, RFC.

To be able to see Administrator > Management section the easiest way would be to add the user to Administrators usergroup.

Scheduling to BOE

The BOE scheduler entry in CMC > Folders > is owned by the user specified in Management Console > Administrator > Management > CMS Connection. So ‘testuser’ may not need extra rights to view DataServices folder in CMC. If ‘testuser’ would logon to CMC to check the status of job from there, then it would need View rights to that folder. 

Related Content

Related SAP Notes/KBAs

SAP KBA: 1601652 What are the pre-defined Data Services groups

  • No labels