
CDC authorization objects and roles on Solution Manager

Authorization Objects 

Several authorization objects control the access to the different features of the Cross Database Comparison.

To access and work with the Comparison Object the following authorizations are needed:

  • Authorization object SM_CDC_OBJ, activities
    • 01 – Create
    • 02 – Change
    • 03 – Display
    • 06 – Delete
    • 07 – Activate/Generate (= generate extractor coding)
    • 36 – Extended Maintenance (= create comparison instances for a comparison object)

To access and work with the Comparison Instance the following authorizations are needed:

  • Authorization object SM_CDC_INS, activities
    • 01 – Create
    • 02 – Change
    • 03 – Display
    • 06 – Delete
    • 16 – Execute (= run the data comparison)
    • 35 – Output (= display the results of a comparison run)
    • 65 – Re-Organize (= delete the results of a comparison run)

To trigger the Extractor Function Module Generation in the managed system

  • Authorization object SM_CDC_OBJ, activity 
    • 07 – Activate, Generate

Extraction from remote database (ADBC connection)

  • Authorization Object S_DBCON, activity
    • 71 – Analyze

In addition to the above, access to a particular type of source system (SAP, Non-SAP) can also be restricted using the authorization fields CDC_S_TYPE and CDC_CONN (ADBC connection or RFC connection).

Roles

With Solution Manager 7.1 SP10 you can use preconfigured roles in order to establish a better segregation of duties. The typical CDC tasks are split across different user roles:

  • Development: The object modeler role SAP_CDC_OBJECT_MODELER can create/change/delete comparison objects to perform the modeling and generation, but is not allowed to create a comparison instance of it.
  • Administration: The instance creator role SAP_CDC_INSTANCE_CREATOR can display and use comparison objects in order to create/change/delete comparison instances, but cannot change the comparison object model.
  • Scheduling: The instance executer role SAP_CDC_INSTANCE_EXECUTER can execute and reorganize the comparison run, but can neither output the result nor change the comparison objects and instances.
  • Result Analysis: The instance analyzer role SAP_CDC_INSTANCE_ANALYSER can output the result (business data), but can neither execute the run nor change the comparison objects and instances.
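
The role split above can be checked against actual user authorizations. The following is an added example, not part of the original page or of SAP's tooling: it groups the SM_CDC_OBJ and SM_CDC_INS activities listed on this page into the four duties and reports users who combine more than one. The duty names, function names and sample rows are assumptions made for illustration.

```python
OBJ, INS = "SM_CDC_OBJ", "SM_CDC_INS"

# Duty -> (object, activity) pairs, taken from the activity lists and role
# descriptions on this page. Display (03) is shared by all duties and ignored.
DUTIES = {
    "modeling": {(OBJ, a) for a in ("01", "02", "06", "07")},
    "instance maintenance": {(OBJ, "36")} | {(INS, a) for a in ("01", "02", "06")},
    "execution": {(INS, "16"), (INS, "65")},
    "result analysis": {(INS, "35")},
}


def duties_by_user(rows):
    """Map each user to the sorted list of CDC duties their authorizations cover."""
    held = {}
    for user, obj, activity in rows:
        held.setdefault(user, set()).add((obj, activity))
    return {
        user: sorted(d for d, pairs in DUTIES.items() if pairs & auths)
        for user, auths in held.items()
    }


def sod_findings(rows):
    """Return only the users who combine more than one duty."""
    return {u: d for u, d in duties_by_user(rows).items() if len(d) > 1}


# Constructed sample rows (user, authorization object, activity); not real data.
SAMPLE = [
    ("MODELER1", OBJ, "01"), ("MODELER1", OBJ, "02"), ("MODELER1", OBJ, "07"),
    ("SCHED1", INS, "03"), ("SCHED1", INS, "16"), ("SCHED1", INS, "65"),
    ("POWER1", INS, "16"), ("POWER1", INS, "35"),
    ("DEV2", OBJ, "02"), ("DEV2", OBJ, "36"),
    ("VIEWER1", OBJ, "03"), ("VIEWER1", INS, "03"),
]

if __name__ == "__main__":
    for user, duties in sorted(sod_findings(SAMPLE).items()):
        print(f"{user}: combines {' + '.join(duties)}")
```

In the constructed sample, POWER1 can both run a comparison and read its results, and DEV2 can both change the object model and create instances from it; both are combinations the preconfigured roles keep apart.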

CDC authorizations in managed systems

The authorizations needed in the managed system depend on the source types used.

For source type ABAP - SAP ABAP System (using RFC to generated extractor), the following authorizations are needed to generate extractor function modules in the managed system:

  • Authorization object S_DEVELOP, activities 
    • 01 – Create
    • 02 – Change
    • 03 – Display
    • 06 – Delete
    • 07 – Activate/Generate
    • 16 – Execute
  • Authorization object S_RFCACL, activities 
    • 16 – Execute
  • Authorization object S_RFC, activities 
    • 16 – Execute

For source types ABAP - SAP ABAP System (using RFC to generated extractor) and ABDY - SAP ABAP System (using RFC to generic extractor), the following general authorizations are needed to execute comparison runs and to secure access to the required tables:

  • Authorization object S_TABU_DIS 
  • Authorization object S_RFC
  • Authorization object S_TCODE

The required authorizations are contained in role SAP_CDC_DATA_READER. 

For source type BIQY - Business Intelligence (MDX Query), the authorization to execute the following function modules is needed:

For data model creation (design time):

  • BAPI_CUBE_GETLIST
  • BAPI_MDPROVIDER_GET_DIMENSIONS
  • BAPI_MDPROVIDER_GET_MEASURES

To run comparisons: 

  • RSR_MDX_BXML_GET_INFO
  • RSR_MDX_BXML_GET_DATA

Whitelist to access files on an application server of the Solution Manager

If you want to compare data stored in files on an application server of the Solution Manager, for security reasons it is required that you define from where the CDC application is allowed to read data.

CDC uses the logical file name CDC_DATA_FILE defined in transaction FILE. This logical file name is shipped and refers to the logical file path CDC_FILE_PATH.

The logical path CDC_FILE_PATH is also shipped, but not yet assigned to physical paths. Assign one or more physical paths from where the CDC application is allowed to read data.

Procedure

  1. Start transaction FILE to maintain logical file path definitions.
  2. Mark logical file path “CDC_FILE_PATH” and choose Assignment of Physical Paths to Logical Path in the dialog structure.
  3. Enter one or multiple physical paths from where the CDC application is allowed to read data.

The example above shows the assignment of the physical path “/tmp” for a Unix-compatible system. The physical path names must contain the placeholder “<FILENAME>”. Please note that there might be a different syntax for other systems like “\tmp\<FILENAME>” for Windows systems. The assignment means that the CDC application is allowed to read files stored in the “/tmp” path of application servers of the Solution Manager. If you try to compare files from other physical paths, the CDC application fails with the error “Validation of file path and name failed” (DSWP_CDC822). It is also possible to assign further physical paths.

Please refer to the documentation of transaction FILE for more information about logical file and path name definition and the assignment of physical paths.
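
The allowlist idea behind the physical path assignment, as an added example that is not SAP's validation code and not part of the original page: a requested file is accepted only if it matches an assigned path with “<FILENAME>” replaced by the bare file name. The function name, the Unix-only handling, the treatment of subdirectories and the sample paths are assumptions made for illustration.

```python
import posixpath

PLACEHOLDER = "<FILENAME>"
ERROR = "Validation of file path and name failed"  # message text quoted on this page


def validate_path(requested, assigned_paths):
    """Return None if `requested` fits an assigned physical path, else ERROR."""
    # Reject relative paths and anything that changes under normalisation
    # ("..", "./", trailing or doubled slashes), so the comparison below is
    # done on the path exactly as it will be opened.
    if not requested.startswith("/") or posixpath.normpath(requested) != requested:
        return ERROR
    filename = posixpath.basename(requested)
    if not filename:
        return ERROR
    for template in assigned_paths:
        if template.count(PLACEHOLDER) != 1:
            continue  # assumption: an assignment without the placeholder never matches
        if template.replace(PLACEHOLDER, filename) == requested:
            return None
    return ERROR


# Constructed assignments for the logical path CDC_FILE_PATH (sample values).
ASSIGNED = ["/tmp/<FILENAME>", "/usr/sap/cdc/<FILENAME>"]

if __name__ == "__main__":
    for path in ("/tmp/orders.csv", "/usr/sap/cdc/a.csv",
                 "/tmp/../var/other.csv", "/var/other.csv", "/tmp/sub/orders.csv"):
        print(path, "->", validate_path(path, ASSIGNED) or "allowed")
```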
