SAP User Role CELONIS_EXTRACTION in Detail
The following describes in detail what the role contains and why the authorizations are necessary along with customisation options
Cross-application Authorization Objects
Authorization Check for RFC Access - So the Extractor can remotely access the functions in the RFC module
Object | Field | Activities/Values |
|---|---|---|
S_RFC | ACTVT | 16 |
S_RFC | RFC_NAME | /CELONIS/46C_EXTRACTION, /CELONIS/CL_EXTRACTION, /CELONIS/EXTRACTION, RFC1, SDIFRUNTIME, SDTX, SRFC, SYST, SYSU |
S_RFC | RFC_TYPE | FUGR |
Basis: Administration
Background Processing: Operations on Background Jobs - So the RFC module can immediately run the extractions as background jobs
Object | Field | Activities/Values |
|---|---|---|
S_BTCH_JOB | JOBACTION | RELE |
S_BTCH_JOB | JOBGROUP | * |
Administration Functions in Change and Transport System - So the RFC module can list directory contents
No longer necessary in RFC Module versions >= 1.8.0
Object | Field | Activities/Values |
|---|---|---|
S_CTS_ADMI | CTS_ADMFCT | EPS1 |
Authorization for file access - So the RFC module can write, read, and delete files in the physical path defined for the logical path 'Z_CELONIS_TARGET'
Object | Field | Activities/Values |
|---|---|---|
S_DATASET | ACTVT | 06, 33, 34 |
S_DATASET | FILENAME | * |
S_DATASET | PROGRAM | /CELONIS/* |
Note
You can replace the '*' in 'FILENAME' with the physical path you have chosen for Z_CELONIS_TARGET, e.g. /<YOUR_PATH>/*
Authorization to Execute Logical Operating System Commands - So the RFC module can compress data it extracts
Object | Field | Activities/Values |
|---|---|---|
S_LOG_COM | COMMAND | Z_CELO_GZIP, Z_CELO_SAPCAR |
S_LOG_COM | HOST | * |
S_LOG_COM | OPSYSTEM | * |
Note
Unnecessary if using 'Uncompressed' or 'Native SAP Compression' in the EMS Data Connection
Table Maintenance (via standard tools such as SM30) - So the RFC module can extract data from tables
Object | Field | Activities/Values |
|---|---|---|
S_TABU_DIS | ACTVT | 03 |
S_TABU_DIS | DICBERCLS | * |
Note
You can replace the '*' in 'DICBERCLS' with the authorisation group of tables you will be extracting.
Alternatively, If you need to control access to individual tables instead to groups of tables, you can use authorisation object S_TABU_NAM.
Important: When using the Real-Time Extractor, the Changelog tables (ZCL...) should also be whitelisted.