Authorization roles
Summary
There are four types of roles used by the Palantir Foundry Connector 2.0 for SAP ("Connector").
- Service roles: These roles are required for the Connector to run. Do not modify these roles.
  - /PALANTIR/SERVICE_SLT: Palantir Service Role for SLT
  - /PALANTIR/SERVICE_SLT_740: Palantir Service Role for SAP_BASIS 7.4 (the technical component version, applicable to both SAP NetWeaver and SAP S/4HANA systems)
  - /PALANTIR/SERVICE_USER: Palantir Service Role
- Content roles: These roles are required for data to be extracted from SAP systems. These roles can be copied and modified according to business requirements.
  - /PALANTIR/CONTENT_BEX_ALL: BEx Access Roles
  - /PALANTIR/CONTENT_DM_ALL: Data Model Access Role
  - /PALANTIR/CONTENT_EXT_ALL: Extractor Content Access
  - /PALANTIR/CONTENT_FUNCTION_ALL: Function Access Roles
  - /PALANTIR/CONTENT_INFOPROV_ALL: InfoProvider Content Access
  - /PALANTIR/CONTENT_SLT_ALL: SLT Access Roles
  - /PALANTIR/CONTENT_TABLE_ALL: Table Content Access
  - /PALANTIR/CONTENT_TCODE_ALL: Transaction Code Content Access
  - /PALANTIR/CONTENT_HANAVIEW_ALL: HANA Information Views Content Access
  - /PALANTIR/CONTENT_CDS_ALL: ABAP CDS Views Content Access
- Writeback roles: These roles are required if writeback from Foundry to the SAP system is enabled.
  - /PALANTIR/OAUTH_CLIENT: Palantir Foundry OAuth 2.0 Client Role
- Monitoring and debugging roles: These roles are required to expose the SAP system information to Foundry that enables remote monitoring.
  - /PALANTIR/MONITORING: Monitoring
  - /PALANTIR/DEBUG_USER: Debug User Access
Service roles
- /PALANTIR/SERVICE_USER: This is the basic role for a user to run the Connector services. This role is checked for every request to the Connector. Authorization objects in this role are as follows:
  - /PALAU/SRV: Palantir Service Authorization Object with activities 03 (Display) and 16 (Execute).
  - S_BTCH_JOB (Background Processing: Operations on Background Jobs): The Connector runs background jobs (for example, paging or housekeeping operations); therefore, this authorization object is needed.
  - S_TCODE (Transaction Code Check at Transaction Start): Only for the SU53 and ST22 transactions (Authorization Check Tool and Runtime Errors in SAP), required for debugging and proper logging.
  - S_RFC_ADM (Administration for RFC Destination): Used with activities 36 (check) and 39 (extended check) to establish whether the RFC connection is live and the authorization test passes.
  - S_RFC (Authorization Check for RFC Access): Used to run remote function calls in SLT and remote agent scenarios with activity 16 (Execute).
  - /SDF/E2E (Authorization for end-to-end diagnostics): Used to run a trace of the extraction process from Foundry with activity 03 (Display).
  - S_ADMI_FCD (System Authorizations): Used to run checks and traces with PADM (process administration using transactions SM04 and SM50), ST0R (analyze traces) and ST22 (cross-client dump analysis).
  - S_BTCH_JOB (Background Processing: Operations on Background Jobs): Used to run Connector extractions as background jobs with all activities except MODI (Modify Other User's Jobs).
  - S_DATASET (Authorization for file access): Used to generate and access trace files via SAT in SAP with activities 33 (Read), A6 (Read with filter) and A7 (Write with filter).
  - S_TABU_NAM (Table Access via Generic Standard Tools): Used to access /PAL*, DMC* and IUUC* tables with activity 03 (Display).
  - S_TABU_DIS (Table Maintenance via standard tools such as SM30): Used to access tables with activity 03 (Display).
The following roles are only required if you are connecting to an SAP Landscape Transformation (SLT) Replication Server:
- /PALANTIR/SERVICE_SLT: This role is required to run the SLT APIs. Authorization objects in this role are as follows:
  - S_DMIS (Authority object for SAP SLO Data Migration Server): Restricted to activity 03 (Display) to check the API endpoints and call them.
- /PALANTIR/SERVICE_SLT_740: If SAP SLT is running on SAP_BASIS 7.4 or later, the following additional authorization objects are required:
  - S_DMC_S_R (MWB: Reading / writing authorization in sender / receiver): Required to access the SLT queue for Foundry.
  - S_BTCH_ADM (Background Processing: Background Administrator): Manages background jobs for the Connector on behalf of SAP SLT, such as replication object definitions, replication process objects, and starting replication to the SLT queue.
  - S_DMIS (Authority object for SAP SLO Data Migration Server): Restricted to activity 03 (Display) to check the API endpoints and call them.
  - S_DMIS_MOM (Authorizations for MWB / Migration Object Modeler)
Content roles
These roles are included as examples. Adjust the content of the authorization profiles by copying these roles and restricting access to the desired objects in your system.
Roles for Connector
- /PALANTIR/CONTENT_TABLE_ALL: This role is required in order to extract data from database tables and views.
  - /PALAU/TAB: Palantir Table Authorization Object. All tables are allowed by default with a * wildcard.
- /PALANTIR/CONTENT_DM_ALL: This role is required in order to extract the data model from database tables.
  - /PALAU/DMO: Palantir Data Model Authorization Object. All tables are allowed by default with a * wildcard.
- /PALANTIR/CONTENT_FUNCTION_ALL: This role is required in order to run RFC functions on SAP systems. Additional authorization may be required depending on the business function used.
  - /PALAU/FUN: Palantir Function Authorization Object. All functions are allowed by default with a * wildcard.
- /PALANTIR/CONTENT_TCODE_ALL: This role is required in order to run transaction codes (ALV SE38 reports) on SAP systems. Additional authorization may be required depending on the business function used.
  - /PALAU/TCO: Palantir Tcode Authorization Object. All tcodes are allowed by default with a * wildcard.
- /PALANTIR/CONTENT_HANAVIEW_ALL: This role is required in order to extract data from HANA Information Views.
  - /PALAU/HAN: Palantir HANA Authorization Object. All HANA Information Views are allowed by default with a * wildcard.
- /PALANTIR/CONTENT_CDS_ALL: This role is required in order to extract data from ABAP CDS Views.
  - /PALAU/CDS: Palantir CDS Authorization Object. All CDS Views are allowed by default with a * wildcard.
The following roles are only required if you are connecting to an SAP Business Warehouse (BW) Server:
- /PALANTIR/CONTENT_BEX_ALL: This role is required in order to extract data from SAP BW (Business Warehouse) BEx queries.
  - /PALAU/BEX: Palantir BEx Authorization Object. All BEx queries are allowed by default with a * wildcard.
- /PALANTIR/CONTENT_EXT_ALL: This role is required in order to extract data from SAP BW (Business Warehouse) Extractors (ODP enabled).
  - /PALAU/EXT: Palantir Extractor Authorization Object. All ODP-enabled extractors are allowed by default with a * wildcard.
- /PALANTIR/CONTENT_INFOPROV_ALL: This role is required in order to extract data from SAP BW (Business Warehouse) InfoProviders.
  - /PALAU/INF: Palantir InfoProvider Authorization Object. All InfoProviders are allowed by default with a * wildcard.
  - S_RS_AUTH (BI Analysis Authorizations in Role): All analysis authorizations in BW systems. Adjust accordingly.
  - S_RS_COMP (Business Explorer - Components): All BEx object authorizations in BW systems. Adjust accordingly.
  - S_RS_COMP1 (Business Explorer - Components: Enhancements to the Owner): All BEx object authorizations in BW systems. Adjust accordingly.
The following roles are only required if you are connecting to an SAP Landscape Transformation (SLT) Replication Server:
- /PALANTIR/CONTENT_SLT_ALL: This role is required in order to extract data from SLT queues that replicate tables from the connected system to SAP SLT.
  - /PALAU/SLT: Palantir SLT Authorization Object. All tables are allowed by default with a * wildcard.
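The page documents two things an administrator should verify after roles are imported: the service role /PALANTIR/SERVICE_USER must keep exactly the objects and activities listed above (including the "all activities except MODI" rule on S_BTCH_JOB), and any copy of a content role must have its /PALAU/* object narrowed away from the delivered * wildcard. The following Python script is an added example, not part of the Connector documentation or Palantir's code, that performs both checks over an exported role authorization list. It assumes a CSV export with the columns of the SAP role authorization table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the sample rows, the Z_FOUNDRY_* role names and the TABNAME field label on the Palantir object are constructed for illustration.

```python
"""Audit an exported SAP role authorization list against the Connector role baseline.

Added example; not part of the Connector documentation. Assumes a CSV export with
the columns of the SAP role authorization table AGR_1251 (AGR_NAME, OBJECT, FIELD,
LOW, HIGH). Sample rows, Z_FOUNDRY_* role names and the TABNAME field label are
constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. Service role: S_TABU_DIS carries 02 (Change) next to the
# documented 03, S_BTCH_JOB carries MODI, and three documented objects are absent.
# Content roles: the delivered template and one copy keep the '*' wildcard; the HR
# copy is restricted to specific table names and patterns.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
/PALANTIR/SERVICE_USER,/PALAU/SRV,ACTVT,03,
/PALANTIR/SERVICE_USER,/PALAU/SRV,ACTVT,16,
/PALANTIR/SERVICE_USER,S_RFC,ACTVT,16,
/PALANTIR/SERVICE_USER,S_TABU_NAM,ACTVT,03,
/PALANTIR/SERVICE_USER,S_TABU_NAM,TABLE,/PAL*,
/PALANTIR/SERVICE_USER,S_TABU_DIS,ACTVT,02,
/PALANTIR/SERVICE_USER,S_TABU_DIS,ACTVT,03,
/PALANTIR/SERVICE_USER,S_BTCH_JOB,JOBACTION,RELE,
/PALANTIR/SERVICE_USER,S_BTCH_JOB,JOBACTION,MODI,
/PALANTIR/CONTENT_TABLE_ALL,/PALAU/TAB,TABNAME,*,
Z_FOUNDRY_TABLES_FIN,/PALAU/TAB,TABNAME,*,
Z_FOUNDRY_TABLES_HR,/PALAU/TAB,TABNAME,PA0*,
Z_FOUNDRY_TABLES_HR,/PALAU/TAB,TABNAME,HRP1000,
"""

# Activities this page documents for /PALANTIR/SERVICE_USER, per authorization object.
SERVICE_USER_ACTIVITIES = {
    "/PALAU/SRV": {"03", "16"},
    "S_RFC_ADM": {"36", "39"},
    "S_RFC": {"16"},
    "/SDF/E2E": {"03"},
    "S_DATASET": {"33", "A6", "A7"},
    "S_TABU_NAM": {"03"},
    "S_TABU_DIS": {"03"},
}
# S_BTCH_JOB is documented as "all activities except MODI"; JOBACTION is the
# standard field of that object that carries the activity.
SERVICE_USER_FORBIDDEN = {"S_BTCH_JOB": ("JOBACTION", {"MODI"})}


def load_export(text):
    """Parse the CSV into {role: {object: {field: set(values)}}}.

    A LOW/HIGH range is kept as one 'LOW-HIGH' token, so it never matches a single
    documented activity and surfaces as a finding for manual review.
    """
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for row in csv.DictReader(io.StringIO(text)):
        low = row["LOW"].strip()
        high = (row.get("HIGH") or "").strip()
        roles[row["AGR_NAME"]][row["OBJECT"]][row["FIELD"]].add(f"{low}-{high}" if high else low)
    return roles


def check_service_role(roles, role="/PALANTIR/SERVICE_USER"):
    """Report deviations of a delivered service role from the documented baseline."""
    findings = []
    objects = roles.get(role, {})
    for obj, allowed in SERVICE_USER_ACTIVITIES.items():
        if obj not in objects:
            findings.append(f"{role}: documented object {obj} is missing")
            continue
        extra = objects[obj].get("ACTVT", set()) - allowed
        if extra:
            findings.append(f"{role}: {obj} grants undocumented activities {sorted(extra)}")
    for obj, (field, forbidden) in SERVICE_USER_FORBIDDEN.items():
        hit = objects.get(obj, {}).get(field, set()) & forbidden
        if hit:
            findings.append(f"{role}: {obj} grants excluded {field} values {sorted(hit)}")
    return findings


def check_content_roles(roles):
    """Flag content roles whose /PALAU/* objects still carry the full '*' wildcard.

    Only the bare '*' is flagged; narrower patterns such as 'PA0*' are left to the
    reviewer, since the page only warns about the delivered all-objects default.
    """
    findings = []
    for role, objects in roles.items():
        for obj, fields in objects.items():
            if not obj.startswith("/PALAU/"):
                continue
            for field, values in fields.items():
                if field != "ACTVT" and "*" in values:
                    findings.append(f"{role}: {obj} field {field} is unrestricted ('*')")
    return findings


if __name__ == "__main__":
    parsed = load_export(SAMPLE_EXPORT)
    for finding in check_service_role(parsed) + check_content_roles(parsed):
        print(finding)
```

Run against the constructed sample, the script reports the three documented objects that are absent from the service role, the undocumented 02 (Change) activity on S_TABU_DIS, the excluded MODI value on S_BTCH_JOB, and the two roles whose /PALAU/TAB object is still wide open; the restricted HR copy produces no finding. The delivered /PALANTIR/CONTENT_*_ALL templates will always appear in the wildcard report, which is expected: the finding that matters is a copy of such a role that was assigned to users without being narrowed.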
Writeback roles
- /PALANTIR/OAUTH_CLIENT: This role is required when writeback from Foundry to the SAP system is enabled. It provides the required authorization objects for the OAuth 2.0 configuration.
  - S_SERVICE: Check at Start of External Services. These services are restricted to /PALANTIR/* services.
  - S_OA2C_ADM: OAuth 2.0 Client Configuration
  - S_OA2C_USE: OAuth 2.0 Client Use
  - S_SCOPE: OAuth 2.0 Scope. This role is limited to the /PALANTIR/SRV_0001 scope, which is for Palantir Foundry Writeback using SAP Functions.
Roles for monitoring and debugging
- /PALANTIR/MONITORING: This role is required to enable remote monitoring of the SAP system via the Connector. It exposes a wide range of system information such as Runtime Error Analysis (ST22), SAP System Logs (SM21), SAP Background Job Monitoring (SM37), Authorization Analysis (SU53), Internet Communication Manager (ICM), System Resource Monitoring (ST02, ST06), SAP SLT Cockpit (LTRC) and SAP SLT Operational Delta Queue Monitoring (ODQMON).
- /PALANTIR/DEBUG_USER: This role is required for Palantir Support in case of an incident, when developers may need to debug the issue in the SAP system. It gathers all authorization objects required by the Connector development team.
Remote Agent roles
Remote agent roles are identical to the respective roles for the primary Connector. These roles can be maintained in the remote system where the Connector Remote Agent is installed.
Roles for SAP_BASIS 7.0 and above
- /PALANTIR/CONTENT_RBEX_ALL: Remote BEx Content Access
- /PALANTIR/CONTENT_RFUNCT_ALL: Remote Function Content Access
- /PALANTIR/CONTENT_RTCODE_ALL: Remote Transaction Codes Content Access
- /PALANTIR/CONTENT_RINFOPRV_ALL: Remote InfoProvider Content Access
- /PALANTIR/CONTENT_RTABLE_ALL: Remote Table Content Access
- /PALANTIR/SERVICE_USER: Palantir Service Role
Roles for basis releases 46C, 620 or 640
- /PALAGT47/CONTENT_RTABLE_ALL: Remote Table Content Access
- /PALAGT47/SERVICE_USER: Palantir Service Role