on 10-27-2014 10:20 AM
Hi,
Please let me know how we can limit access to certain set of people to run only specific jobs and have only view access
(Non SAPp Jobs ) via CPS
We have separate team which manages non-SAP jobs (NT/Database jobs) , and
they have access to create/edit/force run/modify jobs as well as process
server which admin can do.
So we want to restrict these users and assign the roles in which they can have
only read access to jobs , logs , process servers and force run of job as
separate role .
Regards,
Shwetha Houde
You have to group the job definitions into partitions and then create roles based on the partitions.
Create the role in CPS, then create a role of same name in NetWeaver UME, add the required actions to the role, assign the netweaver role to the user.
Thanks
Nanda
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks Nanda for the quick reply, But in my CPS system, I have only one PARTITION - GLOBAL .
to which ALL jobs (SAP & Non SAP) have been assigned . Is it possible to set role authorization to GLOBAL Partition ?
If not, then how can we create New Partition and assign the jobs to it for role authorization.
Regards,
Shwetha Houde
Hi Shwetha Houde,
You control what a user can do with a job by specifying privileges on the job definition, queue, and process server of the job.
For example, you could allow role1 to submit SAP job definition SAP_AbapRun on SAP System PR1 by giving the following privileges:
|Object Type|Object|Privielege
|Job Definition|GLOBAL.SAP_AbapRun|Submit
|Process Server|GLOBAL.PR1_ProcessServer|View
|Queue|GLOBAL.PR1_Queue|JobAdministrator
You could allow role2 to view SAP jobs of job definition SAP_AbapRun on SAP System PR1 by giving the following privileges:
|Object Type|Object|Privielege
|Job Definition|GLOBAL.SAP_AbapRun|ViewJobs
|Process Server|GLOBAL.PR1_ProcessServer|View
|Queue|GLOBAL.PR1_Queue|View
If you had divided your environments into separate partitions, you could simply grant these privileges on all corresponding objects of a partition on the role-level. Here, with one partition, you must navigate to each object and grant them specifically.
You can script it as well, from the documentation:
Granting Submit privileges on the job definition ProcessPartnerFile to user jdoe.
{
//Get the job definition and user
JobDefinition jDefinition = jcsSession.getJobDefinitionByName("ProcessPartnerFile");
Subject subject = jcsSession.getSubjectByTypeName(SubjectType.User,"jdoe");
//Create an empty grant
SubjectObjectPrivilegeGrant sopgrant = jDefinition.createSubjectObjectPrivilegeGrant();
//Set the grantee and the rank
sopgrant.setGranteeSubject(subject);
sopgrant.setGrantedRank(sopgrant.getAllRanks()[3]);
//Save the changes to the database
jcsSession.persist();
}
Message was edited by: h. Carpenter - Added the view jobs privileges.
Hello - We have a similar situation - any help is appreciated.
We have created a Partition called BODS with a BODS_Queue. We need to give access to this
Partition and Queue to a group of users that will be creating and running BODS jobs here only.
They cannot have any access to the GLOBAL Partition where we run all other SAP Jobs.
Should a new Role be created in UME?
SAP CPS version is M33.110-76019
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
82 | |
10 | |
10 | |
9 | |
6 | |
6 | |
5 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.