Limited access in CPS

Former Member
0 Kudos

Hi,

Please let me know how we can limit access to a certain set of people to run only specific jobs and have only view access (non-SAP jobs) via CPS.

We have a separate team which manages non-SAP jobs (NT/database jobs), and they have access to create/edit/force run/modify jobs as well as the process server, which an admin can do.

So we want to restrict these users and assign roles in which they can have only read access to jobs, logs and process servers, and force run of jobs as a separate role.

Regards,

Shwetha Houde

Accepted Solutions (1)

nanda_kumar21
Active Contributor
0 Kudos

You have to group the job definitions into partitions and then create roles based on the partitions.

Create the role in CPS, then create a role of the same name in NetWeaver UME, add the required actions to the role, and assign the NetWeaver role to the user.

Thanks

Nanda

Former Member
0 Kudos

Thanks Nanda for the quick reply. But in my CPS system, I have only one partition, GLOBAL, to which all jobs (SAP and non-SAP) have been assigned. Is it possible to set role authorization to the GLOBAL partition?

If not, then how can we create a new partition and assign the jobs to it for role authorization?

Regards,

Shwetha Houde

nanda_kumar21
Active Contributor
0 Kudos

Yes, you can.

But remember, they can see all the jobs/events/job chains, all the objects within the GLOBAL partition.

Thanks

Nanda

Former Member
0 Kudos

That's OK if the jobs/events/job chains are visible, but they shouldn't be able to cancel/edit jobs, only the view option and force run.

Regards,

Shwetha Houde

h_carpenter
Active Contributor
0 Kudos

Hi Shwetha Houde,

You control what a user can do with a job by specifying privileges on the job definition, queue, and process server of the job.

For example, you could allow role1 to submit SAP job definition SAP_AbapRun on SAP System PR1 by giving the following privileges:

| Object Type | Object | Privilege |
|---|---|---|
| Job Definition | GLOBAL.SAP_AbapRun | Submit |
| Process Server | GLOBAL.PR1_ProcessServer | View |
| Queue | GLOBAL.PR1_Queue | JobAdministrator |

You could allow role2 to view SAP jobs of job definition SAP_AbapRun on SAP System PR1 by giving the following privileges:

| Object Type | Object | Privilege |
|---|---|---|
| Job Definition | GLOBAL.SAP_AbapRun | ViewJobs |
| Process Server | GLOBAL.PR1_ProcessServer | View |
| Queue | GLOBAL.PR1_Queue | View |

If you had divided your environments into separate partitions, you could simply grant these privileges on all corresponding objects of a partition on the role-level. Here, with one partition, you must navigate to each object and grant them specifically.

You can script it as well, from the documentation:

Granting Submit privileges on the job definition ProcessPartnerFile to user jdoe.

{
    // Get the job definition and user
    JobDefinition jDefinition = jcsSession.getJobDefinitionByName("ProcessPartnerFile");
    Subject subject = jcsSession.getSubjectByTypeName(SubjectType.User, "jdoe");

    // Create an empty grant
    SubjectObjectPrivilegeGrant sopgrant = jDefinition.createSubjectObjectPrivilegeGrant();

    // Set the grantee and the rank
    sopgrant.setGranteeSubject(subject);
    sopgrant.setGrantedRank(sopgrant.getAllRanks()[3]);

    // Save the changes to the database
    jcsSession.persist();
}

Message was edited by: h. Carpenter - Added the view jobs privileges.

Answers (1)

0 Kudos

Hello - We have a similar situation - any help is appreciated.

We have created a Partition called BODS with a BODS_Queue. We need to give access to this Partition and Queue to a group of users that will be creating and running BODS jobs here only. They cannot have any access to the GLOBAL Partition where we run all other SAP Jobs.

Should a new Role be created in UME?

SAP CPS version is M33.110-76019


nanda_kumar21
Active Contributor
0 Kudos

Yes.

  1. Create a role in Java UME.
  2. Create a view-only role for the partition from the context menu and give it the same name as the UME role.
  3. Edit the CPS role and provide access to create job definitions and other privileges on other objects of the BODS partition as you wish.

Thanks

Nanda