Question:
Can anyone help me to set up the CPIC user as described below? We're using SAP 4.6C.
Development server - should allow a CPIC user to create and execute reports. They should only be able to create and execute reports that begin with ZCPIC*. Can this be done?
Production server - should allow a CPIC user to execute existing reports that begin with ZCPIC*. They should NOT be able to create anything new in production. Is that possible?
Thanks in advance
Bob
Answer:
...just ask those pesky abapers to behave. That should work
Answer:
Well said! There are very few substitutes for that.
PS: Is the ABAP installed from an RFC destination outside of the transport chains and then run in DEV?
Tarr
Answer:
I would also like to know how we should restrict the CPIC user for execution only.
Answer:
> Well said! There are very few substitutes for that.
> PS: Is the ABAP installed from an RFC destination outside of the transport chains and then run in DEV?
> Tarr
Thanks for the reply. The ABAP is created in an ETL tool and this loads the program into SAP Dev using a CPIC logon account. We'll then manually transport the programs from DEV to QA to PROD. When the programs are in QA or PRD we need to stop the ETL developers from making any changes via the CPIC user. So what I need to know is can we restrict the access of the CPIC user to execute only in the QA and PRD environments.
Phew, I need a lie down after that one
Thanks
Bob
Answer:
> ...just ask those pesky abapers to behave. That should work
If only it were so simple. They're not ABAP programmers, they're ETL developers!
Bob
Answer:
You should not be using this function Bob...
You can restrict via the auths of the CPIC user (which you should not be using either) and use a different FM in QA and PROD (i.e. a different program or path taken by the program when it discovers that it is running in QA / PROD and not in DEV).
Tarr
Answer:
> You should not be using this function Bob...
Unfortunately, it is required by the ETL tool (Datastage). It has been designed to use a "communication" type user when it talks to SAP.
> You can restrict via the auths of the CPIC user (which you should not be using either) and use a different FM in QA and PROD (i.e. a different program or path taken by the program when it discovers that it is running in QA / PROD and not in DEV).
Datastage has an inbuilt scheduler and it will control when the ABAP programs are executed. Therefore we need to restrict the CPIC user to read only in QA and PRD. I can't find any roles that allow me to restrict the CPIC user. This is very worrying.
Bob
Answer:
If the ETL tool (Datastage) has installed a function module in Development to "create" programs, there is no control you can put on any ID to stop the creation of reports in DEV, QAS, or PRD regardless of the system setting unless the ETL tool provides the security. If the ETL tool (Datastage) is using RFC_ABAP_INSTALL_AND_RUN to create the programs then yes, you can control the creation of the reports on the CPIC ID and the system.
But frankly if a tool is creating programs externally and installing them in SAP I would find another tool.
Also the tool does NOT need a CPIC ID. Any ID can be used in an RFC destination. The problem is with leaving it hanging around for someone to use in dialog mode unless you force them to enter the password.
Answer:
Maybe the tool has its own function module installed into R/3 to get the install and run feature going for integration? Maybe this function is (erroneously) checking that the user type is "communication".
Hey Bob, are the reports generated and submitted by the loaded programs or are they creating jobs too?
Tarr
Answer:
Thanks for the reply John.
> If the ETL tool (Datastage) has installed a function module in Development to "create" programs, there is no control you can put on any ID to stop the creation of reports in DEV, QAS, or PRD regardless of the system setting...
A function module was installed on our SAP development box as part of the install process.
> But frankly if a tool is creating programs externally and installing them in SAP I would find another tool. ...
If only I were so important. Unfortunately the decision to use Datastage came from high above and the project is too far down the line to change now.
> Also the tool does NOT need a CPIC ID. Any ID can be used in an RFC destination. The problem is with leaving it hanging around for someone to use in dialog mode unless you force them to enter the password.
Datastage uses CPIC as the preferred protocol when extracting data and it does require a CPIC user to do this.
I've come to the conclusion that we'll have to amend the function module to check the system ID before allowing programs to be uploaded.
Thanks Bob
Answer:
Thanks for the reply Tarr.
> Maybe the tool has its own function module installed into R/3 to get the install and run feature going for integration?
You're right! It does have its own function module on SAP.
> Hey Bob, are the reports generated and submitted by the loaded programs or are they creating jobs too?
> Tarr
The programs are generated and loaded into SAP by Datastage. There are no SAP jobs created, just programs. Jobs are created and scheduled in Datastage and these execute on the Datastage server not on SAP.
I've just replied to John (above) and think that the only way to get control of the process is to change the SAP function module to check the system ID and only allow uploads on the development box.
Cheers Bob
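
The guard proposed in the last two posts, sketched as an added ABAP example in 4.6C-compatible syntax; it is not Datastage's function module and not code from anyone in the thread. The system ID 'DEV', the form name, the sample program name and the reason codes are assumptions; the same checks would sit at the top of whatever function module performs the upload.

```abap
REPORT zcpic_upload_guard.

* Added illustration: names and values here are assumptions.
CONSTANTS: c_dev_sysid  LIKE sy-sysid VALUE 'DEV',    " assumed SID of the DEV box
           c_pattern(6) TYPE c        VALUE 'ZCPIC*'. " naming rule from the question

DATA: g_rc LIKE sy-subrc.

START-OF-SELECTION.
* Constructed sample call; the real caller would be the upload function module.
  PERFORM check_upload_allowed USING 'ZCPIC_EXTRACT_01' CHANGING g_rc.
  IF g_rc = 0.
    WRITE: / 'Upload permitted'.
  ELSE.
    WRITE: / 'Upload refused, reason code', g_rc.
  ENDIF.

FORM check_upload_allowed USING    p_progname TYPE c
                          CHANGING p_rc       LIKE sy-subrc.
  DATA: l_category LIKE t000-cccategory.
  p_rc = 0.

* 1. Uploads are accepted on the development system only.
  IF sy-sysid <> c_dev_sysid.
    p_rc = 1. EXIT.
  ENDIF.

* 2. Second line of defence: refuse if the logon client is flagged
*    productive (T000-CCCATEGORY = 'P'), even if the SID check is bypassed.
  SELECT SINGLE cccategory FROM t000 INTO l_category
         WHERE mandt = sy-mandt.
  IF sy-subrc <> 0 OR l_category = 'P'.
    p_rc = 2. EXIT.
  ENDIF.

* 3. Only programs inside the agreed namespace may be written.
  IF p_progname NP c_pattern.
    p_rc = 3. EXIT.
  ENDIF.

* 4. The calling (CPIC) user must hold create authority for this program.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' DUMMY
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD p_progname
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '01'.
  IF sy-subrc <> 0. p_rc = 4. ENDIF.
ENDFORM.
```

Because step 4 checks the logged-on user, the guard only has teeth in QA and PRD if the CPIC user's roles there omit S_DEVELOP create and change activities.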