Data Services user and rights management – step by step instructions
Data Services uses the Central Management Server (CMS) for user and rights management. In a stand-alone DS environment, the same functionality is supplied by the Information Platform Services (IPS). Setting up user security is a rather cumbersome process. The procedure for granting access to a DS developer consists of four steps:
- Create the user
- Grant access to the DS Designer application
- Grant access to one or more (or all) repositories
- Allow automatic retrieving of the DS repository password from the CMS
1. Creating the user
By default, the DS installation program does not create any user accounts. Use the “Users and Groups” management area of the CMC to create users.
Figure 1: User List
Right click on the “User List” entry, select New > “New User” and specify the required details.
Figure 2: Create New User
Select the “Create & Close” button to finalize this step.
2. Granting access to DS Designer
User name and password are entered in the DS Designer Repository Logon window.
Figure 3: DS Repository logon
2.1. User management
Unfortunately, the newly created user only has a limited number of access rights by default. More specifically, authorization to run DS Designer is not granted automatically.
When trying to start the application with this user and password, access is denied:
Figure 4: Access Denied
Access can be granted to an individual user in the Applications area of the CMC. Right-click “Data Services Application” and select “User Security”.
Figure 5: Applications area in CMC
Select the “Add Principals” button:
Figure 6: User security
Select the user from the “User List” in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel.
Figure 7: Add Principals
Select the Advanced tab and then the “Add/Remove Rights” link.
Figure 8: Assign Security
Grant access to Designer and select OK.
Figure 9: Add/remove Rights
2.2. Group management
As mentioned above, the DS installation program does not create any default user accounts. But it does create several default group accounts. One of these groups is called “Data Services Designer”. Members of this group automatically have access to the DS Designer.
After creating a new user, assign it to this group account. That grants the user access to DS Designer, the same result as with the explicit user-level grant, but achieved in a much simpler way.
Return to the “Users and Groups” management area of the CMC. Right-click on the user and select “Join Group”.
Figure 10: Users and Groups
Select the group from the “Group List” in the “Available groups” panel and select the “>” button to move it to the “Destination Group(s)” panel and hit OK.
Figure 11: Join Group
3. Granting access to the repositories
When an authorized user connects to the DS Designer application, the following error message is displayed:
Figure 12: No repositories are associated with the user
That is because a user in the “Data Services Designer Users” group has no default access to any of the DS repositories:
Figure 13: Access control list: No access by default
If a user needs access to a given repository, that access has to be explicitly granted to him.
Navigate to the “Data Services” area in the CMC. Right-click on the name of the repository and select “User Security”.
Figure 14: Data Services
The “User Security” dialog box appears and displays the access control list for the repository. The access control list specifies the users and groups that are granted or denied rights to the repository.
Figure 15: User Security
Select the “Add Principals” button. Then select the users or groups from the “User List” or “Group List” respectively in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel. Finally, select “Add and Assign Security”.
Figure 16: Add principals
Select the access level to be granted to the user or group:
- To grant read-only access to the repository, select “View”.
- To grant full read and write access to the repository, select “Full Control”.
- To deny all access to the repository, select “No Access”.
Select the “>” button to move it from the “Available Access Levels” to the “Assigned Access Levels” panel. And hit OK.
- Grant View access to every individual developer (or to the “Data Services Designer Users” group or to a special dedicated group, for that matter) at the level of the Repositories folder. Make sure that, when using the default group for this, it comes with the default settings. If it doesn’t, simply reset security settings (on object repositories and on all children and descendants of object repositories) on the default group before attempting this operation.
- Grant “Full Control” access to every individual developer for his own repository.
When logging in to DS, developers see the full list of repositories they are granted access to. A value of “No” in the second column means full access, “Yes” means read-only.
Figure 18: Typical DS Designer logon screen
Don’t make the list too long. The logon screen is not resizable. And scrolling down may become very tedious!
4. Retrieving the DS repository password from the CMS
The user can now connect to the repositories from within DS Designer. When starting the application, the user is prompted, as an extra security feature, for the (database) password of the repository:
Figure 19: Repository password
If this extra check is not wanted, it can be explicitly removed.
Return to the “User Security” dialog box that displays the access control list for the repository. Select the User, then the “Assign Security” button.
In the “Assign Security” dialog box, select the Advanced tab and then the “Add/Remove Rights” link.
Figure 20: Assign Security
Grant both “Allow user to retrieve password” and “Allow user to retrieve password that user owns” privileges and hit OK.
Figure 21: Add/remove Rights
DS Designer will not prompt for a database password anymore when the user tries to connect to this repository.
Note: By applying the same method at the level of the Repositories folder in the “Data Services” area in the CMC, this extra check will be removed from all repositories accessible by this user at once.
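An added example, not from the original post or from SAP: a small Python check that compares a hand-typed listing of the "User Security" dialogs with the layout described above, and shows how far a folder-level grant of the two password rights reaches. The user names, repository names, owner mapping and row format are hypothetical, and the grant logic follows only the behaviour described in this post.

```python
"""Lint a repository ACL listing against the layout described in this post."""
FOLDER = "Repositories"  # folder level in the CMC "Data Services" area
PW_RIGHTS = {"Allow user to retrieve password",
             "Allow user to retrieve password that user owns"}

# Constructed sample data, typed in by hand from the "User Security" dialogs.
# Principal names, repository names and the owner mapping are hypothetical.
GROUPS = {"dev_anna": {"Everyone", "Data Services Designer Users"},
          "dev_ben": {"Everyone", "Data Services Designer Users"}}
OWNER = {"REPO_ANNA": "dev_anna", "REPO_BEN": "dev_ben"}
ACL = [  # (principal, object, access level, advanced rights granted)
    ("Data Services Designer Users", FOLDER, "View", set()),
    ("dev_anna", "REPO_ANNA", "Full Control", set(PW_RIGHTS)),
    ("dev_ben", "REPO_BEN", "Full Control", set()),
    ("dev_ben", "REPO_ANNA", "Full Control", set()),
    ("Everyone", FOLDER, None, set(PW_RIGHTS)),
]

def skips_password_prompt(user, repo, acl=ACL):
    """True if both password rights reach `user` for `repo`, directly or via a
    group, on the repository itself or on the Repositories folder."""
    principals = {user} | GROUPS.get(user, set())
    granted = set()
    for principal, obj, _level, rights in acl:
        if principal in principals and obj in (repo, FOLDER):
            granted |= rights
    return PW_RIGHTS <= granted

def lint(acl=ACL):
    """Return findings where the listing departs from the recommended layout."""
    findings = []
    for principal, obj, level, rights in acl:
        is_group = principal not in GROUPS  # anything that is not a known user
        # Full Control is meant only for a developer's own repository.
        if level == "Full Control" and (obj == FOLDER or OWNER.get(obj) != principal):
            findings.append(("full-control-not-owner", principal, obj))
        # Password rights on a group or on the folder remove the prompt broadly.
        if rights & PW_RIGHTS and (is_group or obj == FOLDER):
            findings.append(("password-prompt-removed-broadly", principal, obj))
    return findings

if __name__ == "__main__":
    for finding in lint():
        print(finding)
```

With the constructed rows, the grant to "Everyone" on the Repositories folder means every user skips the database password prompt on every repository, which is the effect the note above describes.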

Thanks Dirk for the wonderful and painstaking blog.
Very informative stuff
excellent !
Nice document.. ! 🙂
Excellent document.
Dirk ... Nice job ...Excellent document ..!!
Always wanted a document on this, thanks a million Sir.
Hello Dirk,
Can we configure to retrieve DS repository password from CMS for all the users which we create in future as well? We tried your 4th point on the group "Everyone", still users were prompted for password.
Basically, we don't want designer to prompt for password for anyone. Is there a way to disable that extra security once for all?
Sure. When you apply those instructions to the principal Everyone at the level of the Repositories folder, the extra check will be removed for all future users and all repositories once and for all.
Thanks Dirk, it's actually working 🙂
Hello Dirk,
We have successfully upgraded our test environment from 4.0 to 4.2 using the upgrade patches. But after the upgrade we are facing user access issues.
Problem faced: In 4.0, when we provide access to a particular user on BODS Data Service Designer (View access), the user will not have execute or monitoring access on the Management Console unless the same user is included in the Data Services operator Users or Data services Monitor Users groups respectively, whereas in 4.2, when we include a user in the Data Services Designer Users group and provide view access only on BODS Data Services Designer, the same user can log in to the Management Console and has full access on the console (the user can execute jobs from the console as well), even though the user is not included in the Data Services operator Users or Data services Monitor Users groups.
Basically, we don't want this to happen. Is there a way to disable this access ?
Hi Dirk,
Is it possible to assign folder/object specific privileges in BODS 4.x.?
As per my requirement I need a user which can execute only selected batch jobs from Data Services Management Console.
It should not have execute privileges on the entire repository...
Please let me know if it's possible!!!
Regards,
Upamanyu
No, that's not possible. Access rights are granted at repository level only.
You can solve your issue by creating a separate repository. Grant access to that repository to your user. And copy only those jobs to it you want that user to execute.
Hi Dirk,
my requirement is that the user should be able create and edit objects in the repository but should not be able to execute the batch jobs.
This is what I tried:
How can I restrict a user from executing batch jobs from their repository?
They should still be able to create and edit the objects.
Could you please help?
Thanks in advance.
Regards,
Anil.
You cannot. The privileges you're looking at refer to the DS Management Console. For DS Designer, there are only 2 options: full access with all options and read-only that prevents you from modifying the content.
I believe there is a workaround, like using a firewall to block the client computer from accessing the job server. The designer can still edit jobs, but when running a job will be prompted with a job server error.
Hi,
Version 14.2.2.446
I'm having a problem where a user does not have the connection to the Central Object Library activated automatically. Then when he goes to manually Activate he is prompted for the User and Password every time. I went through all the above steps and it did not change the behavior.
Suggestions please ?
Thank you,
Peter.
Great document 🙂 Thanks for this
Hi
With BODS 4.2 SP6, does anyone know how to set security to give a user read-only access to a repository within the Management Console but allow them to set a schedule and/or abort a batch job?
After spending several days, there does not appear to be a way to achieve this? I know there is a group called Data Services Monitor User, but if I add this to the user as View only, they are still unable to abort/set schedule unless I give them full control on the repository, which defeats the purpose, as the user would then be able to edit objects within the repository.
Any suggestions?
Thanks
Paul
Remember that this is the BO authorization way.
If a permission is denied, it doesn't matter if you allow it in another group. Deny overwrites other permissions.
Try with Data Services Monitor User and explicitly allow the following:
One more very informative blog, Dirk. Was looking for such an in-detail procedure. Thanks a lot for sharing & keep posting.
Regards
Nawab
Great document, Dirk!
Hi Dirk,
Is there any way we can extract the user list along with their security properties?
Regards,
Balaij
Users are maintained in the CMC and stored in the CMS database. I know there are query possibilities on that database. Unfortunately, I cannot help you with the details. You should post your question in the BI space.
Hello Dirk,
Thank you for the wonderful Blog. I had a question. If you can show me the right path that would be great.
Is there any way we can create a group for Security administrator just to have access for user admin and group admin ? If yes, can I know how ?
Regards,
Preethi
Please check Section 7 Setting Rights in the Information platform services Administrator Guide (help.sap.com). Especially section 7.5 Using rights to delegate administration will be applicable.
Thank you so much Dirk. That really helped.
Regards,
Preethi
Hello Dirk Venken,
Recently we took over security and administration of this application and I had no idea where to start on security and I came across this blog.
This is great knowledge you shared with SAP Community. I really like this blog and it is providing step by step information on setting SAP Data Services Security.
+1 for this blog.
Thank you
Yogesh Patel
Thx Dirk,
That's a thing that I wanted to solve in our Data Services, to assign limited permissions to our developers.
🙂
Hi Dirk,
Is it possible to create a custom access level in BODS?
Neetha
You mean by object type / object?
No, as authorisations are defined in the IPS, the level of granularity is limited to the IPS context.
Hello Dirk,
One of our Dev BODS system administrator users is getting locked frequently.
As a workaround we are logging in with a different user and unlocking the administrator password.
As the product is in the cloud, this administrator user is used across many teams.
For RCA, can you please let us know where we can see the logs to find the reason for this user lock?
Regards,
Ananda
Most probably, somebody or something (an application) is trying to get access with a wrong password. Best approach is to activate auditing in the CMC on system access.
Hi Dirk,
The user has read-only access and is able to run the jobs from the console, but is not able to abort and schedule.
How can we provide access for these 2 specific functionalities?
Thanks,
Have you tried to grant Manage batch job history?
Very well written blog!!! Thanks!