Skip to Content

Data Services user and rights management – step by step instructions

Data Services uses the Central Management Server (CMS) for user and rights management. In a stand-alone DS environment, the same functionality is supplied by the Information Platform Services (IPS). Setting up user security is a rather cumbersome process. The procedure for granting access to a DS developer consists of four steps:

  • Create the user
  • Grant access to the DS Designer application
  • Grant access to one or more (or all) repositories
  • Allow automatic retrieving of the DS repository password from the CMS

1. Creating the user

By default, the DS installation program does not create any user accounts. Use the “Users and Groups” management area of the CMC to create users.


Figure 1: User List

Right click on the “User List” entry, select New > “New User” and specify the required details.


Figure 2: Create New User

Select the “Create & Close” button to finalize this step.

2.  Granting access to DS Designer

User name and password are entered in the DS Designer Repository Logon window.


Figure 3: DS Repository logon

2.1. User management

Unfortunately, the newly created user only has a limited number of access rights by default. More specifically, authorization to run DS
Designer is not granted automatically.

When trying to start the application with this user and password, access is denied:


Figure 4: Access Denied

Access can be granted to an individual user in the Applications area of the CMC. Right-click “Data Services Application” and select “User Security”.


Figure 5: Applications area in CMC

Select the “Add Principals” button:


Figure 6: User security

Select the user from the “User List” in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel.


Figure 7: Add Principals

Select the Advanced tab and then the “Add/Remove Rights” link.


Figure 8: Assign Security

Grant access to Designer and select OK.


Figure 9: Add/remove Rights

2.2. Group management

As mentioned above, the DS installation program does not create any default user accounts. But it does create several default group accounts. One of these groups is called “Data Services Designer”. Members of this group automatically have access to the DS Designer.

After creating a new user, assign it to this group account. That will grant the user with access to DS Designer, the same result as with
the explicit user-level grant, but achieved in a much simpler way.

Return to the “Users and Groups” management area of the CMC. Right-click on the user and select “Join Group”.


Figure 10: Users and Groups

Select the group from the “Group List” in the “Available groups” panel and select the “>” button to move it to the “Destination Group(s)” panel and hit OK.


Figure 11: Join Group

3.  Granting access to the repositories

When an authorized user connects to the DS Designer application, following error message is displayed:


Figure 12: No repositories are associated with the user

That is because a user in the “Data Services Designer Users” group has no default access to any of the DS repositories:


Figure 13: Access control list: No access by default

If a user needs access to a given repository, that access has to be explicitly granted to him.

Navigate to the “Data Services” area in the CMC. Right-click on the name of the repository and select “User Security”.


Figure 14: Data Services

The “User Security” dialog box appears and displays the access control list for the repository. The access control list specifies the users and groups that are granted or denied rights to the repository.


Figure 15: User Security

Select the “Add Principals” button. Then select the users or groups from the “User List” or “Group List” respectively in the “Available users/groups” panel and select the “>” button to move it to the “Selected users/groups” panel. Finally, select “Add and Assign Security”.


Figure 16: Add principals

Select the access level to be granted to the user or group:

  • To grant read-only access to the repository, select “View”.
  • To grant full read and write access to the repository, select “Full Control”.
  • To deny all access to the repository, select “No Access”.

Select the “>” button to move it from the “Available Access Levels” to the “Assigned Access Levels” panel. And hit OK.


Figure 17: Assign security

Note: By applying the same method at the level of the Repositories folder in the “Data Services” area in the CMC, the user will be granted the same access level to all repositories at once. Both mechanisms can be combined to give the developers full control over their own repository and read access to anybody else’s:


  • Grant View access to every individual developer (or to the “Data Services Designer Users” group or to a special dedicated group, for that matter) at the level of the Repositories folder. Make sure that, when using the default group for this, it comes with the default settings. If it doesn’t, simply reset security settings (on object repositories and on all children and descendants of object repositories) on the default group before attempting this operation.
  • Grant “Full Control” access to every individual developer for his own repository.

When logging in to DS, developers see the full list of repositories they are granted access to. A value of “No” in the second column means full access, “Yes” means read-only.


Figure 18: Typical DS Designer logon screen


Don’t make the list too long. The logon screen is not resizable. And scrolling down may become very tedious!

4.  Retrieving the DS repository password from the CMS

The users can now connect to the repositories from within DS Designer. When he starts the application, as an extra security feature, he is prompted for the (database) password of the repository:


Figure 19: Repository password

If this extra check is not wanted, it can be explicitly removed.

Return to the “User Security” dialog box that displays the access control list for the repository. Select the User, then the “Assign Security” button.

In the “Assign Security” dialog box, select the Advanced tab and then the “Add/Remove Rights” link.


Figure 20: Assign Security

Grant both “Allow user to retrieve password” and “Allow user to retrieve password that user owns”  privileges and hit OK.


Figure 21: Add/remove Rights

DS Designer will not prompt for a database password anymore when the user tries to connect to this repository.

Note: By applying the same method at the level of the Repositories folder in the “Data Services” area in the CMC, this extra check will be removed from all repositories accessible by this user at once.

You must be Logged on to comment or reply to a post.
  • Hello Dirk,

    Can we configure to retrieve DS repository password from CMS for all the users which we create in future as well? We tried your 4th point on the group "Everyone", still users were prompted for password.

    Basically, we don't want designer to prompt for password for anyone. Is there a way to disable that extra security once for all?

  • Hello Dirk,

    We have successfully upgraded our test environment from 4.0 to 4.2 using the upgrade patches.But after up-gradation we facing user access issues.

    Problem Faced - In 4.0, when we provide access to particular user on BODS Data Service Designer ( View access ), So user will not be having execute or monitoring access on Management console unless the same user is included in Data Services operator Users or Data services Monitor Users groups respectively, but where as in 4.2 when we are including user on Data Services Designer Users group and providing view access only on BODS Data Services Designer, the same user can login to Management console and has full access on console ( User can execute jobs as well from console ) where in the user is not included in Data Services operator Users or Data services Monitor Users groups .

    Basically, we don't want this to happen. Is there a way to disable this access ?

  • Hi Dirk,

    Is it possible to assign folder/object specific privileges in BODS 4.x.?

    As per my requirement I need a user which can execute only selected batch jobs from Data Services Management Console.

    It should not have execute privileges on the entire repository...

    Please let me know if it's possible!!!



    • No, that's not possible. Access rights are granted at repository level only.

      You can solve your issue by creating a separate repository. Grant access to that repository to your user. And copy only those jobs to it you want that user to execute.

  • Hi Dirk,

    my requirement is that the user should be able create and edit objects in the repository but should not be able to execute the batch jobs.

    This is what I tried:

    • Copied the full control access level to new access level (named "Edit") and denied below rights:

    Application Rights.JPG

    Application Rights2.JPG

    • Basically the access level allows only "Access to Designer"; All the remaining rights are "Not Specified"
    • Created user (edit_user)
    • User is part of a group called "edit_group"
    • This group is assigned "edit" acess level in Data Services Application
    • The user "edit_user" is assigned "edit" access level to the repository
    • now, edit_user is still able to login and execute batch jobs from Designer.

    How can I restrict a user from executing batch jobs from their repository?

    They should still be able to create and edit the objects.

    Could you please help?

    Thanks in advance.



    • You cannot. The privileges you're looking at refer to the DS Management Console. For DS Designer, there are only 2 options: full access with all options and read-only that prevents you from modifying the content.

      • I believe there is workaround, like blocking the job server by firewall form accessing from client computer. designer can still edit jobs but when running job will be prompted that job server error.

  • Hi,


    I'm having a problem where a user does not the connection to the Central Object Library activated automatically.  Then when he goes to manually Activate he is prompted for the User and Password every time.  I went thru all the above steps and it did not change the behavior.

    Suggestions please ?

    Thank you,


  • Hi

    With BODS 4.2 SP6, does anyone know how to set security to give user readonly access to a repository within Management Console but allow them to be able to set schedule and/or abort batch job?

    After spending several days, there does not appear to be a way to achieve this?  I know there is a group called Data Services Monitor User but if I add this to the user as View only they are still unable to abort/set schedule unless if I give them full control on the repository which defeat the purpose the user would then be able to edit objects within the repository

    Any suggestions?



    • Remember that this is the BO authorization way.

      If a permission is denied it doesn't matter if you allow in other group. Deny overwrite other permissions.

      try with Data Services Monitor User and explicit allow the following:


    • Users are maintained in the CMC and stored i nthe CMS database. I know there are query possibilities on that database. Unfortunately, I cannot help you with the details. You should post your question in the BI space.

  • Hello Dirik,


    Thank you for the wonderful Blog. I had a question. If you can show me the right path that would be great.

    Is there any way we can create a group for Security administrator just to have access for user admin and group admin ? If yes, can I know how ?




  • Hello Dirk Venken,

    Recently we took over security and administration of this application and I had no idea where to start on security and I came across this blog.

    This is great knowledge you shared with SAP Community. I really like this blog and it is providing step by step information on setting SAP Data Services Security.

    +1 for this blog.

    Thank you

    Yogesh Patel

    • You mean by object type / object?

      No, as authorisations are defined in the IPS, the level of granularity is limited to the IPS context.

  • Hello Dirk,


    One of our Dev BODS system administrator user getting locked frequently.

    As a work around we are logging in with different user and unlocking the administrator password.

    As the product is cloud so this administrator user used across many teams.

    For RCA , can you please let us know where can see the logs to find the reason of this user lock.



    • Most probably, somebody or something (an application) is trying to get access with a wrong password. Best approach is to activate auditing in the CMC on system access.

  • Hi Dirk,


    User have read only  access and able to run the jobs from console. But not able to abort and schedule.


    How we can provide the access for this 2 specific functionality..