SAP Data Archiving & ILM Authorization Roles
In SAP Data Archiving, proper authorization roles are crucial to ensure users can only access the data and archiving objects they’re permitted to. Below is a list of common authorization roles and objects used in SAP Data Archiving, particularly in ILM (Information Lifecycle Management) and classic SARA-based archiving.
1. Key Authorization Objects for SAP Data Archiving
These are the technical authorization objects assigned to roles via transaction PFCG.
2. Common Archiving Roles (SAP Delivered or Custom)
SAP doesn’t always deliver pre-built roles for archiving, but you can either create custom roles or base them off templates like these:
| Role Name | Description |
|---|---|
| Z_ARCHIVE_ADMIN | Full access to all archiving functions (write, delete, display, ILM access) |
| Z_ARCHIVE_DISPLAY | Display/archive logs and archive files only – no write or delete |
| Z_ILM_ADMIN | Full ILM object management including policies, rules, and retention |
| Z_ILM_USER | End-user role for executing ILM-based archiving activities |
| SAP_BC_SRV_ARC_ADMIN | (SAP NetWeaver role) Contains basic authorizations for archiving services |
| SAP_ILM_ADMIN | (If available) Role template for ILM administration (customize as needed) |
3. Transaction Codes Related to Archiving (Need S_TCODE)
Users need access to these T-codes via S_TCODE in their roles:
| Transaction | Description |
|---|---|
| SARA | Central archive administration (classic archiving) |
| ILMSTOREADM | Administer ILM store and storage systems |
| ILMWORKCENTER | ILM Work Center (Web UI) |
| AOBJ | Archive object definition |
| SARI | Archive Information System (read archived data) |
| FILE | Logical file path configuration |
| WE20 | Partner profile (for ALE archiving scenarios) |
4. Role Design Best Practices
- Least Privilege: Assign only what the user needs (e.g., display-only vs admin)
- Split duties: Separate roles for writing and deleting archive files
- Transaction logging: Enable logging for sensitive archiving activities
- Audit compliance: Ensure roles meet audit and retention policy requirements (especially with ILM)
5. ILM-Specific Enhancements (if using ILM)
In ILM, you often work with:
- Policies (retention, destruction, legal hold)
- ILM Store (integration with storage system)
- Audit-proof archiving
This requires fine-grained authorizations like:
- S_ILM_STOR: controls storage system operations
- S_ILM_LKPR: controls legal case handling
These are not needed in classic SARA-based archiving, only in ILM setups.
Role Templates You Need (Hybrid Archiving & ILM)
| Role Name | Description |
|---|---|
| Z_ARCHIVE_ADMIN | Full admin access to both SARA and ILM archiving activities |
| Z_ARCHIVE_USER | End-user role: can schedule and view archiving jobs, but can’t delete archives |
| Z_ARCHIVE_DISPLAY | Display-only access: can review logs, read archived data, but cannot archive or delete anything |
Important Notes
- Use SU24 to check default authorizations for each transaction
- Restrict S_DATASET and S_ARCHIVE per archiving object or logical file if needed
- Always test in QA before going live—wrong S_DATASET values can allow access to critical file paths
Next Steps
If you'd like a ready-to-import file for SAP Role Maintenance (PFCG), feel free to contact us and we’ll send it to you directly.
- A .TXT or JSON export of these roles (for upload via PFCG)
- A script to generate these roles using SAP scripting tools
- A PDF cheat sheet to hand over to your SAP security consultant
What You’ll Get in the PDF:
- Role Overview Table (Admin, User, Display)
- Detailed Authorization Object Breakdown
- Transaction Codes Required
- Best Practices (Security, Audit Compliance)
- Bonus Tips (ILM-specific access considerations)
Name of the PDF: SAP Data Archiving & ILM – Authorization Role
