
When working with many developers, we may want to restrict access to some objects
for some of them (to prevent changes or deletions, for instance).
XI allows us to do this very easily, and this is a simple example of how to start using so-called “Data Dependent Authorizations”.

In the initial situation we have access to all objects, and when we click the Change button
we can change any object we want (unless “Objects are modifiable” is not checked for the software component version).


But we’d like to change this and forbid our user from accessing Message Mappings in one software component version.

1. From the Integration builder: Repository let’s go to Tools -> User Roles -> New

2. Let’s name our role: SampleRestriction

3. Now we’ll exclude access to our software component version and all of its namespaces, and exclude access to all Message Mappings from that component.

[Screenshot: this picture was changed a little bit so it’s easier to see all objects in it.]

Obviously, we can choose many other objects if we want.


4. Then hit save & activate our role.

5. Now we have to go to http://server:port/useradmin to assign the new role to our user.

But before that, make sure the com.sap.aii.util.server.auth.activation property is set to true in your ExchangeProfile under IntegrationBuilder -> IntegrationBuilder.Repository.

6. Click Roles -> search for role XiRep_Samplerestriction

7. Assign users to…


8. Then we can add a user to the new role.


9. Now we can see that our user has been added.
We can log on to the XI Repository and when we click the Change button for the Message mapping we’ll see:


**********************************************************************************

More information about repository authorizations can be found at:

1. User Roles – help.sap.com
http://help.sap.com/saphelp_nw04/helpdata/en/f4/67b340be3dff5fe10000000a155106/content.htm

2. Latest XI configuration guide under:
Users with Data-Dependent Authorizations

**********************************************************************************


11 Comments


    1. Michal Krawczyk Post author
      Hi Siva,

      Thx:)
      but the truth is that I (as a developer)
      don’t want to have restricted access 🙂

      BTW
      I keep reading your contributions too and I really like the one with the message flow 🙂

      you too keep on (web)blogging 🙂

      Regards,
      michal

  1. Former Member
    Helps a lot with implementation projects involving bigger team size and avoids last-minute surprises!! And if teams are geographically separated, then you know the chaos. Keep going
    1. Michal Krawczyk Post author
      Hi Saravana,

      There can be chaos even if there are many teams in one place :)
      but we have to create “managed chaos” 🙂

      Regards,
      michal

  2. Former Member
    Hi Michal,

    I tried your blog, but when I click the Change button on the repository object it's not applying the particular role.

    I configured the ExchangeProfile parameters and created a new user and its roles.

    Would you tell me where I made a mistake, according to your blog?

  3. Former Member
    Hi Michal

    I did this, but somehow, for a reason I don’t know yet, when I add the com.sap.aii.util.server.auth.activation in ExchangeProfile –> IntegrationBuilder –> IntegrationBuilder.Repository it is also added in IntegrationBuilder.Directory

    I’ve repeated it 5 times already but it is really getting added in the IntegrationBuilder.Directory, which then applies the restriction also to Directory objects

    Our system is XI 3.0 SP19

    Would you know why this happens?

  4. Hi,
    I have tried it but I can continue modifying objects.

    1. I have created a user in XI (Trans. SU01) with role SAP_XI_DEVELOPER.

    2. I have created the Exchange profile parameter with true, and restarted J2EE

    3. I have created a role in IR:
    Exclude/SWCV/*/Exclude/Message Mapping/Full Edit

    4. I have assigned the role to the user

    and the user can modify all objects in the SWCV.

    Could you help me?
