about how we can control access to message display. This weblog shows
how you can use the authorization concept to restrict access to the message payload
by using a standard authorization object.
Let’s start from the beginning:
From SAP Note 742324 – New authorization concept
we can learn that in order to use the authorization concept for XI message monitoring
we should use the S_XMB_MONI authorization object instead of S_XMB_DSP.
As a start we can copy the standard role SAP_XI_MONITOR_ABAP for displaying XML messages (TCODE – PFCG):
Now we can delete both objects for XML message display:
Once we delete those objects we can manually add the object S_XMB_MONI.
In this exercise we’ll try to give full access to the following activities (descriptions from the S_XMB_MONI object documentation):
02 = Change the SOAP header/body of an XML message
03 = Display the SOAP header/body of an XML message
16 = Reschedule failed XML message
A3 = Change the status of an XML message manually
We’ll just restrict access to:
29 = Display the payload of an XML message
We can also tell exactly which interface/service/namespace can be used:
SXMBPARTY = Communication Party
SXMBPRTAG = Issuing Agency
SXMBPRTTYP = Identification Scheme
SXMBIFNS = Interface Namespace
Once we fill those we can generate the role and add it to one of our users.
The user will now be able to use SXMB_MONI but when he tries to see the message payload he’ll see:
You can use the standard report RSUSR070 to see which roles have the S_XMB_MONI object assigned.
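The same review can be done offline on an export of role authorization values. The following is an added example, not part of the original weblog: it flags roles whose S_XMB_MONI values still cover activity 29, including wildcard and range entries. The row layout, the field name ACTVT, the role names and the simplified matching rules are assumptions; the sample rows are constructed.

```python
# Added example: find roles whose S_XMB_MONI authorization still allows
# activity 29 (display the payload of an XML message).
# Assumptions: rows are (role, object, auth_instance, field, low, high),
# the activity field is called ACTVT, and value matching is simplified to
# exact values, trailing-* patterns and LOW..HIGH ranges.
PAYLOAD_DISPLAY = "29"

# Constructed sample data; role names are hypothetical.
SAMPLE_ROWS = [
    ("Z_XI_MONITOR_NOPAYLOAD", "S_XMB_MONI", "A1", "ACTVT", "02", ""),
    ("Z_XI_MONITOR_NOPAYLOAD", "S_XMB_MONI", "A1", "ACTVT", "03", ""),
    ("Z_XI_MONITOR_NOPAYLOAD", "S_XMB_MONI", "A1", "ACTVT", "16", ""),
    ("Z_XI_MONITOR_NOPAYLOAD", "S_XMB_MONI", "A1", "ACTVT", "A3", ""),
    ("Z_XI_MONITOR_FULL", "S_XMB_MONI", "A1", "ACTVT", "*", ""),
    ("Z_XI_MONITOR_RANGE", "S_XMB_MONI", "A1", "ACTVT", "03", "30"),
    ("Z_XI_PREFIX", "S_XMB_MONI", "A1", "ACTVT", "2*", ""),
    ("Z_XI_OTHER", "S_XMB_DSP", "A1", "ACTVT", "03", ""),
]


def value_grants(low, high, wanted):
    """Return True if one LOW/HIGH authorization value covers `wanted`."""
    low, high = low.strip(), high.strip()
    if high:                      # range entry: character-wise comparison
        return low <= wanted <= high
    if low.endswith("*"):         # "*" alone or a prefix pattern such as "2*"
        return wanted.startswith(low[:-1])
    return low == wanted          # single value


def roles_granting_payload(rows):
    """Map role name -> list of (auth_instance, low, high) granting activity 29."""
    hits = {}
    for role, obj, auth, field, low, high in rows:
        if obj != "S_XMB_MONI" or field != "ACTVT":
            continue
        if value_grants(low, high, PAYLOAD_DISPLAY):
            hits.setdefault(role, []).append((auth, low, high))
    return hits


if __name__ == "__main__":
    for role, grants in sorted(roles_granting_payload(SAMPLE_ROWS).items()):
        print(role, grants)
```

Wildcard and range entries are the cases that are easy to miss when reviewing the role by eye, because the value 29 never appears literally.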
I hope this weblog will help to understand how message display can be restricted for some non-basis XI developers.