Skip to Content

SAP MII : Role based access to content


Have you ever wanted to give users access to certain content depending on their roles ? This blog explores one such method of doing so. Though I’ll be using SAP MII 12.0 throughout the example, this would be relevant to MII 11.5 as well with little or no changes. Point to note is that the User Management in MII 12.0 is handled by the User Management Engine(UME) of Netweaver.


There are two approaches by which this can be acheived :

IRPT or MII Reports (refer to this SAP Help Link for MII 11.5 (  for more details. Though this is specific to 11.5, it applies to 12.0 as well.)


IRPT pages have access to the MII session variables and I’ll be using the IllumLoginRoles session property which returns a comma separated list of all the roles assigned to the user for this purpose.

Example and Sample Code

For this example lets create a role *TEST_ACCESS in the Netweaver UME. We’ll check the user for this role and will grant him access only if  this role is assigned to him.</p><p>The javascript code that we will use for this is given below :</p><p>—-

BEGIN OF CODE – Javascript


function checkAccess(){

var roleToCheck = “TEST_ACCESS”;

var myAssignedRoles = myRoles.value;

if (myAssignedRoles.indexOf(roleToCheck) != -1){

document.write (“h3. Access Granted !



document.write (“h3. Access Denied !




<input id=”myRoles” type=”hidden” value=”“>







</p><pre><html><br/><head><br/><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"/><br/><title>Role Based Access</title><br/></head><br/><body><br/><%<br />String roleToAccess = "TEST_ACCESS";<br/>String myRoles = (String)session.getAttribute("IllumLoginRoles") ;<br/>if (myRoles.indexOf(roleToAccess) != -1 ){<br/>out.println("h3. Access Granted !
");<br/>}else{<br/>out.println("h3. Access Denied !
");<br/>}<br/>%><br/></body><br/></html> </pre><p>



</p><p>Note : If you read the comments below on this blog, you’ll know that the Javascript approach is not secure. True. Therefore the advice from my side would be to use the JSP approach since all access validation should be done on the server side and not on the client side.*

Now lets’s test this peice of code for someone who does not have the role assigned to them.


Let’s now create this role in the UME by accessing it through http://:/useradmin.

0.1. Select the *Search Criteria  *as Role.


Click on Create Role. 0.1. Enter the role name as *TEST_ACCESS *and save.

0.1. Now to assign the role to the user :

0.2. select the *Search Criteria  *as User.


Enter the username and click on Go. 0.1.

Select the user and click on Modify.0.1. Go to the *Assigned Roles *tab.


Enter the role name TEST_ACCESS in the *Available Roles *tab and click on Go.0.1. Select the role and click on *Add  *to assign the role to the user.

0.2. Click on *Save *to save the assignment.

Run the same page again and Voila ! this is what you should see :


You must be Logged on to comment or reply to a post.
  • Be aware that content in the irpt page can be viewed pretty easy, as the javascript first is executed when the page has been loaded into the browser!
    • Very true ! Specifically so if the network connection the page is being viewed in is slow !
      I had this is mind when I wrote this blog. Apparently JSP is a better solution security wise as access restrictions like this are best handled server side. The code is merely a simple demonstration on how this can be simply handled using javascript. Maybe I’ll also add the JSP code snippet so that everyone else can use it 🙂