Skip to Content

It seems that more and more companies want to restrict different people from viewing some types of messages on the PI server. On ABAP stack it’s pretty simple and you can do this easily with standard authorizations as shown in my old article:  SXMB_MONI – controlling access to message display

On the Java stack on the other hand it’s a bit more tricky and you need a bit more work. This article will show how to create a Java role for displaying content (payload) of all interface except one which needs to remain hidden.

Step 1

At first you need to define the requirements for payload access and group them into a Java stack role which can be assigned to your users. You can find a sample role XML file in OSS Note 1370334 (examplerole.zip) and you may only need to customize it so it does not require a lof of effort. In my Example I will create a new role: “XiMdt.ExampleRoleKrawczyk” and will assign one custom action to that role called: “payload_excrestriced”. In the same file I will create this new action “payload_excrestriced” and will assign the payload display access (Value=Payload) to all interfaces except those with the namespace krawczyk.com/restricted (hence <> value for the senderInterfaceNamespace). The role XML file can look more or less like the one shown in the Figure below:

/wp-content/uploads/2012/10/auth_blog_1_143847.png

For other display options and other parameters on the basis of which you can restrict access (like sender/receiver system, interface name, etc.) please have a look at the OSS notes from the “Notes” section of this article.

Step 2

Now you need to deploy the XML file with your user roles to your PI server.

a) open the deploy_ear.zip file from the OSS Note 1370334 and extract file sap.com~com.sap.xi.mdt.actions.ear from it

b) extract file sap.com~com.sap.xi.mdt.actions.ump from file sap.com~com.sap.xi.mdt.actions.ear

/wp-content/uploads/2012/10/auth_blog_2_143848.png

c) replace the actions.xml file in sap.com~com.sap.xi.mdt.actions.ump with your own XML file with your role

d) zip it all together back to the sap.com~com.sap.xi.mdt.actions.ear file (the file structure needs to remain the same as it was before the unzipping – you only need to replace the actions.xml file)

e) deploy the ear file using the JSPM to your PI server

Step 3

In order to enable custom roles for PI you need to enable one new parameter into your Exchange Profile – if you’re using java stack only PI you can do this in NWA if not you can do this in your old Exchange Profile application. The new parameter which needs to be added (under node – RuntimeWorkbench) is “com.sap.aii.rwb.server.auth.UME” with value “true”.

/wp-content/uploads/2012/10/auth_blog_3_143849.png

Important – to make it work you need to restart the server.

Step 4

Once you change the Exchange Profile parameter and restart the server you can assign the new role to your users in user admin application – http://<server>:<port>/useradmin as shown in Figure below.

auth_blog_4.JPG

Step 5

Testing your access:

For messages with a proper namespace we will be able to see the “Payload” node in the Message Monitoring as per our role + action’s configuration.

Auth_blog_5.png

For messages with namespace “krawczyk.com/restricted” we will not even see the tab – Message Content in the Message Monitoring application.

/wp-content/uploads/2012/10/auth_blog_6_143852.png

Important Notes

1. Please remember that SAP also prepared a set of predefined roles – XiMdt.* and if your custom roles need to work you should remove the XiMdt.* roles from all users as XiMdt.* roles give full access to all monitoring objects.

2. More details for this configuration can be found in:

a) for PI 7.1 and higher versions – Note 1370334 – Securing Payloads in Message-Monitoring

b) for XI 3.0 and PI 7.0 –  Note 1162399 – Securing Payloads in Message-Monitoring

To report this post you need to login first.

9 Comments

You must be Logged on to comment or reply to a post.

  1. Brecht Bauwens

    Hi Michal,

    During your test, did you only assign that custom role “XiMdt.ExampleRole” to your user, or was your user also assigned to UME groups (and corresponding roles), for example “SAP_XI_MONITOR_J2EE”?

    Because in my test, only with the custom role, I don’t have access to any monitoring tool on J2EE stack…

    Also actions “com.sap.xi.rwb” = display, etc should be assigned to view the messages?

    Thanks for the info!

    KR,

    Brecht

    (0) 
  2. Jörg Thiesmann

    Hi Michal,

    thanks for the article!

    Is the old way of importing roles in Identity Management not possible anymore? I remember it was just uploading a proper xml file there and no creation and deployment of ear files necessary.

    I had done this in 7.11 and I found this easier to be done on Java side than in ABAP. It was easier especially if you wanted to exclude namespaces or interfaces (for example, exclude only HR interfaces).

    What is the difference or the advantage of doing it the way you describe it?

    Regards,

    Jörg

    (0) 
  3. Rafael Vieira

    Michal, would you know how I can get a short description of what each PI AEX 7.31 Role/Action does?

    Tried in the SAP help but it does not have a complete list of Actions.

    In the Identity Manager I see all available action but most of them have no description and it becomes hard to say what a com.sap.aii.af.app-xi_af_rtc or a caf~runtime~security~content-caf.developer really do and even harder to say if I need this action or not in a daily activity.

    Tks a lot!

    (0) 
  4. Markus Schalk

    Hi Michal,

    good article, thanks a lot!

    One question: Do we have to set the parameter com.sap.aii.rwb.server.auth.UME in the exchange profile, even if we only want to use the standard XiMdt.* roles?

    Thanks in advance.

    Best regards,

    Markus Schalk

    (0) 
  5. mithali rathi

    Hi Michal,

    Thanks for this blog ans insights. Your blog reflects ideas for Payload access restrictions for respective namespace. I was looking on posibilities to do the same for a respective Interface level.

    Let me know if any way out to perform this.

    (0) 

Leave a Reply