Michal Krawczyk

Michal’s PI tips: Authorizations for viewing payload of messages on Java stack – implementation

It seems that more and more companies want to restrict different people from viewing some types of messages on the PI server. On the ABAP stack this is pretty simple and can be done with standard authorizations, as shown in my old article: SXMB_MONI – controlling access to message display

On the Java stack, on the other hand, it is a bit trickier and needs a bit more work. This article shows how to create a Java role for displaying the content (payload) of all interfaces except one, which needs to remain hidden.

Step 1

First, define the requirements for payload access and group them into a Java stack role that can be assigned to your users. You can find a sample role XML file in OSS Note 1370334 (examplerole.zip); you may only need to customize it, so it does not require a lot of effort. In my example I will create a new role, “XiMdt.ExampleRoleKrawczyk”, and assign one custom action to it called “payload_excrestriced”. In the same file I will create this new action “payload_excrestriced” and assign payload display access (Value=Payload) to all interfaces except those with the namespace krawczyk.com/restricted (hence the <> value for senderInterfaceNamespace). The role XML file can look more or less like the one shown in the figure below:

(Figure 1: sample role XML file with role XiMdt.ExampleRoleKrawczyk and action payload_excrestriced)

For other display options and other parameters on the basis of which you can restrict access (such as sender/receiver system, interface name, etc.), please have a look at the OSS notes listed in the “Important Notes” section of this article.

Step 2

Now you need to deploy the XML file with your user roles to your PI server.

a) open the deploy_ear.zip file from the OSS Note 1370334 and extract file sap.com~com.sap.xi.mdt.actions.ear from it

b) extract file sap.com~com.sap.xi.mdt.actions.ump from file sap.com~com.sap.xi.mdt.actions.ear

(Figure 2: contents of the extracted sap.com~com.sap.xi.mdt.actions.ear)

c) replace the actions.xml file in sap.com~com.sap.xi.mdt.actions.ump with your own XML file with your role

d) zip it all together again into the sap.com~com.sap.xi.mdt.actions.ear file (the file structure needs to remain exactly as it was before unzipping – you only replace the actions.xml file)

e) deploy the ear file using the JSPM to your PI server
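The repacking in steps a) to d) is where mistakes happen: an entry renamed, a directory dropped, or a malformed actions.xml that only fails after deployment. The script below is an added example (not code from the post or from SAP) that automates the nested replacement and checks the result. It assumes the .ump file is itself a zip archive (the post extracts files from it) and that actions.xml sits at the root of that archive; the sample role XML uses placeholder element names to stand in for the real schema from examplerole.zip, and the sample EAR is constructed in code only for the demonstration.

```python
"""Repack an SAP PI actions EAR with a custom actions.xml.

Added example, not from the original post or from SAP. It replaces
actions.xml inside the nested .ump archive while keeping every other entry
of both archives (names, order, compression method) exactly as it was.
Assumptions: the .ump file is a zip archive and actions.xml is a root entry
of it; the sample XML below uses a placeholder schema, not SAP's real one.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

EAR_NAME = "sap.com~com.sap.xi.mdt.actions.ear"   # file name from the post
UMP_NAME = "sap.com~com.sap.xi.mdt.actions.ump"   # file name from the post
ACTIONS_XML = "actions.xml"                        # file name from the post

# Constructed sample role file modelled on the post's description: one action
# granting payload display for every sender namespace except the restricted
# one, and one role referencing that action. Placeholder schema only.
SAMPLE_ROLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<actions>
  <action name="payload_excrestriced">
    <permission value="Payload"
                senderInterfaceNamespace="&lt;&gt; krawczyk.com/restricted"/>
  </action>
  <role name="XiMdt.ExampleRoleKrawczyk">
    <actionref name="payload_excrestriced"/>
  </role>
</actions>
"""


def _rewrite_zip(data: bytes, entry: str, new_bytes: bytes) -> bytes:
    """Return a copy of zip `data` in which only `entry` has new content."""
    src = zipfile.ZipFile(io.BytesIO(data))
    if entry not in src.namelist():
        raise KeyError(f"{entry} not found in archive")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            payload = new_bytes if info.filename == entry else src.read(info)
            # Reusing the original ZipInfo keeps name, timestamp and
            # compression method; only the bytes of `entry` change.
            dst.writestr(info, payload)
    return out.getvalue()


def replace_actions_xml(ear_bytes: bytes, new_actions_xml: bytes) -> bytes:
    """Return the EAR with actions.xml inside the nested UMP replaced."""
    ET.fromstring(new_actions_xml)  # fail early on malformed role XML
    ear = zipfile.ZipFile(io.BytesIO(ear_bytes))
    new_ump = _rewrite_zip(ear.read(UMP_NAME), ACTIONS_XML, new_actions_xml)
    return _rewrite_zip(ear_bytes, UMP_NAME, new_ump)


def build_sample_ear() -> bytes:
    """Constructed stand-in for the EAR from the note: a nested zip layout."""
    ump = io.BytesIO()
    with zipfile.ZipFile(ump, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # constructed
        z.writestr(ACTIONS_XML, "<actions/>")  # stands in for the shipped file
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/application.xml", "<application/>")  # constructed
        z.writestr(UMP_NAME, ump.getvalue())
    return ear.getvalue()


def inspect_ear(ear_bytes: bytes) -> dict:
    """Entry lists of EAR and nested UMP plus the actions.xml text."""
    ear = zipfile.ZipFile(io.BytesIO(ear_bytes))
    ump = zipfile.ZipFile(io.BytesIO(ear.read(UMP_NAME)))
    return {
        "ear_entries": ear.namelist(),
        "ump_entries": ump.namelist(),
        "actions_xml": ump.read(ACTIONS_XML).decode("utf-8"),
    }


if __name__ == "__main__":
    original = build_sample_ear()
    patched = replace_actions_xml(original, SAMPLE_ROLE_XML)
    before, after = inspect_ear(original), inspect_ear(patched)
    # The structure check the post insists on: nothing but actions.xml changed.
    assert before["ear_entries"] == after["ear_entries"]
    assert before["ump_entries"] == after["ump_entries"]
    with open(EAR_NAME, "wb") as fh:
        fh.write(patched)
    print(after["actions_xml"])
```

To use it on the real archive from the note, read sap.com~com.sap.xi.mdt.actions.ear into `ear_bytes`, pass your own role file as `new_actions_xml`, and write the returned bytes back under the original name before deploying with JSPM; the entry-list comparison is the quick test that the structure is unchanged.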

Step 3

In order to enable custom roles for PI you need to add one new parameter to your Exchange Profile. If you are running a Java-stack-only PI you can do this in NWA; otherwise use the old Exchange Profile application. The parameter, which needs to be added under the RuntimeWorkbench node, is “com.sap.aii.rwb.server.auth.UME” with value “true”.

(Figure 3: Exchange Profile parameter com.sap.aii.rwb.server.auth.UME set to true)

Important – the parameter only takes effect after a server restart.

Step 4

Once you have changed the Exchange Profile parameter and restarted the server, you can assign the new role to your users in the user administration application, http://<server>:<port>/useradmin, as shown in the figure below.

(Figure 4: role assignment in the user administration application)

Step 5

Testing your access:

For messages with a permitted namespace we will be able to see the “Payload” node in Message Monitoring, as configured in our role and action.

(Figure 5: Message Monitoring showing the Payload node for a permitted namespace)

For messages with the namespace “krawczyk.com/restricted” we will not even see the Message Content tab in the Message Monitoring application.

(Figure 6: Message Monitoring without the Message Content tab for the restricted namespace)

Important Notes

1. Please remember that SAP also provides a set of predefined roles, XiMdt.*. These roles give full access to all monitoring objects, so for your custom roles to take effect you need to remove the XiMdt.* roles from all affected users.

2. More details for this configuration can be found in:

a) for PI 7.1 and higher versions – Note 1370334 – Securing Payloads in Message-Monitoring

b) for XI 3.0 and PI 7.0 – Note 1162399 – Securing Payloads in Message-Monitoring

      11 Comments
      Brecht Bauwens

      Hi Michal,

      During your test, did you only assign that custom role "XiMdt.ExampleRole" to your user, or was your user also assigned to UME groups (and corresponding roles), for example "SAP_XI_MONITOR_J2EE"?

      Because in my test, only with the custom role, I don't have access to any monitoring tool on J2EE stack...

      Also, should actions such as "com.sap.xi.rwb" = display, etc. be assigned to view the messages?

      Thanks for the info!

      KR,

      Brecht

      Former Member

      Hi Michal,

      thanks for the article!

      Is the old way of importing roles in Identity Management not possible anymore? I remember it was just uploading a proper xml file there and no creation and deployment of ear files necessary.

      I had done this in 7.11 and I found this easier to be done on Java side than in ABAP. It was easier especially if you wanted to exclude namespaces or interfaces (for example, exclude only HR interfaces).

      What is the difference or the advantage of doing it the way you describe it?

      Regards,

      Jörg

      Alexander Aigner

      Worked like a charm on PI 7.31 Java only. Even without restart after deployment. Did it anyway =)

      Hareesh Gampa

      Thanks Michal. Was looking for it 🙂

      Rafael Vieira

      Michal, would you know how I can get a short description of what each PI AEX 7.31 Role/Action does?

      Tried in the SAP help but it does not have a complete list of Actions.

      In the Identity Manager I see all available actions, but most of them have no description and it becomes hard to say what a com.sap.aii.af.app-xi_af_rtc or a caf~runtime~security~content-caf.developer really does, and even harder to say if I need this action or not in a daily activity.

      Tks a lot!

      Matías Denker

      Hi. Great post. Is it possible to secure both payload AND header? We need to hide the header from the monitor. Thanks.

      Former Member

      Hi Michal,

      We need some help on how we can see the ump file details to replace the actions.xml.

      Thanks,

      Mahesh.

      Markus Schalk

      Hi Michal,

      good article, thanks a lot!

      One question: Do we have to set the parameter com.sap.aii.rwb.server.auth.UME in the exchange profile, even if we only want to use the standard XiMdt.* roles?

      Thanks in advance.

      Best regards,

      Markus Schalk

      Former Member

      Hi Michal,

      Thanks for this blog and insights. Your blog reflects ideas for payload access restrictions for a respective namespace. I was looking for possibilities to do the same at a respective interface level.

      Let me know if any way out to perform this.

      Dibyajit Das

      Hi Michal,


      Thanks for this useful blog. I have one doubt. Is there any path to deploy the ear file? Or can we deploy it using JSPM/NWDS? If so, do we need any path? I checked in the SAP note, but nothing is mentioned about the path.


      Thanks,

      Dib


      Preetam Ganesh Rao Pawar

      Hi Michal,


      I have a question: would deploying a file with custom roles overwrite all the previous custom roles that are already present in a single-stack PI system?

      I am also assuming that none of the default roles available would be deleted or removed.