Michal’s PI tips: Authorizations for viewing payload of messages on Java stack – implementation

It seems that more and more companies want to restrict different people from viewing some types of messages on the PI server. On ABAP stack it’s pretty simple and you can do this easily with standard authorizations as shown in my old article:  SXMB_MONI – controlling access to message display

On the Java stack on the other hand it’s a bit more tricky and you need a bit more work. This article will show how to create a Java role for displaying content (payload) of all interface except one which needs to remain hidden.

Step 1

At first you need to define the requirements for payload access and group them into a Java stack role which can be assigned to your users. You can find a sample role XML file in OSS Note 1370334 (examplerole.zip) and you may only need to customize it so it does not require a lof of effort. In my Example I will create a new role: “XiMdt.ExampleRoleKrawczyk” and will assign one custom action to that role called: “payload_excrestriced”. In the same file I will create this new action “payload_excrestriced” and will assign the payload display access (Value=Payload) to all interfaces except those with the namespace krawczyk.com/restricted (hence <> value for the senderInterfaceNamespace). The role XML file can look more or less like the one shown in the Figure below:

For other display options and other parameters on the basis of which you can restrict access (like sender/receiver system, interface name, etc.) please have a look at the OSS notes from the “Notes” section of this article.

Step 2

Now you need to deploy the XML file with your user roles to your PI server.

a) open the deploy_ear.zip file from the OSS Note 1370334 and extract file sap.com~com.sap.xi.mdt.actions.ear from it

b) extract file sap.com~com.sap.xi.mdt.actions.ump from file sap.com~com.sap.xi.mdt.actions.ear

c) replace the actions.xml file in sap.com~com.sap.xi.mdt.actions.ump with your own XML file with your role

d) zip it all together back to the sap.com~com.sap.xi.mdt.actions.ear file (the file structure needs to remain the same as it was before the unzipping – you only need to replace the actions.xml file)

e) deploy the ear file using the JSPM to your PI server

Step 3

In order to enable custom roles for PI you need to enable one new parameter into your Exchange Profile – if you’re using java stack only PI you can do this in NWA if not you can do this in your old Exchange Profile application. The new parameter which needs to be added (under node – RuntimeWorkbench) is “com.sap.aii.rwb.server.auth.UME” with value “true”.

Important – to make it work you need to restart the server.

Step 4

Once you change the Exchange Profile parameter and restart the server you can assign the new role to your users in user admin application – http://<server>:<port>/useradmin as shown in Figure below.

Step 5

Testing your access:

For messages with a proper namespace we will be able to see the “Payload” node in the Message Monitoring as per our role + action’s configuration.

For messages with namespace “krawczyk.com/restricted” we will not even see the tab – Message Content in the Message Monitoring application.

Important Notes

1. Please remember that SAP also prepared a set of predefined roles – XiMdt.* and if your custom roles need to work you should remove the XiMdt.* roles from all users as XiMdt.* roles give full access to all monitoring objects.

2. More details for this configuration can be found in:

a) for PI 7.1 and higher versions – Note 1370334 – Securing Payloads in Message-Monitoring

b) for XI 3.0 and PI 7.0 –  Note 1162399 – Securing Payloads in Message-Monitoring