Skip to Content

Michal’s PI tips: Authorizations for viewing payload of messages on Java stack – implementation

It seems that more and more companies want to restrict different people from viewing some types of messages on the PI server. On ABAP stack it’s pretty simple and you can do this easily with standard authorizations as shown in my old article:  SXMB_MONI – controlling access to message display

On the Java stack on the other hand it’s a bit more tricky and you need a bit more work. This article will show how to create a Java role for displaying content (payload) of all interface except one which needs to remain hidden.

Step 1

At first you need to define the requirements for payload access and group them into a Java stack role which can be assigned to your users. You can find a sample role XML file in OSS Note 1370334 ( and you may only need to customize it so it does not require a lof of effort. In my Example I will create a new role: “XiMdt.ExampleRoleKrawczyk” and will assign one custom action to that role called: “payload_excrestriced”. In the same file I will create this new action “payload_excrestriced” and will assign the payload display access (Value=Payload) to all interfaces except those with the namespace (hence <> value for the senderInterfaceNamespace). The role XML file can look more or less like the one shown in the Figure below:


For other display options and other parameters on the basis of which you can restrict access (like sender/receiver system, interface name, etc.) please have a look at the OSS notes from the “Notes” section of this article.

Step 2

Now you need to deploy the XML file with your user roles to your PI server.

a) open the file from the OSS Note 1370334 and extract file from it

b) extract file from file


c) replace the actions.xml file in with your own XML file with your role

d) zip it all together back to the file (the file structure needs to remain the same as it was before the unzipping – you only need to replace the actions.xml file)

e) deploy the ear file using the JSPM to your PI server

Step 3

In order to enable custom roles for PI you need to enable one new parameter into your Exchange Profile – if you’re using java stack only PI you can do this in NWA if not you can do this in your old Exchange Profile application. The new parameter which needs to be added (under node – RuntimeWorkbench) is “” with value “true”.


Important – to make it work you need to restart the server.

Step 4

Once you change the Exchange Profile parameter and restart the server you can assign the new role to your users in user admin application – http://<server>:<port>/useradmin as shown in Figure below.


Step 5

Testing your access:

For messages with a proper namespace we will be able to see the “Payload” node in the Message Monitoring as per our role + action’s configuration.


For messages with namespace “” we will not even see the tab – Message Content in the Message Monitoring application.


Important Notes

1. Please remember that SAP also prepared a set of predefined roles – XiMdt.* and if your custom roles need to work you should remove the XiMdt.* roles from all users as XiMdt.* roles give full access to all monitoring objects.

2. More details for this configuration can be found in:

a) for PI 7.1 and higher versions – Note 1370334 – Securing Payloads in Message-Monitoring

b) for XI 3.0 and PI 7.0 –  Note 1162399 – Securing Payloads in Message-Monitoring

You must be Logged on to comment or reply to a post.
  • Hi Michal,

    During your test, did you only assign that custom role "XiMdt.ExampleRole" to your user, or was your user also assigned to UME groups (and corresponding roles), for example "SAP_XI_MONITOR_J2EE"?

    Because in my test, only with the custom role, I don't have access to any monitoring tool on J2EE stack...

    Also actions "" = display, etc should be assigned to view the messages?

    Thanks for the info!



  • Hi Michal,

    thanks for the article!

    Is the old way of importing roles in Identity Management not possible anymore? I remember it was just uploading a proper xml file there and no creation and deployment of ear files necessary.

    I had done this in 7.11 and I found this easier to be done on Java side than in ABAP. It was easier especially if you wanted to exclude namespaces or interfaces (for example, exclude only HR interfaces).

    What is the difference or the advantage of doing it the way you describe it?



  • Michal, would you know how I can get a short description of what each PI AEX 7.31 Role/Action does?

    Tried in the SAP help but it does not have a complete list of Actions.

    In the Identity Manager I see all available action but most of them have no description and it becomes hard to say what a or a caf~runtime~security~content-caf.developer really do and even harder to say if I need this action or not in a daily activity.

    Tks a lot!

  • Hi Michal,

    good article, thanks a lot!

    One question: Do we have to set the parameter in the exchange profile, even if we only want to use the standard XiMdt.* roles?

    Thanks in advance.

    Best regards,

    Markus Schalk

  • Hi Michal,

    Thanks for this blog ans insights. Your blog reflects ideas for Payload access restrictions for respective namespace. I was looking on posibilities to do the same for a respective Interface level.

    Let me know if any way out to perform this.

  • Hi Michal,


    Thanks for this useful blog. I have one doubt. Is there any path to deploy the ear file? Or can we deploy it using JSPM/NWDS? If so, do we need any path? I checked in the SAP note, but nothing is mentioned about the path.





  • HI Michal


    I have a question, would deploying a file with custom roles over write all the previous custom roles that are already present in a single stack PI system.

    I am also assuming that none of the default roles available would be deleted or removed.