A typical authorization case in interface monitoring is that you need to restrict access to some interface for some users. This is a standard case and it can be easily implemented within proxy monitor too just like shown in one of my previous articles SXMB_MONI - controlling access to message display

What if there's a need to do the same on the content of a particular message? Imagine that business guys from one plant should not be able to view the interface data from another plant and vice versa and both are using the same interface. Such autorization is not possible within the standard proxy monitor - SXMB_MONI (nor in IDOC monitor - WE02/WE05) but this is where SAP AIF comes into place. With SAP AIF it's not only possible to do searching on the basis of the content of messages (using index tables) but it's also possible to implement authorization concept on the basic of content of messages.

Let's imagine we have a message like shown below which has two fields inside (Airline ID and Booking number).

We have implemented a search on indexed table for the airline ID field (just like shown in my article - Michal's tips: Application Interface Framework (AIF) - IDOC with custom selection criteria (index ta... so you can see that the messages are grouped according to the airline ID.

Now we'd like to make sure that the user is only able to view message data if the airline ID = AA and will not be able to display in case airline ID is different than AA. In order to achive that we need to do a few things as shown below.

Step 1

At first we need to create a new authorization object in transaction SU21. Create a new authorization object with class - AIF and two fields. One ACTVT (mandatory field) and with the field which is the same as your key field from the message - airline ID (same with carrid in my case). In case the authorization field is not available you can simply create a new one.

Step 2

For authorization field ACTVT you need to add some permitted actitivities which will define the what you can do with the message (like read, change, etc.). This is the list of the mandatory activities for this field:

Step 3

In the next step you need to add your authorization object to the role which will be assigned to the user who will be responsible for monitoring. You need to do that in transaction PCFG. You can either create a new role or update any of the existing roles. Once you add the authorization object to the role you will be able to select the properties for the authorizations fields.

Select all activities for field ACTVT.

Select AA airline ID in the carrid field (so user will only be able to view data when airline ID = AA).

Now you need to save and generate the role and then you can add it to your monitoring user. 

Step 4

The last step you need to do is to assign the authorization object to the AIF interface in transaction - /AIF/CUST - Error Handling - Interface Specific Features.

and then you need to assign the the authorization field to the key field defined for the AIF interface.

Step 5

Now when you open AIF monitoring transaction you will only see the message for airline ID = AA and nothing more.

I hope this short introduction to the AIF authorizations will let you design similar authorizations in your landscapes.