CPA Cache refresh fails in NW 730 and NW 731 with PIDIRUSER or PICACHEUSER with message 403 Forbidden - No Authorization.

When you perform the CPA Cache refresh with the PIDIRUSER or PIDIR<SID>, It says that 403 Forbidden - You are not Authorized.

You have referred the SAP Note Note 1232259 - Security Note: Cache refresh with user change and made changes to the user roles. You have created ABAP RFC destination SAPXICACHE<client> and also followed SAP Note : Note 1673399 - PI Upgrade: No RFC authorization for user PIDIRUSER. Still You are facing the No Authorization issue.

The solution to this problem is to update the XI ADAPTER FRAMEWORK component to the latest patch level with the current support stack or if possible to the latest support stack level in your system.

It is no longer possible to call this page with a service user (for example PIDIRUSER or PISUPER). The Full CPA Cache refresh has to be performed with a Dialog or a System user.If possible, you can take help from security team to change the PIDIRUSER to a system user.

In addition the Role 'SAP_XI_ADMINISTRATOR_J2EE' needs to be added to the PIDIRUSER, along with the below mentioned roles.

SAP_BC_WEBSERVICE_PI_CFG_SRV

SAP_SLD_CONFIGURATOR

SAP_XI_ID_SERV_USER

SAP_XI_ID_SERV_USER_MAIN

A full CPA Cache refresh has immediate impact on the message processing. On large systems a full CPA cache refresh can take up to an hour. During this time only restricted message flow is possible.

The history of all CPA Cache updates and the current content can be displayed by the following URL:

http://<host>:<port>/CPACache/monitor.jsp

For further details, you can refer SAP notes

1592426 PI SEC: Unauthorized use of administrative functions in PI

1600539 - PI AF: Manual Execution of a CPA Cache Refresh

Thanks,

Kasi Vishwanatha Gupta