Daniel Graversen

Customizing standard Java roles for PI

I don't work much with roles and authentication. I normally just want to get all the required roles and send information to the authentication person/group that something is missing. So this may be obvious to some of you authentication gurus, but hopefully it can enlighten someone else. If I'm wrong in some areas, please comment.

At my current project, we needed to have all roles as custom. I did not know how the roles work on Java, and how clients use this data. I decided to spend a few minutes on learning more about the topic.

We want to make a call to the proxy engine on Java. So we need to have the role SAP_XI_APPL_SERV_USER on the user that calls the proxy. My initial thought was that the application was checking for the role name.

Fortunately this was not the case. Hopefully it is just me who has assumed that a few times. The applications from SAP check on capabilities. They look like the following.
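The difference between the two checks, as an added illustration that is not SAP's code and not the UME API: the application asks whether the user holds the action (capability) it needs, so a custom role carrying that action passes, while a role-name check would reject every custom role. The action names and the role-to-action mapping below are constructed placeholders; only SAP_XI_APPL_SERV_USER is a real role name from the post.

```java
import java.util.Map;
import java.util.Set;

/**
 * Added example (not SAP code): a capability check versus a role-name check.
 * ROLE_ACTIONS stands in for the UME role definitions; the action strings are
 * hypothetical placeholders, not real UME action identifiers.
 */
public class ActionCheckDemo {
    // Hypothetical action that the proxy call is assumed to require.
    static final String CALL_PROXY = "xi.appl.serv.user.call_proxy";

    // Constructed role -> actions mapping.
    static final Map<String, Set<String>> ROLE_ACTIONS = Map.of(
        "SAP_XI_APPL_SERV_USER", Set.of(CALL_PROXY, "xi.appl.serv.user.monitor"),
        "Z_XI_PROXY_CALLER",     Set.of(CALL_PROXY),                   // custom role: only what the interface needs
        "Z_XI_MONITOR_ONLY",     Set.of("xi.appl.serv.user.monitor")   // custom role without the action
    );

    /** The assumption the post started from: coupling the check to a role name. */
    static boolean allowedByRoleName(Set<String> userRoles) {
        return userRoles.contains("SAP_XI_APPL_SERV_USER");
    }

    /** The capability check: does any of the user's roles carry the required action? */
    static boolean allowedByAction(Set<String> userRoles, String action) {
        return userRoles.stream()
            .map(role -> ROLE_ACTIONS.getOrDefault(role, Set.of()))
            .anyMatch(actions -> actions.contains(action));
    }

    public static void main(String[] args) {
        Set<String> proxyUser   = Set.of("Z_XI_PROXY_CALLER");
        Set<String> monitorUser = Set.of("Z_XI_MONITOR_ONLY");

        // A name check rejects the valid custom role; an action check accepts it.
        System.out.println("by role name, Z_XI_PROXY_CALLER: " + allowedByRoleName(proxyUser));
        System.out.println("by action,    Z_XI_PROXY_CALLER: " + allowedByAction(proxyUser, CALL_PROXY));
        // A custom role that lacks the action is correctly refused.
        System.out.println("by action,    Z_XI_MONITOR_ONLY: " + allowedByAction(monitorUser, CALL_PROXY));
    }
}
```

The practical consequence is the one the post draws: a custom role only has to reproduce the actions the application checks for, which is what the export, modify and import cycle on the UME role is used for.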

[Image: Role actions]

There does not seem to be a copy button on the role. There is an export, modify and import functionality. Watch the 3-minute video to see how it works.

      Michael Shea

      We refer to the capabilities as actions in the case of UME roles. These may be UME actions or standard Java security roles. See the documentation:

      Authorization Concept of the AS Java - Identity Management - SAP Library

      Tobias Hofmann

      Depending on the Java application, AS Java can demand that your user is part of a specific group / security role. Using actions is not mandatory for Java developers to secure their application.

      Daniel Graversen

      Ok, so I did not do anything wrong when I was not using actions.

      But this application is using the action.

      Frank Koehntopp

      Happy to see you in Security, Daniel!

      The text file export is a powerful tool for Java role management, as you can do role definition & assignment in one go.

      The actions in UME roles usually correspond to application functionality that can be identified by the name of the actions (exceptions confirming the rule) 😉

      If you have identified the actions you can customize the role by only including required actions in the role and create variations for special requirements.

      Be sure to watch out for new or changed actions when implementing support packs!
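The support-pack caveat above can be turned into a routine check. The following is an added example, not SAP's code and not a parser for the real UME export format: given the action list of a standard role before and after a support pack, and the custom roles that were derived from it, it reports the actions the custom roles now lack and the actions they still grant although the standard role dropped them. All role and action names are constructed placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example (not SAP code): detect action drift between a standard role
 * and the custom roles derived from it after a support pack. The snapshots
 * would in practice come from the role export before and after the upgrade;
 * here they are constructed inline.
 */
public class ActionDriftCheck {
    // Constructed snapshots of the standard role's actions (hypothetical names).
    static final Map<String, Set<String>> STANDARD_BEFORE = Map.of(
        "STD_ROLE_A", Set.of("app.call_proxy", "app.monitor")
    );
    static final Map<String, Set<String>> STANDARD_AFTER = Map.of(
        "STD_ROLE_A", Set.of("app.call_proxy", "app.monitor", "app.cache_refresh")
    );

    // Custom roles with the standard role they were derived from and their actions.
    record CustomRole(String name, String derivedFrom, Set<String> actions) {}

    static final List<CustomRole> CUSTOM_ROLES = List.of(
        new CustomRole("Z_ROLE_A_FULL",    "STD_ROLE_A", Set.of("app.call_proxy", "app.monitor")),
        new CustomRole("Z_ROLE_A_MONITOR", "STD_ROLE_A", Set.of("app.monitor", "app.legacy_export"))
    );

    /** One report line per custom role whose actions no longer match its base role. */
    static List<String> driftReport(Map<String, Set<String>> before,
                                    Map<String, Set<String>> after,
                                    List<CustomRole> customRoles) {
        List<String> report = new ArrayList<>();
        for (CustomRole custom : customRoles) {
            Set<String> oldStd = before.getOrDefault(custom.derivedFrom(), Set.of());
            Set<String> newStd = after.getOrDefault(custom.derivedFrom(), Set.of());

            // Actions the standard role gained with the support pack.
            Set<String> added = new TreeSet<>(newStd);
            added.removeAll(oldStd);
            // Actions the standard role lost with the support pack.
            Set<String> removed = new TreeSet<>(oldStd);
            removed.removeAll(newStd);

            // New standard actions the custom role does not carry: functionality may break.
            Set<String> missing = new TreeSet<>(added);
            missing.removeAll(custom.actions());
            // Dropped standard actions the custom role still grants: stale privilege.
            Set<String> stale = new TreeSet<>(removed);
            stale.retainAll(custom.actions());

            if (!missing.isEmpty() || !stale.isEmpty()) {
                report.add(custom.name() + " (from " + custom.derivedFrom() + "): missing=" + missing
                           + " stale=" + stale);
            }
        }
        return report;
    }

    public static void main(String[] args) {
        for (String line : driftReport(STANDARD_BEFORE, STANDARD_AFTER, CUSTOM_ROLES)) {
            System.out.println(line);
        }
    }
}
```

Run against real exports, the "missing" list is the one to review before go-live of a support pack, and the "stale" list is the one to review for privileges the standard role no longer considers necessary.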

      Daniel Graversen

      Hi Frank,

      I don't think I'll be making it a habit to update in the security area, but you never know what is next.

      Yes, I can see that it creates a problem when upgrading. I guess that it is the same for ABAP roles/profiles, where you can get more information. Though most authentication guys will not know about it on ABAP because it is something with PI or portal that we don't want to deal with.

      Former Member

      What you must also be careful of is that these actions assigned to the SAP standard roles translate into PFCG ABAP roles if the UME engine is pointing to the default ABAP client as it will be in double-stack systems (SOLMAN and PI/XI will have that setup with almost certainty).

      So SAP does not know about your Z-roles (which you will have to create on the ABAP side as well if you want to be able to report nicely on who has which role) and all the documentation / wizards about which role to use on the ABAP side to get the JAVA actions to work will be lost. Webdynpro applications are also (increasingly) using personalizations which are maintained for the standard roles and made available to the users via the assignment on the ABAP stack, so you should think about those personalization keys as well.

      I would tend to suggest that custom roles for double stack based JAVA systems should only be used as "delta" roles if a standard one does not exist. It is certainly easier that way and almost everyone is doing it so you are not alone.


      Daniel Graversen

      Thanks for the assistance. I can see that it will cause some problems with maintenance of the roles.

      Former Member

      @Former Member and Daniel

      So this means it is not recommended to do?

      Because we encountered an issue in the ABAP stack when creating an RFC user.

      The requirement is to create an RFC user in ABAP Stack to connect with Mulesoft but it encountered an issue as we use the custom role. We are not allowed to use the SAP STANDARD role as it was prohibited by our IT Risks manager. (but if SAP Standard role was added to ABAP Stack, it would work)

      But when I add the SAP STANDARD role in the JAVA stack, it automatically updates the ABAP stack. So the SAP role is still present in the RFC user (which is not allowed by our IT RISK Manager).

      Do you have some idea on how I can connect with Mulesoft without assigning any SAP STANDARD role in the ABAP stack?