It is important that the correct ‘roles’ are specified before assigning the necessary authorizations. Rather than asking ‘what access do I need?’, why not approach it from the opposite direction and ask ‘what do I need to do?’. Each person should have the access they need and no more. It is all too easy to give in and assign the equivalent of SAP_ALL (which I have seen suggested on numerous blog postings) and leave it at that. You then have no idea who is doing what, and the auditors will come down on you like a ton of bricks.


We recently installed a SAP NW PO 7.31 Single Stack landscape and I worked with my company’s authorization team to perfect the roles and identify the necessary authorizations. This is an ongoing process, as we are not using BPM/BRM at the moment, so I know we have more work to do. Anyway, we identified four specific roles:

  • Administrator – System administration, governance, transports, support and also development
  • Developer – The name says it all!!
  • Display – Used by process specialists and support teams providing very limited access
  • Service Account – Used by the integration processes to authenticate.

I have intentionally left out our technical teams – security and basis. Those roles were developed separately. The next challenge was identifying the authorizations. The process has been a little hit and miss at times and required testing with the various teams. In the end, what we came up with is shown below. I have to say that the SAP documentation was very good (once I found it) and I have included all the relevant links below.

DEVELOPER

  • SAP_SLD_GUEST – Read-only access to the SLD.
  • SAP_XI_DEVELOPER_J2EE – Developer role.
  • SAP_XI_APPL_SERV_USER – Service user role. Added because one of our third-party adapters uses this role and it is useful for testing.
  • SAP_JAVA_WSNAVIGATOR – Allows access to the SAP Web Services Navigator to test developments.
  • SERVICES_REGISTRY_READ_WRITE – Access to the Services Registry to read and write entries.
  • SAP_PI_B2B_TPM_ADMIN – Allows the end user to maintain Trading Partner Profiles in the B2B Integration Cockpit.
  • SAP_PI_B2B_NRO_ADMIN – Allows the user to maintain number ranges.
  • XiDir_**_Dir_Profile, XiRep_***_Rep_Profile – Roles to control access to objects in the Repository and Directory. Not used in development, but in all other systems they restrict access to existing Integration Directory objects only, so that only post-transport configuration is possible.
ADMINISTRATOR

  • SAP_SLD_ADMINISTRATOR – Full access to the SLD.
  • SAP_XI_DEVELOPER_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_CONTENT_ORGANIZER_J2EE, SAP_XI_ADMINISTRATOR_J2EE – Developer roles.
  • SAP_XI_APPL_SERV_USER – Service user role. Added because one of our third-party adapters uses this role and it is useful for testing.
  • SAP_XI_API_DEVELOP_J2EE – Allows the consumption of the PO APIs.
  • SAP_JAVA_WSNAVIGATOR – Allows access to the SAP Web Services Navigator to test developments.
  • SERVICES_REGISTRY_TECHNICAL_ADMINISTRATOR – Full access to the Services Registry.
  • SAP_PI_B2B_SUPERADMIN_J2EE, SAP_PI_B2B_TPM_ADMIN – Access to all B2B functions.
  • NWA_SUPERADMIN – Access to NWA for administration purposes.
  • XiDir_**_Dir_Profile, XiRep_***_Rep_Profile – Roles to control access to objects in the Repository and Directory. Not used in development, but in all other systems they restrict access to existing Integration Directory objects only, so that only post-transport configuration is possible.
SUPPORT ACCOUNT

  • SAP_XI_DISPLAY_USER_J2EE – Access to the Java stack, display purposes only.
  • SAP_XI_MONITOR_J2EE – View messages in the Message Monitor.

SERVICE ACCOUNT

  • SAP_XI_APPL_SERV_USER – Service user role.
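Once the bundles above are agreed, the remaining risk is drift: a user picks up an extra role during a support call, a service account is given an administrator role "just to get it working", or SAP_ALL slips in after all. The script below is an added example (not part of the original post and not an SAP tool) that compares each user's assigned roles with the bundle for their function and reports excess roles, missing roles and catch-all roles. The role names are taken from the lists above; the "user;function;roles" listing format, the user IDs and the software-component name SC1 are constructed for the example, and the ** / *** masks in the XiDir/XiRep role names are represented by a single "*" glob.

```python
"""Least-privilege audit of PO user role assignments (added example).

Compares each user's assigned UME roles against the role bundle defined for
their function (Developer, Administrator, Support, Service Account) and reports
roles outside the bundle, roles missing from it, and catch-all roles such as
SAP_ALL. The listing format and the sample users are constructed for this
example; the role names come from the post.
"""
import fnmatch

# Role bundles as listed in the post. The post masks part of the XiDir/XiRep
# role names with ** / ***; a single "*" glob stands in for that here.
ROLE_BUNDLES = {
    "Developer": {
        "SAP_SLD_GUEST", "SAP_XI_DEVELOPER_J2EE", "SAP_XI_APPL_SERV_USER",
        "SAP_JAVA_WSNAVIGATOR", "SERVICES_REGISTRY_READ_WRITE",
        "SAP_PI_B2B_TPM_ADMIN", "SAP_PI_B2B_NRO_ADMIN",
        "XiDir_*_Dir_Profile", "XiRep_*_Rep_Profile",
    },
    "Administrator": {
        "SAP_SLD_ADMINISTRATOR", "SAP_XI_DEVELOPER_J2EE",
        "SAP_XI_CONFIGURATOR_J2EE", "SAP_XI_CONTENT_ORGANIZER_J2EE",
        "SAP_XI_ADMINISTRATOR_J2EE", "SAP_XI_APPL_SERV_USER",
        "SAP_XI_API_DEVELOP_J2EE", "SAP_JAVA_WSNAVIGATOR",
        "SERVICES_REGISTRY_TECHNICAL_ADMINISTRATOR",
        "SAP_PI_B2B_SUPERADMIN_J2EE", "SAP_PI_B2B_TPM_ADMIN", "NWA_SUPERADMIN",
        "XiDir_*_Dir_Profile", "XiRep_*_Rep_Profile",
    },
    "Support": {"SAP_XI_DISPLAY_USER_J2EE", "SAP_XI_MONITOR_J2EE"},
    "Service Account": {"SAP_XI_APPL_SERV_USER"},
}

# Catch-all roles that should never be granted on the PO system, whatever the
# user's function. SAP_ALL is the one the post warns about.
FORBIDDEN_ROLES = {"SAP_ALL"}


def _matches_any(role, patterns):
    """True if the role name matches at least one of the glob patterns."""
    return any(fnmatch.fnmatchcase(role, p) for p in patterns)


def parse_export(text):
    """Parse a constructed 'user;function;role1,role2,...' listing.

    Returns a list of (user, function, set_of_roles). Blank lines and lines
    starting with '#' are ignored. This format is an assumption made for the
    example, not a real UME export format.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, function, roles = line.split(";")
        rows.append((user, function, {r.strip() for r in roles.split(",") if r.strip()}))
    return rows


def audit_user(user, function, assigned):
    """Compare one user's roles with the bundle for their function."""
    bundle = ROLE_BUNDLES[function]
    return {
        "user": user,
        "function": function,
        # assigned roles that no bundle entry accounts for -> excess privilege
        "excess": sorted(r for r in assigned if not _matches_any(r, bundle)),
        # bundle entries no assigned role satisfies -> user cannot do their job
        "missing": sorted(p for p in bundle
                          if not any(fnmatch.fnmatchcase(r, p) for r in assigned)),
        # catch-all roles, reported separately because they need immediate action
        "forbidden": sorted(r for r in assigned if r in FORBIDDEN_ROLES),
    }


def audit_all(rows):
    """Return findings only for users that deviate from their bundle."""
    findings = []
    for user, function, assigned in rows:
        result = audit_user(user, function, assigned)
        if result["excess"] or result["missing"] or result["forbidden"]:
            findings.append(result)
    return findings


# Constructed sample listing; user IDs and the software-component name SC1 are
# made up for this example.
SAMPLE_EXPORT = """
# user;function;roles
dev01;Developer;SAP_SLD_GUEST,SAP_XI_DEVELOPER_J2EE,SAP_XI_APPL_SERV_USER,SAP_JAVA_WSNAVIGATOR,SERVICES_REGISTRY_READ_WRITE,SAP_PI_B2B_TPM_ADMIN,SAP_PI_B2B_NRO_ADMIN,XiDir_SC1_Dir_Profile,XiRep_SC1_Rep_Profile
dev02;Developer;SAP_ALL,SAP_XI_DEVELOPER_J2EE,SAP_XI_APPL_SERV_USER,SAP_JAVA_WSNAVIGATOR,SERVICES_REGISTRY_READ_WRITE,SAP_PI_B2B_TPM_ADMIN,SAP_PI_B2B_NRO_ADMIN,XiDir_SC1_Dir_Profile,XiRep_SC1_Rep_Profile
svc_b2b;Service Account;SAP_XI_APPL_SERV_USER,SAP_XI_ADMINISTRATOR_J2EE
support01;Support;SAP_XI_DISPLAY_USER_J2EE
"""

if __name__ == "__main__":
    for f in audit_all(parse_export(SAMPLE_EXPORT)):
        print(f"{f['user']} ({f['function']}): excess={f['excess']} "
              f"missing={f['missing']} forbidden={f['forbidden']}")
```

Run against the sample, dev01 is clean, dev02 is flagged for SAP_ALL (as both excess and forbidden) and for the missing SAP_SLD_GUEST, the service account is flagged for the administrator role it should not carry, and support01 is flagged as missing the monitor role. Running this regularly against a real user listing turns the "need and no more" principle into something you can show an auditor.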

Reference Material

  • SAP NetWeaver Security Guide
  • User Management and Authorization Concepts (AEX)
  • Role-Based Authorizations in ES Repository and Integration Directory
  • Business Rules Management Security Guide
  • Business Process Management Security Guide
