It is important that the correct 'roles' are specified before assigning the necessary authorizations. Rather than asking 'what access do I need', why not approach it from the opposite direction and ask 'what do I need to do'? It is important that each person has the access they need and no more. It is all too easy to give in and assign the equivalent of SAP_ALL (which I have seen suggested on numerous blog postings) and leave it at that. You then have no idea who is doing what, and the auditors will come down on you like a ton of bricks.
We recently installed a SAP NW PO 7.31 Single Stack landscape and I worked with my company's authorization team to perfect the roles and identify the necessary authorizations. This is an ongoing process as we are not using BPM/BRM at the moment, so I know we have more work to do. Anyway, we identified four specific roles: Developer, Administrator, Support Account and Service Account.
I have intentionally left out our technical teams (security and basis); those roles were developed separately. The next challenge was identifying the authorizations. The process has been a little hit and miss at times and required testing with the various teams. In the end, what we came up with is shown below. I have to say that the SAP documentation was very good (once I found it) and I have included all the relevant links below.
DEVELOPER | Purpose |
---|---|
SAP_SLD_GUEST | Read-only access to the SLD. |
SAP_XI_DEVELOPER_J2EE | Developer role. |
SAP_XI_APPL_SERV_USER | Service user role. Added because one of our third-party adapters uses this role and it is useful for testing. |
SAP_JAVA_WSNAVIGATOR | Allows access to the SAP Web Services Navigator to test developments. |
SERVICES_REGISTRY_READ_WRITE | Access to the Services Registry to read and write entries. |
SAP_PI_B2B_TPM_ADMIN | Allows the end user to maintain Trading Partner Profiles in the B2B Integration Cockpit. |
SAP_PI_B2B_NRO_ADMIN | Allows the user to maintain Number Ranges. |
XiDir_**_Dir_Profile, XiRep_***_Rep_Profile | Roles that control access to objects in the Repository and Directory. Not used in the development system; in all other systems they restrict access to existing Integration Directory objects so that only post-transport configuration is possible. |

ADMINISTRATOR | Purpose |
---|---|
SAP_SLD_ADMINISTRATOR | Full access to the SLD. |
SAP_XI_DEVELOPER_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_CONTENT_ORGANIZER_J2EE, SAP_XI_ADMINISTRATOR_J2EE | Developer roles. |
SAP_XI_APPL_SERV_USER | Service user role. Added because one of our third-party adapters uses this role and it is useful for testing. |
SAP_XI_API_DEVELOP_J2EE | Allows the consumption of the PO APIs. |
SAP_JAVA_WSNAVIGATOR | Allows access to the SAP Web Services Navigator to test developments. |
SERVICES_REGISTRY_TECHNICAL_ADMINISTRATOR | Full access to the Services Registry. |
SAP_PI_B2B_SUPERADMIN_J2EE, SAP_PI_B2B_TPM_ADMIN | Access to all B2B functions. |
NWA_SUPERADMIN | Access to the NWA for administration purposes. |
XiDir_**_Dir_Profile, XiRep_***_Rep_Profile | Roles that control access to objects in the Repository and Directory. Not used in the development system; in all other systems they restrict access to existing Integration Directory objects so that only post-transport configuration is possible. |

SUPPORT ACCOUNT | Purpose |
---|---|
SAP_XI_DISPLAY_USER_J2EE | Access to the Java stack, display purposes only. |
SAP_XI_MONITOR_J2EE | View messages in the Message Monitor. |

SERVICE ACCOUNT | Purpose |
---|---|
SAP_XI_APPL_SERV_USER | Service user role. |
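One way to turn the matrix above into a recurring least-privilege check, added here as an example and not code from the original post or from SAP: a Python script that compares a user-to-role export against the four business roles and reports anything assigned beyond them, with the broad administrator roles called out separately. The export layout (user,business_role,ume_role) and the sample users are assumptions.

```python
import csv
import io

# UME roles each of the four business roles in the matrix may carry. XiDir_*/XiRep_*
# object-access profiles are matched by prefix; their middle segment is site-specific.
ROLE_MATRIX = {
    "DEVELOPER": {
        "SAP_SLD_GUEST", "SAP_XI_DEVELOPER_J2EE", "SAP_XI_APPL_SERV_USER",
        "SAP_JAVA_WSNAVIGATOR", "SERVICES_REGISTRY_READ_WRITE",
        "SAP_PI_B2B_TPM_ADMIN", "SAP_PI_B2B_NRO_ADMIN"},
    "ADMINISTRATOR": {
        "SAP_SLD_ADMINISTRATOR", "SAP_XI_DEVELOPER_J2EE", "SAP_XI_CONFIGURATOR_J2EE",
        "SAP_XI_CONTENT_ORGANIZER_J2EE", "SAP_XI_ADMINISTRATOR_J2EE",
        "SAP_XI_APPL_SERV_USER", "SAP_XI_API_DEVELOP_J2EE", "SAP_JAVA_WSNAVIGATOR",
        "SERVICES_REGISTRY_TECHNICAL_ADMINISTRATOR", "SAP_PI_B2B_SUPERADMIN_J2EE",
        "SAP_PI_B2B_TPM_ADMIN", "NWA_SUPERADMIN"},
    "SUPPORT ACCOUNT": {"SAP_XI_DISPLAY_USER_J2EE", "SAP_XI_MONITOR_J2EE"},
    "SERVICE ACCOUNT": {"SAP_XI_APPL_SERV_USER"},
}
PROFILE_PREFIXES = ("XiDir_", "XiRep_")
PROFILE_HOLDERS = {"DEVELOPER", "ADMINISTRATOR"}
# Broad-authority roles: an unexpected one is the SAP_ALL-style over-assignment to flag.
HIGH_PRIVILEGE = {"SAP_XI_ADMINISTRATOR_J2EE", "NWA_SUPERADMIN", "SAP_SLD_ADMINISTRATOR",
                  "SAP_PI_B2B_SUPERADMIN_J2EE", "SERVICES_REGISTRY_TECHNICAL_ADMINISTRATOR"}

def audit(export_csv):
    """Map each user to the roles it holds beyond the matrix, the ones it lacks, and the high-risk excess."""
    assigned, business = {}, {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["user"].strip()
        business[user] = row["business_role"].strip()
        assigned.setdefault(user, set()).add(row["ume_role"].strip())
    findings = {}
    for user, roles in assigned.items():
        allowed = ROLE_MATRIX.get(business[user], set())  # unknown business role: allow nothing
        profiles_ok = business[user] in PROFILE_HOLDERS
        excess = {r for r in roles if r not in allowed
                  and not (profiles_ok and r.startswith(PROFILE_PREFIXES))}
        findings[user] = {"excess": excess, "missing": allowed - roles,
                          "high_risk": excess & HIGH_PRIVILEGE}
    return findings

# Constructed sample export with hypothetical users; not data from the post.
SAMPLE_EXPORT = """user,business_role,ume_role
dev01,DEVELOPER,SAP_XI_DEVELOPER_J2EE
dev01,DEVELOPER,SAP_XI_ADMINISTRATOR_J2EE
dev01,DEVELOPER,XiDir_PRD_Dir_Profile
sup01,SUPPORT ACCOUNT,SAP_XI_DISPLAY_USER_J2EE
svc_b2b,SERVICE ACCOUNT,SAP_XI_APPL_SERV_USER
"""
```

Running `audit(SAMPLE_EXPORT)` reports the developer holding SAP_XI_ADMINISTRATOR_J2EE as high-risk excess while accepting the XiDir_ profile, and shows the support account missing its monitor role.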
Reference Material
User Management and Authorization Concepts (AEX)
Role-Based Authorizations in ES Repository and Integration Director