Restrict access to sensitive payloads on Adapter Engine in PI/PO
Suppose we have a sensitive interface and want to limit access to its payload, while users can still view the payload of every other interface.
To do this we have to activate UME authorization for message monitoring. Once it is activated, a user who is not assigned any role carrying message monitoring permissions cannot perform any action on messages, so every monitoring user needs an explicit role.
This is the list of permission actions provided by SAP:
- display_all – Permission for displaying the header data of all messages.
- execute_all – Permission for restarting all messages.
- cancel_all – Permission for cancelling all messages.
- payload_all – Permission for displaying the payload of all messages.
- edit_header_all – Permission for editing the message header.
- edit_payload_all – Permission for editing the message payload.
The list below shows the roles provided by SAP and the actions assigned to them:
- Role: XiMdt.StandardViewer
Actions: display_all
- Role: XiMdt.StandardMonitor
Actions: display_all, execute_all, cancel_all
- Role: XiMdt.ExtendedMonitor
Actions: display_all, execute_all, cancel_all, payload_all
- Role: XiMdt.EditHeaderMonitor
Actions: display_all, execute_all, cancel_all, payload_all, edit_header_all
- Role: XiMdt.EditPayloadMonitor
Actions: display_all, execute_all, cancel_all, payload_all, edit_payload_all
- Role: XiMdt.EditMonitor
Actions: display_all, execute_all, cancel_all, payload_all, edit_header_all, edit_payload_all
We have 2 users:
- User A: allowed to view the payload of all interfaces.
- User B: allowed to view the payload of all interfaces, but NOT the payload of interface SI_AA_Greeting.
The roles we need for them:
- User A: create a custom role and assign the action payload_all to it, or use one of the standard roles provided by SAP that has the action payload_all, such as XiMdt.ExtendedMonitor.
- User B: create a custom role that contains 2 actions: payload_all, and an action that restricts access to the payload of interface SI_AA_Greeting.
First, activate UME authorization: in NWA go to Configuration > Infrastructure > Java System Properties, open the Services tab, search for "XPI Service: AII Config Service" and change the property com.sap.aii.rwb.server.auth.UME to true.
Second, open the file sap.com~com.sap.xi.mdt.actions.ear with WinZip/WinRAR (the attachment carries a .txt extension because .ear files cannot be attached; remove the .txt to get the .ear file). Inside it, open the file sap.com~com.sap.xi.mdt.actions.ump, also with WinZip/WinRAR, and update the content of its actions.xml by adding a deny action and a custom role. The SAP actions and roles that are already in the file (display_all, execute_all, the XiMdt.* roles and so on) are omitted below but must stay in place, otherwise the standard roles stop working. The relevant part of the file then looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<BUSINESSSERVICE NAME="sap.com_com.sap.xi.mdt.actions">
  <DESCRIPTION LOCALE="en" VALUE="Message Monitoring"/>
  <!-- Business Service Actions -->
  <ACTION NAME="payload_all">
    <DESCRIPTION LOCALE="en" VALUE="Permission for displaying the payload of all messages."/>
    <PERMISSION CLASS="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=*" VALUE="payload"/>
  </ACTION>
  <ACTION NAME="deny_SI_AA_Greeting">
    <DESCRIPTION LOCALE="en" VALUE="Deny displaying the payload of interface SI_AA_Greeting."/>
    <PERMISSION CLASS="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=SI_AA_Greeting" VALUE="deny_payload"/>
  </ACTION>
  <!-- Business Service Default Roles -->
  <ROLE NAME="XiMdtCustom.SI_AA_Greeting">
    <DESCRIPTION LOCALE="en" VALUE="Deny SI_AA_Greeting"/>
    <ASSIGNEDACTION NAME="payload_all"/>
    <ASSIGNEDACTION NAME="deny_SI_AA_Greeting"/>
  </ROLE>
</BUSINESSSERVICE>
After saving actions.xml, let WinZip/WinRAR update the containing archives (first the .ump, then the .ear), so that we get a sap.com~com.sap.xi.mdt.actions.ear file with our new custom role and action.
Then deploy the .ear file to the server with any deployment tool, for example NWDS. Keep the modified file: the .ear is an SAP-delivered deployable, so a later support package or patch of the component can redeploy the original actions.xml and drop the custom action and role, and the restriction has to be re-applied and re-tested after such an upgrade.
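The same edit can be scripted instead of done by hand in WinZip/WinRAR, which also makes it easy to re-apply after an upgrade. The script below is an added example, not part of the original post and not SAP code. It assumes that the .ear and the .ump inside it are plain zip archives (which is why WinZip can open them), that the element and attribute names follow the actions.xml fragment above (permission class com.sap.aii.mdt.util.MonitoringPermissionExt, VALUE "deny_payload"), and it uses a constructed, much shorter actions.xml as stand-in for the shipped file so that it runs offline. It adds the deny action next to the existing actions and the custom role next to the existing roles, leaves every other entry of both archives untouched, and does nothing if run a second time.

```python
"""Patch actions.xml inside sap.com~com.sap.xi.mdt.actions.ear with a deny_<interface>
action and a custom role (payload_all + deny). Added example, not SAP code; assumes the
.ear and .ump are plain zip files and the element names match the post's fragment."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

UMP_NAME = "sap.com~com.sap.xi.mdt.actions.ump"
ACTIONS_XML = "actions.xml"
PERM_CLASS = "com.sap.aii.mdt.util.MonitoringPermissionExt"


def parse_actions(actions_xml: bytes) -> ET.Element:
    # insert_comments=True keeps the <!-- ... --> section markers of the shipped file.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(actions_xml, parser=parser)
    if root.tag != "BUSINESSSERVICE":
        raise ValueError("not a UME actions.xml, root element is %r" % root.tag)
    return root


def _insert_after_last(root: ET.Element, tag: str, new: ET.Element) -> None:
    # Keep ACTIONs grouped with ACTIONs and ROLEs with ROLEs instead of appending blindly.
    positions = [i for i, child in enumerate(root) if child.tag == tag]
    root.insert(positions[-1] + 1 if positions else len(root), new)


def add_deny_role(actions_xml: bytes, interface: str, role: str) -> bytes:
    """Return actions.xml with deny_<interface> and the custom role added.
    Existing SAP actions/roles stay untouched; a second run adds nothing."""
    root = parse_actions(actions_xml)
    deny = "deny_" + interface
    actions = {a.get("NAME") for a in root.findall("ACTION")}
    if "payload_all" not in actions:
        raise ValueError("payload_all is missing: wrong actions.xml?")
    if deny not in actions:
        act = ET.Element("ACTION", NAME=deny)
        ET.SubElement(act, "DESCRIPTION", LOCALE="en",
                      VALUE="Deny displaying the payload of %s." % interface)
        ET.SubElement(act, "PERMISSION", CLASS=PERM_CLASS,
                      NAME="interfaceName=" + interface, VALUE="deny_payload")
        _insert_after_last(root, "ACTION", act)
    if role not in {r.get("NAME") for r in root.findall("ROLE")}:
        rl = ET.Element("ROLE", NAME=role)
        ET.SubElement(rl, "DESCRIPTION", LOCALE="en", VALUE="Deny " + interface)
        ET.SubElement(rl, "ASSIGNEDACTION", NAME="payload_all")
        ET.SubElement(rl, "ASSIGNEDACTION", NAME=deny)
        _insert_after_last(root, "ROLE", rl)
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _rewrite_member(archive: bytes, member: str, transform) -> bytes:
    """Copy a zip, passing one member through transform(); every other entry
    and its metadata (timestamp, compression) is copied as is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, zipfile.ZipFile(out, "w") as dst:
        if member not in src.namelist():
            raise KeyError("%s not found in archive" % member)
        for info in src.infolist():
            data = src.read(info)
            dst.writestr(info, transform(data) if info.filename == member else data)
    return out.getvalue()


def rewrite_ear(ear: bytes, interface: str, role: str) -> bytes:
    """Rebuild the .ear; the .ump inside it is rebuilt with the patched actions.xml."""
    patch_xml = lambda xml: add_deny_role(xml, interface, role)
    return _rewrite_member(ear, UMP_NAME, lambda ump: _rewrite_member(ump, ACTIONS_XML, patch_xml))


def read_actions_xml(ear: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(ear)) as e, zipfile.ZipFile(io.BytesIO(e.read(UMP_NAME))) as u:
        return u.read(ACTIONS_XML)


def action_names(actions_xml: bytes) -> list:
    return [a.get("NAME") for a in parse_actions(actions_xml).findall("ACTION")]


def role_actions(actions_xml: bytes, role: str) -> list:
    roles = {r.get("NAME"): r for r in parse_actions(actions_xml).findall("ROLE")}
    return [a.get("NAME") for a in roles[role].findall("ASSIGNEDACTION")] if role in roles else []


def permission_of(actions_xml: bytes, action: str):
    """(NAME, VALUE) of the action's PERMISSION element, None if the action is absent."""
    for a in parse_actions(actions_xml).findall("ACTION"):
        if a.get("NAME") == action:
            return (a.find("PERMISSION").get("NAME"), a.find("PERMISSION").get("VALUE"))
    return None


# Constructed stand-in for the shipped actions.xml: one SAP action and one SAP role only.
SAMPLE_ACTIONS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<BUSINESSSERVICE NAME="sap.com_com.sap.xi.mdt.actions">
  <DESCRIPTION LOCALE="en" VALUE="Message Monitoring"/>
  <!-- Business Service Actions -->
  <ACTION NAME="payload_all">
    <DESCRIPTION LOCALE="en" VALUE="Permission for displaying the payload of all messages."/>
    <PERMISSION CLASS="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=*" VALUE="payload"/>
  </ACTION>
  <!-- Business Service Default Roles -->
  <ROLE NAME="XiMdt.ExtendedMonitor">
    <ASSIGNEDACTION NAME="payload_all"/>
  </ROLE>
</BUSINESSSERVICE>
"""


def build_sample_ear() -> bytes:
    """Constructed two-level archive (.ear containing the .ump) for offline runs."""
    ump, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(ump, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(ACTIONS_XML, SAMPLE_ACTIONS_XML)
    with zipfile.ZipFile(ear, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/application.xml", b"<application/>\n")  # placeholder entry
        z.writestr(UMP_NAME, ump.getvalue())
    return ear.getvalue()


if __name__ == "__main__":
    # Usage: python patch_mdt_ear.py in.ear out.ear ; without arguments the sample ear is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) == 3 else build_sample_ear()
    patched = rewrite_ear(data, "SI_AA_Greeting", "XiMdtCustom.SI_AA_Greeting")
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(patched)
    else:
        print(read_actions_xml(patched).decode("utf-8"))
```

Run it on the real sap.com~com.sap.xi.mdt.actions.ear and deploy the output exactly as described for the hand-edited file; the interface name and role name are parameters, so the same script serves any further interface that needs the restriction.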
The final step is to assign the new custom role to User B, so that the 2 users have the appropriate roles:
– User A: standard role XiMdt.ExtendedMonitor
– User B: custom role XiMdtCustom.SI_AA_Greeting
Note that the custom role carries only the payload_all and deny_SI_AA_Greeting actions. If User B should also display headers, restart or cancel messages, those actions have to come from somewhere as well, for example by assigning XiMdt.StandardMonitor in addition or by adding the corresponding actions to the custom role.
Testing with User A: the Payload tab is shown for every message.
Testing with User B: for a message of interface SI_AA_Greeting the Payload tab is not shown, while it is still available for other interfaces.
This works on PI/PO 7.1 up to 7.5; for more details and the current state of the feature refer to SAP Note 1370334.