Skip to Content

Like we have a sensitive interface and just want to limit access to its payload while can be able to access payload of other interfaces.

We have to activate UME authorization to do it, so once it’s activated users which aren’t assigned any role for message monitoring permission cannot perform any action on messages.

This is the list of provided SAP permission actions:

  • display_all – Permission for displaying the header data of all messages.
  • execute_all – Permission for restarting all messages.
  • cancel_all – Permission for cancelling all messages.
  • payload_all – Permission for displaying the payload of all messages.
  • edit_header_all – Permission for editing the message header.
  • edit_payload_all – Permission for editing the message payload

The list bellow shows the provided SAP roles and the actions which are assigned to them:

  • Role: XiMdt.StandardViewer

Actions:  display_all

  • Role: XiMdt.StandardMonitor

Actions: display_all, execute_all, cancel_all

  • Role: XiMdt.ExtendedMonitor

Actions: display_all, execute_all, cancel_all, payload_all

  • Role: XiMdt.EditHeaderMonitor

Actions: display_all, execute_all, cancel_all, payload_all, edit_header_all

  • Role: XiMdt.EditPayloadMonitor

Actions: display_all, execute_all, cancel_all, payload_all, edit_payload_all

  • Role: XiMdt.EditMonitor

Actions: display_all, execute_all, cancel_all, payload_all, edit_header_all, edit_payload_all

We have 2 users:

User A

User B

Requirement

Allow to view payload of all interfaces

Allow to view payload of all interfaces,

But it’s NOT allow for interface SI_AA_Greeting

Solution

Create a custom role and assign an action payload_all to it, or use one of standard role provided by SAP that has action payload_all such as XiMdt.ExtendedMonitor

Create a custom role that contents 2 actions:

payload_all

+

An action to restrict access payload of interface SI_AA_Greeting

First, activate UME Authorization in NWA > Configuration > Infrastructure > Java System Properties – go to Service tab, and search for “XPI Service: AII Config Service”, then change property “com.sap.aii.rwb.server.auth.UME” to true

Second, open the file “sap.com~com.sap.xi.mdt.actions.ear” (remove extension .txt of the attachment to get an .ear file – the reason is cannot add attached file with .ear) with WinZip/Winrar, then continue opens the inside file “sap.com~com.sap.xi.mdt.actions.ump” with WinZip/Winrar, then update the content of “actions.xml” like this:

<?xml version=”1.0″ encoding=”UTF-8″?>

<BUSINESSSERVICE NAME=”sap.com_com.sap.xi.mdt.actions” >

    <DESCRIPTION LOCALE=”en” VALUE=”Message Monitoring”/>

                <!– Business Service Actions –>

                <ACTION NAME=”payload_all” >

                    <DESCRIPTION LOCALE=”en” VALUE=”Permission for displaying the payload of all messages.”/>

                                <PERMISSION CLASS=”com.sap.aii.mdt.util.MonitoringPermissionExt” NAME=”interfaceName=*” VALUE=”payload”/>

                </ACTION>

                <ACTION NAME=”deny_SI_AA_Greeting” >

                    <DESCRIPTION LOCALE=”en” VALUE=”Permission for editing the message header.”/>

                                <PERMISSION CLASS=”com.sap.aii.mdt.util.MonitoringPermissionExt” NAME=”interfaceName=SI_AA_Greeting” VALUE=”deny_payload”/>

                </ACTION>

                <!– Business Service Default Roles –>

                <ROLE NAME=”XiMdtCustom.SI_AA_Greeting” >

                                <DESCRIPTION LOCALE=”en” VALUE=”Deny SI_AA_Greeting”/>

                                <ASSIGNEDACTION NAME=”payload_all” />

                                <ASSIGNEDACTION NAME=”deny_SI_AA_Greeting” />

                </ROLE>

</BUSINESSSERVICE>

After saving the actions.xml file follow WinZip/Winrar to keep update the container files, so we will get “sap.com~com.sap.xi.mdt.actions.ear” file with our new custom role/actions.

Then deploy the ear file to server, use any tool to deploy it like NWDS.

Final step is assign a new custom role to User B, so we have 2 users with appropriate role:

User A: standard role XiMdt.ExtendedMonitor

User B: custom role XiMdtCustom.SI_AA_Greeting


Testing with User A – with Payload tab

TestingWithUserA_hasAuthorization.JPG


Testing with User B – without Payload tab

TestingWithUserB_noAuthorization.JPG

Now it supports version of PO/PI 7.1 to 7.5, for more detail and keep to date refer to note 1370334.

To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

Leave a Reply