When working with the SAP CPI (Cloud Platform Integration) you automatically come in touch with some of the standard roles in SAP CPI. Latest when you configure an IFlow with a SOAP sender you have seen the ESBMessaging.send-role which is preset as needed user role to send data to the interface.

But what if you want to use another role? What if you want to group your interfaces, so that the HR team for example can only send to their interfaces? For this case, you can create custom roles in SAP CPI which not only can be used in the sender channels but also for additional authorization checks, when combined with the Authorization Management API.

How to create custom SAP CPI roles

To create custom roles, you have to open the CPI specific roles management section in the SAP Cloud Platform. There login to http://cloudplatform.sap.com and click through the following path:

Regions --> [Your region] --> [Your global account] --> [Your CPI subaccount] --> Applications/Subscriptions --> [Your tenant]iflmap-application --> Roles



From this screen you can create custom roles via the New Role-button. You can also assign the newly created roles to users or groups from this screen.

How to assign custom SAP CPI roles

As you have seen, you can assign roles directly from the Roles management view as described above. But there is a second place, where you can assign your custom roles to users. Therefore open the Authorizations-view via http://cloudplatform.sap.com:

Regions --> [Your region] --> [Your global account] --> [Your CPI subaccount] --> Security/Authorizations



From this screen you can use your own roles. Choose "avrhcin" as subaccount and "[xxxx]iflmap" as application to be able to choose your own roles in the Assign roles to user-view.

Summary

It is really that easy. You only have to know how to get to the management view, which is a bit hidden. But if you manage to get there you can create your own roles within minutes.