Dialog Users
Dialog users represent human users (as opposed to service users), who log on through the various UIs of the Integration Builder, System Landscape Directory, and Runtime Workbench. Dialog users are generally maintained in SAP NetWeaver usage type Application Server ABAP. A session-based single sign-on is supported.
The roles for the different dialog users displayed in the following table are predefined and shipped. Each role includes at least display authorizations for all PI components.
Dialog User Roles in a PI Landscape
Dialog User Role | Description |
SAP_XI_DISPLAY_USER | Read-only access to Integration Directory and Integration Repository |
SAP_XI_SUPPORT | Read-only access to Integration Directory and Integration Repository, and to specific administration pages (see below) of the Integration Server’s J2EE engine. This role is required for SAP support using Solution Manager Diagnostics (SMD). |
SAP_XI_DEVELOPER | Design and development of integration processes |
SAP_XI_CONFIGURATOR | Configuration of business integration content |
SAP_XI_CONTENT_ORGANIZER | Maintenance of System Landscape Directory content |
SAP_XI_MONITOR | Monitoring of PI components and messages |
SAP_XI_MONITOR_ENHANCED | Monitoring of PI components and messages, as well as message editing |
SAP_XI_ADMINISTRATOR | Technical configuration and administration of PI |
To see further details on these roles, call the Role Maintenance transaction (PFCG).
Each role is a composite role consisting of an ABAP role (with suffix _ABAP) that is only relevant when the dialog user executes an ABAP application, and a J2EE role (with suffix _J2EE) relevant for J2EE applications such as the Integration Repository or the Integration Directory. The roles are propagated to user groups of the user management engine (UME), which are then assigned to security roles for Java applications by using the Security Provider service of the Visual Administrator.
For information on how to enable more detailed authorization concepts for the Integration Repository, the Integration Directory, or message monitoring, see Further Security Tasks and Topics.

All these roles are security-relevant and should be assigned to dialog users only restrictively.
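One way to review role assignments against this guidance, as an added example that is not part of the original documentation: it reads a user-to-role export and flags administrator holders, accumulation of change-capable roles, and redundant display roles. The two-column CSV layout, the tier ranking of the roles, the `max_change_roles` threshold, and the user names are assumptions of this example.

```python
import csv
import io

# Role names are from the table above; the tier numbers are this example's
# own ranking of the role descriptions (assumption): 0 read-only ... 3 admin.
ROLE_TIER = {
    "SAP_XI_DISPLAY_USER": 0, "SAP_XI_SUPPORT": 0, "SAP_XI_MONITOR": 1,
    "SAP_XI_MONITOR_ENHANCED": 2, "SAP_XI_DEVELOPER": 2,
    "SAP_XI_CONFIGURATOR": 2, "SAP_XI_CONTENT_ORGANIZER": 2,
    "SAP_XI_ADMINISTRATOR": 3,
}

def composite(role):
    """Map a part role (suffix _ABAP or _J2EE) back to its composite role."""
    for suffix in ("_ABAP", "_J2EE"):
        if role.endswith(suffix):
            return role[: -len(suffix)]
    return role

def audit(export_csv, max_change_roles=1):
    """Return sorted (user, finding) tuples for a user,role CSV export."""
    held = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        role = composite(row["role"].strip().upper())
        if role in ROLE_TIER:  # ignore roles this page does not describe
            held.setdefault(row["user"].strip().upper(), set()).add(role)
    findings = []
    for user, roles in held.items():
        if "SAP_XI_ADMINISTRATOR" in roles:
            findings.append((user, "holds SAP_XI_ADMINISTRATOR"))
        change = sorted(r for r in roles if ROLE_TIER[r] == 2)
        if len(change) > max_change_roles:
            findings.append((user, "accumulates " + ", ".join(change)))
        if "SAP_XI_DISPLAY_USER" in roles and len(roles) > 1:
            findings.append((user, "SAP_XI_DISPLAY_USER is redundant"))
    return sorted(findings)

# Constructed sample export; the user names are made up.
SAMPLE = """user,role
alice,SAP_XI_DEVELOPER
alice,SAP_XI_CONFIGURATOR
alice,SAP_XI_DISPLAY_USER
bob,SAP_XI_MONITOR
carol,SAP_XI_ADMINISTRATOR_J2EE
dave,SAP_XI_SUPPORT
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

The display role is reported as redundant because each predefined role already includes at least display authorizations for all PI components.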
Administration Pages with Read-Access Relevant to Role SAP_XI_SUPPORT
Name in SMD | URL on J2EE Engine |
Exchange Profile | http://<host:port>/exchangeProfile |
Admin | http://<host:port>/rep/support/admin/index.html |
Aii-Properties | http://<host:port>/rep/support/public/ViewProperties.jsp |
Lock Overview | http://<host:port>/rep/support/public/LockAdminService |
Cache Overview | http://<host:port>/rep/support/public/ViewCaches |
Java Web Start Admin | http://<host:port>/rep/support/admin/status.html |
General | http://<host:port>/rep/support/info.jsp |
The Partner Connectivity Kit (PCK) offers different security roles that are deployed during the installation of the PCK together with the corresponding J2EE components and that are assigned to the user PCKUSER created during installation. The following table summarizes the security roles in the PCK.
Security Roles in the PCK
Security Role | Description |
Administer | J2EE component sap.com/com.sap.xi.pck*aii_ib_sbeans.jar; with this role you can access the configuration interface. |
Display | J2EE component sap.com/com.sap.xi.mdt*mdt; with this role you can view messages in the message monitor. |
Modify | J2EE component sap.com/com.sap.xi.mdt*mdt; with this role you can modify messages in the message monitor. |
Payload | J2EE component sap.com/com.sap.xi.mdt*mdt; with this role you can view message payloads in the message monitor. |
xi_af_adapter_monitor | J2EE component sap.com/com.sap.aii.af.app*AdapterFramework; with this role you can view the state of individual adapters. |
Support | J2EE component sap.com/com.sap.xi.pck*pck; with this role you can access the PCK Administration from the PCK start page for maintaining PCK configuration parameters. |

If several users are to work with the PCK, create different users for them and assign each user to the specific role required.
