
Creating Users with Data-Dependent Authorizations

Use

You perform the steps described in the following sections to create special user roles with authorizations restricted to specific data.

Prerequisites

You must have created the corresponding authorizations beforehand (see User Roles for further information).

Creating Users and Roles (User Groups)

Perform the following steps to create users and roles in AS-ABAP.


Since ABAP roles are mapped to J2EE user groups, the term role used in an ABAP context means user group in J2EE.


       1.      Use transaction SU01 to create a user, for example XI_TA_DEV.

       2.      Use transaction PFCG to create a role, for example XI_TST_AUTH_DEV.

For example, for a restricted developer role, copy SAP_XI_DEVELOPER completely to sample role XI_TST_AUTH_DEV, but disable the copying of contained *ABAP and *J2EE roles.

       3.      Delete all users from the role created in the previous step.

       4.      Use transaction PFCG to assign the user created in step 1 to the role created in step 2.

Assigning Roles to User Groups

Perform the following steps to assign ABAP roles to J2EE user groups in AS-Java.


       1.      Open the user management administration console from the J2EE Engine start page.

       2.      Choose the role maintenance function, select the new role, and choose Assign groups.

       3.      To obtain a list of groups, choose the plus icon (+).

       4.      Scroll to the user group (corresponding to the ABAP role) of interest and select it.

       5.      Confirm your selection.

       6.      Check and confirm the assignment on the following screen.

Assigning Unrestricted Roles to Predefined User Groups

You must assign an unrestricted tool-specific role, for example XiRep_Unrestricted, to the predefined user groups that have no data-dependent restrictions. Only standard J2EE security then applies to these users. If you do not assign such a role, users of these groups have no permissions at all once the additional data-dependent authorization checks are activated.

Perform the following steps to assign a predefined unrestricted role to standard user groups.


       1.      Open the user management administration console from the J2EE Engine start page.

       2.      Choose the role maintenance function, select the unrestricted role (for example XiRep_Unrestricted), and choose Assign groups.

       3.      To obtain a list of groups, choose the plus icon (+).

       4.      Select the relevant PI user groups (ABAP roles), omit SAP_XI_DEMOAPP, and confirm your selection.
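
The following check is an added example, not part of the SAP documentation. It audits a role-to-group assignment list before the checks are activated and flags predefined groups that would be left without permissions, an unrestricted role on SAP_XI_DEMOAPP, and an unrestricted role on a group meant to be restricted. The dictionary layout and the names Z_EXAMPLE_PI_GROUP and Example_Restricted_Role are assumptions of the example.

```python
# Added example: pre-activation audit of role-to-group assignments.
# The dict layout is an assumption of this example, not an SAP export format.

# Group the procedure says to leave out when assigning the unrestricted role.
OMITTED_GROUPS = {"SAP_XI_DEMOAPP"}


def audit_before_activation(group_roles, unrestricted_roles, restricted_groups):
    """Return sorted (finding, group) pairs to resolve before activation.

    group_roles        -- dict: user group -> set of roles assigned to it
    unrestricted_roles -- set of unrestricted tool-specific roles
    restricted_groups  -- groups created for data-dependent authorizations
    """
    findings = []
    for group, roles in group_roles.items():
        has_unrestricted = bool(set(roles) & set(unrestricted_roles))
        if group in OMITTED_GROUPS:
            if has_unrestricted:
                findings.append(("SHOULD_BE_OMITTED", group))
        elif group in restricted_groups:
            if has_unrestricted:
                # Unrestricted roles are meant for groups without restrictions.
                findings.append(("UNRESTRICTED_ON_RESTRICTED_GROUP", group))
            elif not roles:
                findings.append(("NO_PERMISSIONS", group))
        elif not has_unrestricted:
            # Predefined group that would have no permission after activation.
            findings.append(("NO_PERMISSIONS", group))
    return sorted(findings)


# Constructed sample data. Z_EXAMPLE_PI_GROUP and Example_Restricted_Role are
# hypothetical names; the other names are the ones used in the procedure.
SAMPLE_GROUP_ROLES = {
    "SAP_XI_DEVELOPER": {"XiRep_Unrestricted"},
    "Z_EXAMPLE_PI_GROUP": set(),
    "SAP_XI_DEMOAPP": {"XiRep_Unrestricted"},
    "XI_TST_AUTH_DEV": {"Example_Restricted_Role", "XiRep_Unrestricted"},
}

if __name__ == "__main__":
    for finding, group in audit_before_activation(
        SAMPLE_GROUP_ROLES, {"XiRep_Unrestricted"}, {"XI_TST_AUTH_DEV"}
    ):
        print(f"{finding}: {group}")
```

An empty result means every listed group either holds an unrestricted role or is a restricted group with its own role assigned.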

Activating Data-Dependent Authorization Checks

Perform the following steps to activate the additional, data-dependent authorization checks.


       1.      To access the exchange profile from the Integration Builder start page, choose Administration → Exchange Profile.

       2.      Go to IntegrationBuilder → IntegrationBuilder.Repository and select the property com.sap.aii.util.server.auth.activation.

       3.      Set the property com.sap.aii.util.server.auth.activation to true and Save your settings.

       4.      Choose All Properties to display and Refresh the properties of the Integration Builder.

       5.      Choose All Properties again and verify that the property com.sap.aii.util.server.auth.activation in the list of properties has the correct value.

 
