
ACL-Based Authorizations for Service Users

Use

Runtime access of messages regarding SAP PI runtime engines can be granted based on a simple authorization check.

More information: Service Users for Message Exchange

In addition to the simple authorization check, you can define that messages containing a specific (normalized) business system or business component as sender can only be executed by certain users. You do this in the Integration Directory by selecting the Assigned Users tab page for the corresponding business system or business component and specifying the list of users permitted to execute messages. This list is also known as an Access Control List (ACL).

More information: Access Control Using Assigned Users

This security concept can also be used with sender agreements (dual usage type PI) or integrated configurations (Advanced Adapter Engine Extended, AEX for short), for which you can define an ACL in the Integration Directory. At runtime, the sender agreement or integrated configuration is determined and its ACL is checked to see whether it contains the current user. If the ACL is empty, however, no check is made at all.

This also lets you grant authorization at the interface level, since sender agreements and integrated configurations can be defined for specific interfaces.

Note

ACLs are only relevant for certain protocols or adapters. These are:

On the Integration Server (only dual usage type PI):

  • XI protocol

  • WS protocol

  • Plain HTTP adapter

  • IDoc adapter

In the Advanced Adapter Engine (dual usage type PI and AEX):

  • XI protocol (not for local message processing)

  • RFC adapter

  • SOAP adapter with Message Protocol XI 3.0

  • HTTP adapter (Advanced Adapter Engine)

  • SOAP adapter

  • RNIF adapters (1.1 and 2.0) (not for local message processing)

  • CIDX adapter (not for local message processing)

  • Business Connector adapter

  • Marketplace adapter

  • IDoc Adapter (Advanced Adapter Engine)

Defining ACL-Based Authorizations for Service Users

To define that messages containing a specific business system or business component as sender can only be executed by certain users, do the following. In the Integration Directory, choose the Assigned Users tab page for the corresponding business system or business component and specify the list of users permitted to execute messages.

More information: Communication Component

If you want to refine the ACL-based authorization with regard to a specific sender interface, assign the authorized users to the sender agreement or integrated configuration that contains the communication component and the interface in the object key.
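The two-level check described above, modelled as a small added example (not SAP code; all component, interface and user names are constructed). It assumes the basic runtime authorization check has already passed and shows the rule that an empty ACL performs no check, plus a helper that lists components left without an ACL.

```python
from dataclasses import dataclass, field

# Constructed model of the ACL check; identifiers below are assumptions.
@dataclass
class Message:
    sender_component: str   # normalized business system / business component
    sender_interface: str   # interface named in the sender agreement / ICO key
    user: str               # service user executing the message


@dataclass
class Directory:
    # ACL per communication component (Assigned Users tab page)
    component_acl: dict = field(default_factory=dict)
    # ACL per sender agreement / integrated configuration, keyed by
    # (component, interface) as in the object key
    sender_agreement_acl: dict = field(default_factory=dict)


def acl_permits(acl, user):
    """Empty or missing ACL: no check is made. Otherwise the user must be listed."""
    return not acl or user in acl


def is_authorized(directory, msg):
    """Component-level ACL first, then the interface-level refinement."""
    if not acl_permits(directory.component_acl.get(msg.sender_component), msg.user):
        return False
    key = (msg.sender_component, msg.sender_interface)
    return acl_permits(directory.sender_agreement_acl.get(key), msg.user)


def unrestricted_components(directory, components):
    """Components with no ACL: any user passing the basic check may send for them."""
    return sorted(c for c in components if not directory.component_acl.get(c))


# Constructed sample directory: BS_ERP is restricted, BS_CRM has no ACL.
SAMPLE_DIRECTORY = Directory(
    component_acl={"BS_ERP": {"PIAPPL_ERP", "PIAPPL_HR"}, "BS_CRM": set()},
    sender_agreement_acl={("BS_ERP", "OrderCreate_Out"): {"PIAPPL_ERP"}},
)

if __name__ == "__main__":
    print(is_authorized(SAMPLE_DIRECTORY, Message("BS_ERP", "OrderCreate_Out", "PIAPPL_HR")))
    print(unrestricted_components(SAMPLE_DIRECTORY, ["BS_ERP", "BS_CRM"]))
```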

More information: