ACL-Based Authorizations in ES Repository and Integration Directory

 

In both the Enterprise Services Repository and the Integration Directory, you can define more detailed authorizations that restrict access to design and configuration objects according to the ACL-based authorization model.

As objects in both the ES Repository and the Integration Directory are grouped according to specific hierarchies, permissions from a higher hierarchy level are inherited by lower levels.

Example

In the ES Repository, permissions defined for a software component version are by default inherited by all objects of that software component version.


You can define authorizations for the following entities in ES Repository and Integration Directory:

  • In the ES Repository, you can define authorizations for all objects belonging to a software component version and for objects belonging to a namespace.

  • In the Integration Directory, you can define authorizations for folders and for objects belonging to a folder.

You can define permissions for a user, a group, or a role.

Defining a permission means allowing specific actions for the specified user, group, or role.

Permissions in the ES Repository

In the ES Repository, you can assign permissions to users for performing both basic and advanced actions.

Basic actions include: write, execute reports, and edit authorizations.

Advanced actions include:

  • Publish service interfaces

  • Update underlying software component versions

  • Modify classifications

  • Create non-local software component versions

  • Take over change list

  • Generate Java proxy

  • Patch support packages

  • Export

  • Import

  • Transfer

  • Define support packages

Permissions in the Integration Directory

In the Integration Directory, you can assign permissions to users for performing both basic and advanced actions.

Basic actions include: write and edit authorizations.

Advanced actions include:

  • Create object

  • Edit object

  • Delete object

  • Export object

  • Import object

  • Edit folder

  • Delete folder

Interaction with User Management

ACLs defined in the ES Repository and Integration Directory are based on security roles or user groups maintained in an underlying user management or “user management source”.

  • During dual-stack installation of SAP NetWeaver PI, AS ABAP is determined as the user management source. However, you can decide to use another data source for user management after installation.

    More information: UME Data Sources

  • If you have installed an AEX, you can only use the database of AS Java as the user management source. Once the installation has finished, you cannot change the user management configuration.

The activities a user or group of users is allowed to perform on objects of the ES Repository or the Integration Directory depend initially on the authorization assigned in the underlying user management. By defining ACLs in the ES Repository and Integration Directory, these basic authorizations can be further restricted and refined. This principle determines how ACLs interact with the underlying user management.

Note

Note that if your user is only assigned display authorizations in the underlying user management, you can only display ES Repository objects, even if your user is assigned change permissions in the corresponding ACL.

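The following added example (not SAP code and not part of the original documentation) models the two rules described above: ACL permissions are inherited down the object hierarchy, and an ACL can only narrow what the underlying user management already allows. The class names, the action labels "display" and "write", the rule that the nearest level with its own ACL governs, and the rule that an object with no ACL anywhere above it is not further restricted are assumptions made for illustration.

```python
# Conceptual model only: names, data layout and resolution rules are assumptions,
# not SAP's implementation or API.
from dataclasses import dataclass, field

@dataclass
class Node:
    """An object in the hierarchy, e.g. software component version > namespace > object."""
    name: str
    parent: "Node | None" = None
    # ACL on this node: principal (user, group or role name) -> allowed actions.
    # None means the node has no ACL of its own and inherits from its parent.
    acl: "dict[str, set[str]] | None" = None

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    # Actions granted by the underlying user management (the upper bound).
    base_actions: set = field(default_factory=set)

def governing_acl(node):
    """Walk up the hierarchy to the nearest ACL (assumed: nearest level wins)."""
    while node is not None:
        if node.acl is not None:
            return node.acl
        node = node.parent
    return None  # assumed: no ACL anywhere means no additional restriction

def effective_actions(user, node):
    """Base authorizations, narrowed by the ACL that governs the node."""
    acl = governing_acl(node)
    if acl is None:
        return set(user.base_actions)
    principals = {user.name} | user.groups | user.roles
    granted = set()
    for principal, actions in acl.items():
        if principal in principals:
            granted |= actions
    # The ACL can only restrict: anything outside base_actions is dropped.
    return granted & user.base_actions

# Constructed sample data (all names are made up).
swcv = Node("SWCV_DEMO 1.0", acl={"DEVELOPERS": {"display", "write"}})
ns = Node("urn:demo:orders", parent=swcv)
iface = Node("OrderRequest_Out", parent=ns)
locked = Node("urn:demo:finance", parent=swcv, acl={"FIN_TEAM": {"display", "write"}})
viewer = User("alice", groups={"DEVELOPERS"}, base_actions={"display"})
dev = User("bob", groups={"DEVELOPERS"}, base_actions={"display", "write"})
```

Here alice stays display-only on OrderRequest_Out although the inherited ACL lists write for her group, which is the case the note above describes.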

Note

To import or export ES Repository and Integration Directory content, you need at least one of the following roles: SAP_XI_ADMINISTRATOR_J2EE, SAP_XI_CONTENT_ORGANIZER_J2EE, SAP_XI_CMS_SERV_USER.

Defining ACL-Based Authorizations

To activate the ACL-based authorization model, you must configure the relevant property. The procedure depends on the chosen installation option.

  • If you use the dual-stack SAP NetWeaver PI installation: Set the Exchange Profile property com.sap.aii.ib.server.acl.enable to true.

    More information: Creating Users with Data-Dependent Authorizations

  • If you use AEX: Set the Java system property com.sap.aii.ib.server.acl.enable of the service XPI Service: AII Config Service to true.

    Note

    You configure the Java system properties in SAP NetWeaver Administrator under Configuration > Infrastructure > Java System Properties.

In the ES Repository and the Integration Directory, you define these authorizations by positioning the cursor on the object for which you want to define permissions and choosing Edit Authorizations in the context menu.

More information: