Role-Based Authorizations in ES Repository and Integration Directory

Use

In both the Enterprise Services Repository and the Integration Directory you can define more detailed authorizations that restrict access to design and configuration objects according to the role-based authorization model.

The access authorizations themselves can be defined at the object-type level only (possibly restricted by a selection path). There you can specify each access action either individually as Create, Modify, or Delete for each object type, or as an overall access granting all three access actions.

| Tool | Selection Path | Object Types |
|---|---|---|
| Repository | Software component version → Namespace | All repository objects within a software component, excluding the software component version itself |
| Directory | Partner → Communication Component | partner, communication component, sender channel, receiver channel |
| Directory | Without selection path | configuration scenario, receiver determination, interface determination, sender agreement, receiver agreement |

When you activate the authorization, it is propagated as a user role to the associated User Management Engine (UME) with prefix XIRep. for an Enterprise Services Repository authorization and with prefix XIDir. for an Integration Directory authorization.

If you want to assign a specific authorization to a user, copy an appropriate composite role to a new composite role in ABAP role administration. Then assign the user to this new composite role and attach the specific authorization to the resulting UME group that corresponds to the new ABAP role.

Recommendation

Assign roles according to the least privilege principle, that is, define and assign only those roles that are explicitly needed by the designer or configurator, and nothing else.
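
A review pass for the least-privilege recommendation, as an added example that is not SAP code: it checks constructed authorization definitions and UME role assignments for grants that leave out a selection path where the table above allows one, for overall access, and for too many holders of SAP_XI_ADMINISTRATOR_J2EE (the role this page names for the User Roles menu). The record layout, the role names after the XIRep./XIDir. prefixes, the path strings and the max_admins threshold are assumptions.

```python
from collections import defaultdict

ADMIN_ROLE = "SAP_XI_ADMINISTRATOR_J2EE"  # role that may open Tools -> User Roles
ALL_ACTIONS = {"Create", "Modify", "Delete"}
# Directory object types the table lists under Partner -> Communication Component
PATH_SCOPED = {"partner", "communication component", "sender channel", "receiver channel"}

# Constructed sample data. The record layout, role suffixes and path strings
# are assumptions for this example, not an SAP export format.
AUTHORIZATIONS = [
    {"role": "XIDir.channel_maint", "object_type": "receiver channel",
     "path": "PartnerA/ComponentA", "actions": {"Modify"}},
    {"role": "XIDir.all_channels", "object_type": "sender channel",
     "path": None, "actions": {"Create", "Modify", "Delete"}},
    {"role": "XIRep.ns_design", "object_type": "repository objects",
     "path": "SWCV_1/urn:example:ns", "actions": {"Create", "Modify"}},
    {"role": "XIDir.scenario_full", "object_type": "configuration scenario",
     "path": None, "actions": {"Create", "Modify", "Delete"}},
]
ASSIGNMENTS = [
    ("alice", "XIDir.channel_maint"), ("bob", "XIDir.all_channels"),
    ("erin", "XIRep.ns_design"), ("erin", "XIDir.scenario_full"),
    ("bob", ADMIN_ROLE), ("carol", ADMIN_ROLE), ("dave", ADMIN_ROLE),
]

def review(authorizations, assignments, max_admins=2):
    """Return (finding, role, users) tuples for grants worth a second look."""
    holders = defaultdict(set)
    for user, role in assignments:
        holders[role].add(user)
    findings = []
    for auth in authorizations:
        role = auth["role"]
        users = sorted(holders.get(role, ()))
        # A selection path is possible for Repository objects and for the
        # path-scoped Directory types; leaving it empty widens the grant.
        can_scope = role.startswith("XIRep.") or auth["object_type"] in PATH_SCOPED
        if can_scope and auth["path"] is None:
            findings.append(("no-selection-path", role, users))
        if auth["actions"] >= ALL_ACTIONS:  # overall access: all three actions
            findings.append(("overall-access", role, users))
    admins = sorted(holders.get(ADMIN_ROLE, ()))
    if len(admins) > max_admins:  # max_admins is a local policy choice
        findings.append(("too-many-admins", ADMIN_ROLE, admins))
    return findings

if __name__ == "__main__":
    for finding in review(AUTHORIZATIONS, ASSIGNMENTS):
        print(finding)
```
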

Defining Role-Based Authorizations

To activate the role-based authorization model, you must set exchange profile parameter com.sap.aii.ib.util.server.auth.activation to true.

More information: Creating Users with Data-Dependent Authorizations

In both tools, you define these authorizations by choosing Tools → User Roles from the menu bar. The authorization for this menu option is provided by role SAP_XI_ADMINISTRATOR_J2EE. Grant this role only to a restricted number of administrators.

More information: