ACL-Based Authorizations for Service Users

Use

Runtime access to messages for the SAP NetWeaver PI runtime engines can be granted based on a simple authorization check.

More information: Service Users for Message Exchange

In addition to a simple authorization check, you can define that messages containing a specific (normalized) business system or business component as sender can only be executed by certain users. You do this in the Integration Directory by selecting the Assigned Users tab page for the corresponding business system or business component and specifying the list of users permitted to execute messages. This list is also known as an Access Control List (ACL).

More information: Access Control Using Assigned Users

This security concept can also be used with sender agreements, for which you can define an ACL in the Integration Directory. At runtime, the sender agreement is determined and its ACL is checked to see whether it contains the current user. However, no check is made if the ACL is empty.

This also enables you to grant authorization at interface level, since sender agreements can be defined for specific interfaces.

Note

ACLs are only relevant for certain protocols or adapters. These are:

On the Integration Server:

  • XI protocol

  • WS protocol

  • Plain HTTP adapter

  • IDoc adapter

In the Advanced Adapter Engine:

  • XI protocol (not for local message processing)

  • RFC adapter

  • SOAP adapter

  • RNIF adapters (1.1 and 2.0) (not for local message processing)

  • CIDX adapter (not for local message processing)

  • Business Connector adapter

  • Marketplace adapter

In the PCK:

  • XI protocol

  • RFC adapter

  • SOAP adapter

  • Business Connector adapter

  • Marketplace adapter
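
The rules above can be turned into a configuration review. The following Python sketch is an added example, not SAP code: it walks a constructed inventory of sender agreements and reports those whose ACL is empty (so no check is made at runtime) or whose ACL is assigned for an engine and adapter combination outside the list in this note. The record fields, adapter labels, and user names are assumptions and do not represent an Integration Directory export format.

```python
# Engines and protocols/adapters for which this page states ACLs are relevant.
ACL_RELEVANT = {
    "Integration Server": {"XI", "WS", "Plain HTTP", "IDoc"},
    "Advanced Adapter Engine": {"XI", "RFC", "SOAP", "RNIF", "CIDX",
                                "Business Connector", "Marketplace"},
    "PCK": {"XI", "RFC", "SOAP", "Business Connector", "Marketplace"},
}
# Advanced Adapter Engine entries marked "not for local message processing".
NOT_FOR_LOCAL = {"XI", "RNIF", "CIDX"}


def acl_is_relevant(engine, adapter, local=False):
    """True if the page lists this engine/adapter as ACL-relevant."""
    if adapter not in ACL_RELEVANT.get(engine, set()):
        return False
    if engine == "Advanced Adapter Engine" and local and adapter in NOT_FOR_LOCAL:
        return False
    return True


def audit(agreements):
    """Return ((component, interface), finding) for each questionable ACL."""
    findings = []
    for a in agreements:
        key = (a["component"], a["interface"])
        if not acl_is_relevant(a["engine"], a["adapter"], a.get("local", False)):
            if a["acl"]:  # users assigned, but the ACL is not relevant here
                findings.append((key, "ACL_NOT_RELEVANT"))
        elif not a["acl"]:  # empty ACL: no check is made at runtime
            findings.append((key, "ACL_EMPTY_NO_CHECK"))
    return findings


# Constructed sample inventory (hypothetical names, not real configuration).
SAMPLE = [
    {"component": "BS_ERP", "interface": "OrderCreate", "acl": ["SVC_ERP"],
     "engine": "Integration Server", "adapter": "IDoc"},
    {"component": "BS_CRM", "interface": "CustomerSync", "acl": [],
     "engine": "Advanced Adapter Engine", "adapter": "SOAP"},
    {"component": "BC_PARTNER", "interface": "PIP3A4", "acl": ["SVC_PARTNER"],
     "engine": "Advanced Adapter Engine", "adapter": "RNIF", "local": True},
    {"component": "BS_FILE", "interface": "Upload", "acl": ["SVC_FILE"],
     "engine": "Advanced Adapter Engine", "adapter": "File"},
]

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(key, finding)
```
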

Defining ACL-Based Authorizations for Service Users

To define that messages containing a specific business system or business component as sender can only be executed by certain users, do the following. In the Integration Directory, choose the Assigned Users tab page for the corresponding business system or business component and specify the list of users permitted to execute messages.

More information: Communication Component

If you want to refine the ACL-based authorization with regard to a specific sender interface, assign the authorized users to the sender agreement that contains the communication component and the interface in the object key.

More information: Defining Sender Agreements