Runtime access for messages to the SAP NetWeaver PI runtime engines can be granted based on a simple authorization check.
More information: Service Users for Message Exchange
In addition to a simple authorization check, you can define that messages containing a specific (normalized) business system or business component as sender can only be executed by certain users. You do this in the Integration Directory by selecting the Assigned Users tab page for the corresponding business system or business component and specifying the list of users permitted to execute messages. This list is also known as an Access Control List (ACL).
More information: Access Control Using Assigned Users
This security concept can also be used with sender agreements, for which you can define an ACL in the Integration Directory. At runtime, the sender agreement is determined and the system checks whether its ACL contains the current user. If the ACL is empty, however, no check is made.
Because sender agreements can be defined for specific interfaces, this also enables you to grant authorization at interface level.
ACLs are only relevant for certain protocols or adapters. These are:
On the Integration Server:
XI protocol
WS protocol
Plain HTTP adapter
IDoc adapter
In the Advanced Adapter Engine:
XI protocol (not for local message processing)
RFC adapter
SOAP adapter
RNIF adapters (1.1 and 2.0) (not for local message processing)
CIDX adapter (not for local message processing)
Business Connector adapter
Marketplace adapter
In the PCK:
XI protocol
RFC adapter
SOAP adapter
Business Connector adapter
Marketplace adapter
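An audit sketch for the rules above, added here as an example and not SAP code: it flags sender agreements whose ACL is empty (no check is made at runtime) or whose adapter falls outside the list on this page. The record format, field names, finding labels and sample agreements are assumptions constructed for illustration.

```python
# Added example, not SAP code. Record format and sample data are constructed.
# ACL relevance per runtime engine, transcribed from the list on this page.
# True marks entries listed as "not for local message processing".
ACL_RELEVANT = {
    "Integration Server": {"XI": False, "WS": False, "Plain HTTP": False,
                           "IDoc": False},
    "Advanced Adapter Engine": {"XI": True, "RFC": False, "SOAP": False,
                                "RNIF": True, "CIDX": True,
                                "Business Connector": False,
                                "Marketplace": False},
    "PCK": {"XI": False, "RFC": False, "SOAP": False,
            "Business Connector": False, "Marketplace": False},
}

def acl_relevant(engine, adapter, local_processing=False):
    """True if this page lists ACLs as relevant for the engine/adapter pair."""
    not_for_local = ACL_RELEVANT.get(engine, {}).get(adapter)
    if not_for_local is None:
        return False                   # adapter not in the page's list
    return not (not_for_local and local_processing)

def classify(agreement):
    """Classify one sender agreement record (hypothetical export format)."""
    users = [u.strip() for u in agreement.get("acl", []) if u.strip()]
    if not acl_relevant(agreement["engine"], agreement["adapter"],
                        agreement.get("local_processing", False)):
        return "ACL_NOT_RELEVANT"      # ACLs are not relevant for this adapter
    if not users:
        return "EMPTY_ACL_NO_CHECK"    # empty ACL: no ACL check at runtime
    return "ACL_CHECKED"

def audit(agreements):
    """Return (name, finding) for each agreement without an effective ACL check."""
    findings = [(a["name"], classify(a)) for a in agreements]
    return [f for f in findings if f[1] != "ACL_CHECKED"]

# Constructed sample inventory (names, users and fields are illustrative).
SAMPLE = [
    {"name": "SA_Orders", "engine": "Advanced Adapter Engine",
     "adapter": "SOAP", "acl": ["SVC_ORDERS"]},
    {"name": "SA_Invoices", "engine": "Integration Server",
     "adapter": "IDoc", "acl": []},
    {"name": "SA_Partner", "engine": "Advanced Adapter Engine",
     "adapter": "RNIF", "local_processing": True, "acl": ["SVC_PARTNER"]},
    {"name": "SA_Files", "engine": "Advanced Adapter Engine",
     "adapter": "File", "acl": ["SVC_FILES"]},
]
```

Calling `audit(SAMPLE)` reports every agreement except `SA_Orders`, the only one with a non-empty ACL on an adapter for which ACLs are relevant.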
Defining ACL-Based Authorizations for Service Users
To define that messages containing a specific business system or business component as sender can only be executed by certain users, do the following: In the Integration Directory, choose the Assigned Users tab page for the corresponding business system or business component and specify the list of users permitted to execute messages.
More information: Communication Component
If you want to refine the ACL-based authorization with regard to a specific sender interface, assign the authorized users to the sender agreement that contains the communication component and the interface in the object key.
More information: Defining Sender Agreements