Creating Users with Data-Dependent Authorizations

You perform the steps described in the following sections to create special user roles with authorizations restricted to specific data.

Prerequisites

You must have created the corresponding authorizations beforehand.

More information: Defining User Roles

Procedure

Creating Users and Roles (User Groups)

Perform the following steps to create users and roles in AS ABAP.

Note: Since ABAP roles are mapped to Java user groups, the term role used in an ABAP context means user group in a Java context.
  1. Use transaction SU01 to create a user, for example CUST_USER.

  2. Use transaction PFCG to create a composite role, for example CUST_USER_ROLE, by either creating a new role or copying an existing role.

    • If you create a new role, ensure that you assign XXX_ABAP and XXX_J2EE single roles to this role, with XXX = SAP_XI_DEVELOPER, SAP_XI_CONFIGURATOR, or SAP_XI_CONTENT_ORGANIZER, depending on whether your new role is a developer, configurator, or content organizer.

    • If you copy an existing role, for example, SAP_XI_DEVELOPER for a restricted developer role, or SAP_XI_CONFIGURATOR for a restricted configurator role, ensure that this role is completely copied to the new role, but disable the copying of contained *ABAP and *J2EE single roles.

    More information: Changing Dialog User Roles.

  3. Delete all users from the role created in the previous step.

  4. Use transaction PFCG to assign the user created in step 1 to the role created in step 2.

Assigning Roles to User Groups

Perform the following steps to assign ABAP roles to user groups in AS Java.

  1. Start your AS Java Identity Management.

  2. Choose Identity Management.

  3. Search for the new role and select it.

  4. Choose Assigned groups and then choose Modify.

  5. Search for the user group (corresponding to the ABAP role) of interest in the Available Groups frame.

  6. Select the group and choose Add.

  7. Check the assignment in the Assigned Groups frame.

  8. Choose Save All Changes.

More information: Assigning Principals to Roles or Groups.

Assigning Unrestricted Roles to Predefined User Groups

You must assign an unrestricted tool-specific role, for example XiRep_Unrestricted or XiDir_Unrestricted, to predefined user groups without data-dependent restrictions. For these users, only standard J2EE security applies. Otherwise, users of these groups do not have any permission once the additional data-dependent authorization checks are activated.

Perform the following steps to assign a predefined unrestricted role to standard user groups.

  1. Start your AS Java Identity Management.

  2. Choose Identity Management.

  3. Search for the unrestricted role (for example XiRep_Unrestricted or XiDir_Unrestricted), and select it.

  4. Choose Assigned Groups and then choose Modify.

  5. Search for the relevant PI user groups (omit SAP_XI_DEMOAPP).

    The relevant PI user groups are:

    • The ABAP dialog user roles listed and described in Dialog Users.

    • The roles of the PI service users listed and described in Service Users.

  6. Select each relevant user group and choose Add.

  7. Choose Save All Changes.

Activating Access Control for ES Repository and Integration Directory Content

Perform the following steps to activate the permissions (authorizations and user roles) defined in the ES Repository and Integration Directory.

  1. Access the exchange profile at http://<host>:<port>/dir and choose Administration, then Exchange Profile.

  2. Go to IntegrationBuilder, then IntegrationBuilder.Repository, and select the following properties:

    • com.sap.aii.util.server.auth.activation: To define user roles

    • com.sap.aii.ib.server.acl.enable: To define authorizations

  3. Set both properties to true and choose Save.

    Based on the values defined for authorizations and user roles, the system performs the following actions in the ES Repository and Integration Directory:

    Authorizations (com.sap.aii.ib.server.acl.enable) = false, User Roles (com.sap.aii.util.server.auth.activation) = false:
    Both authorizations and user roles are disabled. All users have permission to create, edit, and delete objects.

    Authorizations = false, User Roles = true:
    User roles are enabled.

    Authorizations = true, User Roles = false:
    Authorizations are enabled. However, if no authorizations are defined, users do not have permission to create, edit, or delete objects. To allow any of these actions, you must define authorizations.

    Authorizations = true, User Roles = true:
    Both authorizations and user roles are enabled. If authorizations are defined, the system grants permissions based on the defined authorizations and not on the user roles. If no authorizations are defined, the system checks the user roles and grants permissions accordingly.

  4. Go to IntegrationBuilder, then IntegrationBuilder.Directory, and repeat steps 2 and 3.

  5. Choose AII Properties to display the properties, and then refresh them.

  6. Choose AII Properties again and verify that the above-mentioned properties have the correct values.
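The following is an added example, not part of the SAP documentation: a small model of the permission decision described by the property combinations above, including the case in which authorizations are enabled but none are defined, and the exemption for holders of an unrestricted role. The function names, inputs, and result labels are assumptions of this model, not SAP APIs.

```python
# Added example (not SAP code): model the outcome of the exchange-profile
# settings so the lockout case can be checked before the flags are flipped.
from dataclasses import dataclass


@dataclass(frozen=True)
class ExchangeProfile:
    acl_enable: bool       # com.sap.aii.ib.server.acl.enable (authorizations)
    auth_activation: bool  # com.sap.aii.util.server.auth.activation (user roles)


def permission_source(profile: ExchangeProfile, authorizations_defined: bool,
                      unrestricted_role: bool) -> str:
    """Return which check decides create/edit/delete permission for a user.

    Result labels (assumed for this model):
      "open"      - no checks active; every user may create, edit, and delete
      "j2ee-only" - user holds XiRep_Unrestricted / XiDir_Unrestricted, so only
                    standard J2EE security applies
      "acl"       - data-dependent authorizations decide
      "roles"     - user roles decide
      "denied"    - authorizations enabled but none defined: no restricted user
                    may create, edit, or delete until authorizations exist
    """
    if not profile.acl_enable and not profile.auth_activation:
        return "open"
    if unrestricted_role:
        return "j2ee-only"
    if profile.acl_enable:
        if authorizations_defined:
            return "acl"  # defined authorizations take precedence over roles
        # No authorizations defined: fall back to roles only if they are enabled
        return "roles" if profile.auth_activation else "denied"
    return "roles"


def lockout_risk(profile: ExchangeProfile, authorizations_defined: bool) -> bool:
    """True when activating this profile would deny every restricted user."""
    return permission_source(profile, authorizations_defined, False) == "denied"
```

Run lockout_risk against the intended settings before activating access control; a True result means authorizations must be defined first.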