User Management and Authorization Concepts (Dual Usage Type)

Use

Because SAP PI (dual usage type installation option) is based on both Application Server (AS) ABAP and AS Java, the user management, administration, authorization, and authentication solutions of the underlying application servers are relevant. These solutions are described in the SAP NetWeaver Security Guide.

User

Different user types are relevant for SAP Process Integration.

More information: User Types

After installation, a set of standard users is initially available for each installation option.

More information: Standard User (Dual Usage Type)

Roles

In a dual usage type installation of SAP PI, users and roles are maintained in the user management of AS ABAP.

To make these “ABAP roles” also available for the Java-based tools of SAP PI, they are propagated to user groups of the Java-based User Management Engine (UME). UME is accessible either through SAP NetWeaver Administrator or directly by calling the page http://<host>:<port> and choosing User Management.

“ABAP roles” are mapped 1:1 to corresponding UME groups.

UME user groups have the same names as the corresponding “ABAP roles” and also define the same permissions.

On the “Java side”, permissions are defined in the following way: Each UME user group is assigned exactly 1 UME role. A UME role is composed of a set of actions. These actions are the “atomic” sets of permissions assigned to basic applications.

More information:

Note

Note that in UME you cannot define composite roles as in AS ABAP.
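
The role model described above can be checked mechanically during an authorization review. The following Python sketch is an added example, not SAP code: it assumes you have exported the PI-relevant ABAP role names, UME group names, group-to-role assignments, and role-to-action assignments into plain collections, and all names and sample data in it are constructed.

```python
# Added example: audit of the ABAP role -> UME group -> UME role -> actions model.
# Function name, finding labels and all sample data are constructed for illustration.

def audit_role_propagation(abap_roles, ume_groups, group_roles, role_actions):
    """Return a sorted list of (finding, object_name) tuples.

    abap_roles   -- set of PI-relevant ABAP role names
    ume_groups   -- set of UME group names expected to originate from ABAP roles
    group_roles  -- dict: UME group name -> list of assigned UME role names
    role_actions -- dict: UME role name -> set of action names
    """
    findings = set()
    # ABAP roles are mapped 1:1 to UME groups that carry the same name.
    for role in abap_roles - ume_groups:
        findings.add(("abap_role_without_ume_group", role))
    for group in ume_groups - abap_roles:
        findings.add(("ume_group_without_abap_role", group))
    for group in ume_groups:
        assigned = group_roles.get(group, [])
        # Each UME group is assigned exactly one UME role.
        if len(assigned) != 1:
            findings.add(("group_role_count_not_one", group))
        # A UME role is a set of actions; an empty role grants nothing.
        for ume_role in assigned:
            if not role_actions.get(ume_role):
                findings.add(("ume_role_without_actions", ume_role))
    return sorted(findings)


# Constructed sample export with deliberate deviations from the model.
SAMPLE_ABAP_ROLES = {"Z_PI_SAMPLE_DEVELOPER", "Z_PI_SAMPLE_MONITOR", "Z_PI_SAMPLE_ADMIN"}
SAMPLE_UME_GROUPS = {"Z_PI_SAMPLE_DEVELOPER", "Z_PI_SAMPLE_MONITOR", "Z_PI_LOCAL_ONLY"}
SAMPLE_GROUP_ROLES = {
    "Z_PI_SAMPLE_DEVELOPER": ["sample.role.dev"],
    "Z_PI_SAMPLE_MONITOR": ["sample.role.mon", "sample.role.dev"],
    "Z_PI_LOCAL_ONLY": [],
}
SAMPLE_ROLE_ACTIONS = {"sample.role.dev": {"sample.design.edit"}, "sample.role.mon": set()}

if __name__ == "__main__":
    for finding, name in audit_role_propagation(
        SAMPLE_ABAP_ROLES, SAMPLE_UME_GROUPS, SAMPLE_GROUP_ROLES, SAMPLE_ROLE_ACTIONS
    ):
        print(f"{finding}: {name}")
```

A finding does not by itself indicate misuse, but each one marks a place where the Java-side permissions no longer follow from the ABAP role and should be explained.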

The concept of user management for a dual usage type installation is shown in the following figure:

Caution

We recommend that you do not assign development authorizations in productive systems and that you do not use productive passwords in development and test systems. This recommendation applies to all user credentials, in particular to those contained in the Exchange Profile for SAP PI.

Access Control Lists

For specific areas, you can define authorizations based on access control lists (ACLs).

Note

An access control list is a list of permissions that can be attached to an object or a set of objects.

More information: ACL-Based Authorizations

More Information

For information on the Advanced Adapter Engine Extended (AEX), see:

User Management for Advanced Adapter Engine Extended (PI-AEX)

For user management for a non-central Advanced Adapter Engine setup (dual usage type installation), see: User Management for Non-Central AAE (PI-AF)