SAP:XI:RWB and Payload restriction

former_member1351727
Active Participant
0 Kudos

Hi All,

One of the requirements we have is that the user should not see the payload details in the lower window (W2) and should access few functions (monitors) from the RWB.

As of now we are using the SAP_XI_DISPLAY_USER composite role, with which the user is able to see the payload as well as all the components of the RWB.

So now the requirement is to block this user from viewing payload details in window 2 and to block some monitors in the RWB.

We initially copied the single role of the above composite role to z_role and assigned that to a composite role ZZ_SAP_XI_DISPLAY_USER. This role is assigned to the user.

Now my understanding is that, as we did not change anything in the copied single roles, the user should be able to use all the functionality as he was doing before. But this is not the case. He is not able to open the RWB and gets a 403 Forbidden error.

So after copying the user defined role is there anything else we need to do for XI roles?

Our aim is that once this works we will start controlling the objects s_xmb_moni (RWB) and s_xmb_dsp (Payload) to get the required authorizations.

However, it got stuck at the first step...

Any help in this regard will be greatly appreciated!!!

Thanks in advance.

4 REPLIES 4

Former Member
0 Kudos

Hi Vani,

If you are not on PI 7.1, then you have to make sure that your new role is mapped in Visual Admin properly.

If you would look at the SAP_XI_DISPLAY_USER, it has only S_RFC authorization, and all the components access (actions) reside in Visual Admin, where the SAP roles appear as Groups (just like UME).

For XI, sap.com/com.sap.xi* are the components you have to look for in Visual Admin.

Cheers !!

Zaheer

former_member1351727
Active Participant
0 Kudos

Hi Zaheer,

We are on WAS 640.

As I understand, in XI it is usual that we will have a composite role which internally will have one ABAP role and one Java role, as both are required for the tools etc. to work.

So in my SAP_XI_DISPLAY_USER I have

SAP_XI_DISPLAY_USER_ABAP (which has many auth objects) and SAP_XI_DISPLAY_USER_J2EE (which has only S_rfc).

And also what I read from SAP Help is that this message controlling or monitoring is done from both the ABAP and Java side.

And the payload etc. is controlled by the S_XMB_MONI object.

I will change the ABAP role, but how about the Java role (SAP_XI_DISPLAY_USER_J2EE), as this has only S_RFC?

As you mentioned, I should change it in the Visual Admin (VA).

As of now I do not have Visual Admin access, so I have requested the same.

Once I get that I will see what needs to be done.

So in the VA I have to go to the UME or any other service to manage these groups.

Roles of ABAP are treated as groups on the J2EE side?

Correct me if my understanding is wrong.

So there is a link between role and group... I am really new to XI security (J2EE). For the custom role that I am going to create, I need to do this linkage. Is that right?

Thanks for all the help.

0 Kudos

SXMB_MONI restrictions are for message monitoring on the ABAP side of the Adapter Engine. The Java side is controlled by Visual Administrator (which will not be the case with PI 7.1... finally!!).

Log in to VA, go to the Server process, and in the services go to Security Provider.

Look out for Component: sap.com/com.sap.xi.mdt*mdt

There you would have payload as an action; check out which groups (ABAP roles) are mapped to it.

The recommendation (for me) is to create your own Z role and have it mapped as you wish rather than touching the SAP-delivered roles.

Cheers !!

Zaheer

0 Kudos

Thanks Zaheer,

We used a modified ABAP role and the standard J2EE role in one composite role. Then we were able to restrict the payload details in RWB and also in SXMB_MONI.

Hence I close the thread.

Thanks.