cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Integration Builder - Repository - Users - Roles

Former Member

on ‎03-22-2006 9:15 PM

0 Kudos

Is it possible to come up with ABAP role with the help of which he can login to Integration Repository but can not change any of the objects but for the one in a specific component.

I could make it work where the user is given SAP_XI_DEVELOPER role and I can restrict him to access some objects using another Role that I built in IR. I know about excluding him full edit access etc. This is like giving him full access with modify permissions with SAP_XI_Developer and excluding him permission on some of the objects.

I tried to give a test user SAP_XI_DIPLAY_USER and then giving him include-fulledit on a specific Software component. But this did not work.

If anybody worked on this please let me know.

Regards

Mike

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

udo_martens
Active Contributor
‎03-23-2006 12:49 PM
0 Kudos

Hi Michal,

give the developer SU01 role SAP_XI_DEVELOPER_J2EE, activate profile parameter 

 com.sap.aii.util.server.auth.activation = true

and create a new role in IB repository, where u use operator inclusive for a SWKV, namespace and objects wilcard (*), actions: everything. Result: The developer can work only with one SWKV in IB repository.

Regards,

Udo

Show replies
Show replies
Former Member
‎03-23-2006 1:37 PM
0 Kudos

Thanks for your response. I did all that. It is working fine.

I defined a user X with role SAP_XI_DISPLAY_ROLE in ABAP. In IR I created a role XIMaintenance with Includes - Full Edit - for - SWCX. Assigned this Role to user X on the J2EE side.

But the user X is not able to change the objects in SWCX.

This is the problem

STALANKI
Active Contributor
‎03-23-2006 4:33 AM
0 Kudos

/people/michal.krawczyk2/blog/2005/05/25/xi-how-to-add-authorizations-to-repository-objects is going to be very helpful for u.

Show replies
Show replies
Former Member
‎03-23-2006 12:31 PM
0 Kudos

I have already read the weblog. That part works fine. You can give someone SAP_XI_Developer Role and that person gets access to all the objects in IR. Then can deny that person access to some objects.

I want this the other way around wherein we deny the person access to all the objects(SAP_XI_DISPLAY_USER) and then give him access to specific software component.

Regards

Mike

Former Member
‎03-23-2006 3:51 AM
0 Kudos

Hi Michael,

Yes it is possible, this is what i found on help.sap.com,

To make changes to authorizations on the ABAP side, proceed as follows for each dialog user role:

...

1. Call transaction PFCG.

2. Copy the single role SAP_XI_<role>_ABAP into the customer namespace (replace the prefix SAP).

3. Create a new composite role in the customer namespace (for example, *_XI_<role>).

4. Assign the new single role (suffix _ABAP) to the new composite role.

5. Assign the new SAP single role (suffix _J2EE) to the new composite role.

6. Make changes to the new single role (suffix _ABAP).

7. Generate an authorization profile for the new single role (suffix _ABAP).

Basically what is important is that the single roles with a J2EE suffix are still assigned to the current composite role. These J2EE single roles are known to the J2EE applications and are required for automatic authorization assignments during deployment.

I hope it helps,

Thanks,

Varun

Show replies
Show replies
Ask a Question