Missing authorizations when copying SAP delivered role

Former Member
0 Kudos

Hi Experts,

I am having a problem copying a SAP delivered composite role for PI to a Z role. Below are the following steps that I have taken:

-Using PFCG, I copied the SAP_XI_DISPLAY_USER composite role (which contains SAP_SLD_GUEST, SAP_XI_DISPLAY_USER_ABAP, and SAP_XI_DISPLAY_USER_J2EE roles).

-I created Z role names for all four of the roles above and generated the profile for the three single roles.

-I created two new users and assigned user A to the original SAP delivered roles and user B to the Z roles. Both users should now have the same access, but here are the findings:

-Both users had access to T-Code SXMB_IFR.

-However, user A had display access to the Enterprise Service Repository, Integration Builder, Service Landscape Directory, and the Runtime Workbench. Whereas, user B had display access only to the Runtime Workbench. User B did not have the authorizations to access Enterprise Service Repository, Integration Builder, and Service Landscape Directory.

I have been unable to find a solution for this problem.

Also, the long text and description for the ZSAP_SLD_GUEST role appear in German, whereas the text for all other roles is in English. I do not know if this information is beneficial. Please help!

7 REPLIES

Former Member
0 Kudos

Did you give all four roles to user A, or only the three single roles?

And you created a Z-role for the composite role too? (As you said that you did it for all four of the roles.)

If yes, then why didn't you generate the profile for the Z-composite role too?

Then how many roles did you assign to user B? (All four Z-roles or only three Z-roles?)

Former Member
0 Kudos

Hi Bhudev,

-Both users are assigned four roles. When I added the composite role, the other three roles are automatically added.

-I created a Z-role for the composite role as well, but I did NOT generate a profile for the composite role because composite roles do not have profiles. I only generated profiles for the three single roles.

0 Kudos

Hello T,

Please check the (XI) documentation to see whether copying those standard roles is applicable/recommended there.

Some applications also check for the role names, not only the authorizations. So you could test whether assigning the SAP roles to B solves the issue...

Normally it should be documented whether the SAP roles shall be assigned directly or may be copied...

Did you already search the XI forum regarding your issue?

b.rgds,

Bernhard

Former Member
0 Kudos

> SAP_XI_DISPLAY_USER --> SAP_XI_DISPLAY_USER_J2EE

I place my bets on the ABAP system as the Java UME store and this above role (and the composite) is needed on the JAVA side, even though the authorizations are okay.

Ideally this (both authorization and role name dependency) should not happen in my opinion, particularly as SAP is recommending separate installations (SIDs) for Java and ABAP systems.

Cheers,

Julius

Former Member
0 Kudos

Julius you are correct.

I have found out that the SAP PI standard simple roles cannot be copied. Another user was having problems with the SAP_XI_DISPLAY_USER composite role.

What happens is when copying roles, it works fine on the ABAP part, but on the JAVA side the user isn't authorized to view the requested resource.

Thanks all!

0 Kudos

Hi "T".

In XI, most of the security services are controlled through Visual Administrator. If you have access to Visual Admin, then you can look up under the security services for the mapping of SAP_XI_DISPLAY_USER to various component services. Even logging into RTW/DTR requires the mapping in Visual Admin.

So, if you are creating a Z role for the standard SAP XI role, then you will have to do the mapping for the Z role in Visual Admin also; only then will the Java side work.

PS: I did this in our implementation for various purposes, like restricting the Payload view access in production.

Cheers !!

Zaheer

Former Member
0 Kudos

Thanks Zaheer,

I will give this a try!