05-24-2009 8:32 PM
Hi Experts,
I am having a problem copying a SAP delivered composite role for PI to a Z role. Below are the following steps that I have taken:
-Using PFCG, I copied the SAP_XI_DISPLAY_USER composite role (which contains SAP_SLD_GUEST, SAP_XI_DISPLAY_USER_ABAP, and SAP_XI_DISPLAY_USER_J2EE roles).
-I created Z role names for all four of the roles above and generated the profile for the three single roles.
-I created two new users and assigned user A to the original SAP delivered roles and user B to the Z roles. Both users should now have the same access, but here are the findings:
-Both users had access to T-Code SXMB_IFR.
-However, user A had display access to the Enterprise Service Repository, Integration Builder, Service Landscape Directory, and the Runtime Workbench. Whereas, user B had display access only to the Runtime Workbench. User B did not have the authorizations to access Enterprise Service Repository, Integration Builder, and Service Landscape Directory.
I have been unable to find a solution for this problem.
Also, the long text and description for the ZSAP_SLD_GUEST role appear in German, whereas the text for all other roles is in English. I do not know if this information is beneficial. Please help!
05-24-2009 11:31 PM
Did you give all the four roles to user A? Or only the three single roles to user A?
And you created a Z-role for the composite role too? (As you said that you did it for all of the four roles.)
If yes, then why didn't you generate the profile for the Z-composite role too?
Then how many roles did you assign to user B? (All the four Z-roles or only three Z-roles?)
05-25-2009 12:01 AM
Hi Bhudev,
-Both users are assigned four roles. When I added the composite role, the other three roles are automatically added.
-I created a Z-role for the composite role as well, but I did NOT generate a profile for the composite role because composite roles do not have profiles. I only generated profiles for the three single roles.
05-25-2009 6:33 AM
Hello T,
please check the (XI-)documentation, if copying those standard roles is applicable/recommended there.
Some applications also check for the role names, not only the authorizations. So you could test, if assigning the SAP-roles to B solves the issue....
Normally it should be documented, if the SAP roles shall be assigned directly or may be copied....
Did you search already the XI-forum regarding your issue?
b.rgds,
Bernhard
05-25-2009 8:19 AM
> SAP_XI_DISPLAY_USER --> SAP_XI_DISPLAY_USER_J2EE
I place my bets on the ABAP system as the Java UME store and this above role (and the composite) is needed on the JAVA side, even though the authorizations are okay.
Ideally this (both authorization and role name dependency) should not happen in my opinion, particularly as SAP is recommending separate installations (SIDs) for Java and ABAP systems.
Cheers,
Julius
05-26-2009 12:09 AM
Julius, you are correct.
I have found out that the SAP PI standard simple roles cannot be copied. Another user was having problems with the SAP_XI_DISPLAY_USER composite role.
What happens is when copying roles, it works fine on the ABAP part, but on the JAVA side the user isn't authorized to view the requested resource.
Thanks all!
05-26-2009 3:59 AM
Hi "T".
In XI, most of the security services are controlled through Visual Administrator. If you have access to Visual Admin, then you can look up under the security services for the mapping of SAP_XI_DISPLAY_USER to various component services; even logging into RTW/DTR requires the mapping in Visual Admin.
So, if you are creating a Z role for the standard SAP XI role, then you will have to do the mapping for the Z role in Visual Admin also; only then will the Java side work.
PS: I did this in our implementation for various purposes, like restricting the Payload view access in production.
Cheers !!
Zaheer
05-27-2009 6:06 PM