cancel
Showing results for 
Search instead for 
Did you mean: 

Minimum role and authorization for invoking a PI hosted WebService

former_member182004
Contributor
0 Kudos

Hi all!

I have a question for you:

I have a SOAP -> PI -> RFC interface, that has to be used for a third party client.. so as they wanted to test it in their system I have to give them a user to do it..

Of course I'd like to create a user with the minimum permissions just to invoke that WS. So I started searching in here and I found these sites:

-

Even using just SAP_XI_ADMINISTRATOR_J2EE and SAP_XI_APPL_SERV_USER the problem is that that user can enter to the IR or ID and create/change whatever he wants..

-

After finding the Security Role xi_adapter_soap_message, I didn't find the group to assign the recently created user to.

I also searched in here: http://www.erpgenie.com/sap/netweaver/xi/xiauthorizations.htm

And I tried with SAP_XI_DISPLAY_USER and SAP_XI_MONITOR but they aren't enough to invoke the WS.

So, in summary I'd like (of course if possible) if there are a group, or one, roles.. to just invoke the WS but that these group don't allow to enter to modifying transactions in the ABAP stack, neither creating/changing objects in IR, ID, SLD, etc.

Thanks in advance.

Juan

Accepted Solutions (0)

Answers (4)

Answers (4)

Former Member
0 Kudos

Hi Juan,

Did you get answer for your issue? . We are also in same situation to  know what minimum role required to just invoke web service.

Regards

Vasu

former_member182004
Contributor
0 Kudos

Hi Vasu, check these 2 threads they may help you:

http://scn.sap.com/message/6723135

http://scn.sap.com/message/1583239#1583239

regards,

  Juan.

Former Member
0 Kudos

We have a similar requirement..would like to know your final implementation/resolution. Please share the details.

Shabarish_Nair
Active Contributor
0 Kudos

create a communication user with the role as of the PIAPPLUSER

Former Member
0 Kudos

copy of PIAPPLUSER work fine, but the user can access the ES

Repository and change the objects!!

Shabarish_Nair
Active Contributor
0 Kudos

have the user as a communication user and not a dialog user.

If you do so the user will only have display access to ESR and cannot change anything

former_member182004
Contributor
0 Kudos

Hi again Folks!

Any ideas?

Regards,

VijayKonam
Active Contributor
0 Kudos

SAP_XI_APPL_SERV_USER - This is the only role need to be assigned to the Web Services consumer user. There is a default user created too PIAPPLUSER only for this purpose. You can copy this user profile to any one who you want to grant the access to.

VJ

former_member182004
Contributor
0 Kudos

Hi VJ,

Thanks for your response, this role works, I assigned it (only that) to the user that I wanted, but the problem is that he can also enter to Integ. Repository or Directory to create, change objects.. and that's what I don't want to.

Regards,

Former Member
0 Kudos

Hi,

I have the same problem, SAP_XI_APPL_SERV_USER work fine, but enable

authorization for ES Repository and Int. Directory.