on 11-30-2009 10:32 AM
Hi All,
We are using XI/PI for our integration requirements and we are facing a security-related issue. We are using the same box for Export Compliance and non Export Compliance integration scenarios and we have provided data level restriction by filtering EC namespaces in authorization roles.
However, now there is another concern that anybody can change the ID objects in the XI system and route the message to a diff server or directory location if it is a file based interface. So does anybody have any idea how we can restrict change access to specific ID objects?
Say for example I want to restrict the change access to the communication channel "CC_TestInterface". Our XI system version is 7.0 with SP level 17.
Please advise
Thank you
Vijaya
Hi Vijaya,
For this we have to create the Roles.
Actually this issue is related to the BASIS.
Go to PFCG (T-code for creating the roles). Then give some role name (select whether it is a single role or multiple roles), then click on Create.
In the Menu tab, add the T-codes (these T-codes can be accessed by this role).
In the Authorization tab, click on display authorization data, then click on change, then click on activity; then it asks for the permissions, and now you can select the permissions (create/generate, change, display, ...).
We can select the required permissions.
We assigned this permission to a particular T-code, so when we give this T-code to particular users, they can access only those permissions that we have already given.
For other info
http://help.sap.com/saphelp_nw04/helpdata/en/f4/67b340be3dff5fe10000000a155106/content.htm
Regards
Ramesh
Following a similar method to the one mentioned in this blog may help you: /people/michal.krawczyk2/blog/2005/05/25/xi-how-to-add-authorizations-to-repository-objects
ID --> Tools --> User Roles --> New
Also refer: http://help.sap.com/saphelp_nw04/helpdata/en/f4/67b340be3dff5fe10000000a155106/content.htm
Regards,
Abhishek.
Thanks for your responses. We are looking at restriction in the integration directory and it does not seem to work. I add include in the selection path and exclude in the object; it permits only that object and blocks all other objects. We are using services without party. Multiple selection in the party list also blocks the access. Are there any known bugs that exist? Any help will be highly appreciated.
Thanks
Vijaya
Hi,
Go to the PFCG transaction, give some role name and click on Create.
After that, in the Menu tab, add whatever T-codes you want to give to this particular role.
In the Authorizations tab, click on display authorization data, then go to change mode -> activity, then select the corresponding object in the maintained option and give the permissions like read, write, delete, whatever you want.
And in the User tab, give the user names (to whom you want to give these roles).
Actually this is related to the BASIS issue, so you may not have the above T-code authorization. Better to contact your basis team.
Regards
Ramesh