using visual administrator for java authorizations

Former Member · ‎12-16-2009

Hi,

I am trying to create my own PI authorization roles ABAP + JAVA. I have created a role in the ABAP stack and now i am adding this role (in java known as a group) to the correct component. When i am in the visual administrator, i go to cluster --> server --> services --> security provider. Tab runtime --> tab security roles. The only thing i am unable to find is where to set the security for the following: when in the PI page (http://host:port/dir) selection in the top right there is a button "Administration". My version of PI is 7.0. Anyone have any idea? Seems very little docymentation is available for this. Seems SAP only wants you to use their default roles. Unfortunately, my customer does not allow me to use default SAP roles.

kind regards,

Bas

Former Member · ‎12-16-2009

Hi Bas,

Of course you can use custom roles But these are application roles. So you have to find your application (in the "Policy Configurations" tab in the Security Provider service), then select the "Security Roles" tab and finally add your role. Note that you probably need to add some groups or users to it (not mandatory). This role will be valid only for this specific application whose policy configuration you created it in.

Cheers,

Dimitar

Former Member · ‎12-18-2009

Dimitar,

I understand the way it works, unfortunately i cannot find the correct application for the "administration" button

regards,

Bas

Former Member · ‎12-19-2009

Refer to the SAP delivered XI Security Guide.

XI security is set up such as you can customize the ABAP roles(single and composite) but not the Java roles.

Lets take an example of SAP_XI_ADMINISTRATOR composite role which has below roles:

SAP_ALM_ADMINISTRATOR

SAP_ALM_CUSTOMIZER

SAP_SLD_ADMINISTRATOR

SAP_XI_ADMINISTRATOR_ABAP

SAP_XI_ADMINISTRATOR_J2EE

SAP_XI_BPE_ADMINISTRATOR_ABAP

SAP_XI_DEMOAPP

Now as per your client needs you can create a new composite role Z_XI_ADMINISTRATOR having below roles:

SAP_ALM_ADMINISTRATOR

SAP_ALM_CUSTOMIZER

SAP_SLD_ADMINISTRATOR

Z_XI_ADMINISTRATOR_ABAP

SAP_XI_ADMINISTRATOR_J2EE

Z_XI_BPE_ADMINISTRATOR_ABAP

SAP_XI_DEMOAPP

Note that all the Java roles(Non ABAP) are not changed above. This is how the security of XI is set up. These Java delivered roles are hard coded and they will be checked for access in IR/ID/RWB etc.

In your case I guess SAP_XI_ADMINISTRATOR_J2EE role has necessary access to "Administration" in XI page.. Hope this helps. And you can always refer to the SAP delivered XI security guide to convince them the usage of SAP delivered roles in XI.

Do let us know if it has resolved your issue. Happy debugging )

Former Member · ‎12-21-2009

Hi,

Java security is not hard-coded, it is as dimitar says, you just have to find the right component. So far i have 90% of the java security roles converted to my own Z-roles. Creating a composite Z-role and including the standard SAP roles is not an acceptable option.

regards,

Bas

Former Member · ‎12-21-2009

Hi Bas,

Unfortunately I am from the core security team and I have no idea what application is running this link. Obviously it's a part of some XI framework, but I don't know which one.

Hope you have some luck.

Dimitar

Former Member · ‎12-21-2009

Dimitar,

Thanks for your help, but i think i figured it out. I made a wrong assupmtion. Let me explain what i did:

- In the vis. admin --> security provider --> security roles, check all components which involve standard XI roles.

- make a spreadsheet x-axis= (vis admin)roles (e.g. administrator) y-axis= components (e.g. sap.com/com...)

- make a spreadsheet x-axis= (vis admin)roles y-axis= ABAP role (e.g. SAP_XI_ADMINSTRATOR_J2EE)

- correlate the two spreadsheets and you got what you need.

My mistake was to assume that adding my ABAP role to the administrator vis admin role would be the same as SAP_XI_ADMINISTRATOR_J2EE. I forgot to also add my abap Z-role to the configure, display, develop and so on of the several vis admin component roles. After correcting this, everything works as expected.

regards,

Bas