Customized role SAP_XI_MONITOR_J2EE

Former Member
0 Kudos

Hi expert,

I'm creating a new customized role copied from SAP_XI_MONITOR_J2EE and assigning it to testuser. When I assign this role to the user I get error 403 Forbidden when I enter RWB. But if I assign the user to the standard role SAP_XI_MONITOR_J2EE he can access RWB without any error. I'm creating this new customized role just for monitoring RWB - message monitoring.

Does anyone know the reason why SAP_XI_MONITOR_J2EE allows access to RWB but not ZSAP_XI_MONITOR_J2EE, which I copied entirely from the standard role?

Thanks for your help.

Thanks.

Regards,

Thava

Accepted Solutions (1)

marksmyth
Product and Topic Expert
0 Kudos

Hello Thava

Please check the XI Configuration Guide which is available from

http://service.sap.com/nw04installation

-> SAP XI

Check section "14 User Management and User Roles".

Regards

Mark

Answers (4)

Former Member
0 Kudos

PI 7.0, customised roles need to be added in Visual Admin > Security Provider.

Former Member
0 Kudos

Hello Flok,

As Prateek said, the same roles will be used:

SAP_XI_RWB_SERV_USER

SAP_XI_RWB_SERV_USER_MAIN.

Regards,

Ravi.

Former Member
0 Kudos

Hi,

You need to understand the authorization concept in ABAP and Java. In PI, your ABAP system is the master authorization engine, and Java UME is notified and updated when you make a change on the ABAP side. But vice versa is not true.

Also, there are different authorization objects: ABAP roles, Java user groups, and Java roles. ABAP roles are only for the ABAP stack, whereas Java user groups and roles control the Java stack.

PI standard ABAP roles starting with SAP_XI.. are mapped to user groups in Java UME, which in turn are mapped to Java roles in UME. This means, when you assign the role SAP_XI_MONITOR, let's say, in SU01 to a user, Java UME gets notified by ABAP, and it will assign the same-named Java user group to this user in the Java stack. If this user group has a Java role in it, the user will also get Java stack authorizations; if it doesn't, he won't have any authorization in the Java stack.

So when you create a new ABAP role, a new Java user group gets created in Java UME, but since there are no Java roles assigned to it in the Java UME, your new user will not be able to access any Java part of PI. In this case, you have to find your user group created in Java UME and assign the Java roles you want to it.

You can access the Java UME (user management engine) from your main Java start page - http://host:port

Let me know if anything is not clear or you need more help.

Regards,

Gökhan

Former Member
0 Kudos

Hi Gokhan,

So is there any way for me to create a customised role copied from sap_xi_monitor_j2ee to zsap_xi_monitor_j2ee1? The purpose of this role is just to access RWB. And if possible I want to limit it to just message monitoring. I tried as you said but it looks like I'm not successful. Could you please guide me step by step?

Thanks.

Regards,

Thava

Former Member
0 Kudos

Hi,

Once you copy XI_MONITOR to ZXI_MONITOR in PFCG, you will have the roles in ABAP. Now, you need to assign the roles in Java. Copying a role in ABAP does not automatically copy the Java authorizations associated with that ABAP role on the Java stack, which is where RWB runs.

For that, go to http://hostname:port, click on Identity Management (IDM).

As I had specified, ZXI_MONITOR will be appearing as a "Java User Group". BUT, this group currently has no Java roles, so you need to assign them.

So once you are in IDM, find this user group, click modify, go to the roles tab, and add any Java role you want, such as SAP_XI_MONITOR_J2EE (check what Java roles XI_MONITOR has originally).

To nail it down further, every Java role is made up of actions. You can create a new Java role from scratch, and assign actions to it. But actions are predefined (I mean, defined at development time, in the code), so you cannot play around with their authorizations. There are further concepts on this but I won't go that deep.

This is the most detail I can provide, hope you can take it on and learn the rest yourself by a little bit of research if you need and playing around with the tools.

Regards,

Gökhan
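
The chain described in the two replies above (ABAP role, same-named UME group, Java roles on that group), modelled as an added example; it is not SAP code and not part of the original posts. The user names, the role name EXAMPLE_RWB_ROLE, the sample assignments and the upward inheritance through parent groups are assumptions made for illustration.

```python
from collections import deque

# Constructed sample data; this is a model, not an SAP API.
# ABAP role assignments as maintained in SU01.
ABAP_ROLES = {"monitor_std": ["SAP_XI_MONITOR"], "testuser": ["ZXI_MONITOR"]}
# UME group -> parent groups (assumption: members inherit from parents).
GROUP_PARENTS = {"SAP_XI_MONITOR": ["SAP_XI_MONITOR_J2EE"], "ZXI_MONITOR": []}
# UME group -> Java roles. EXAMPLE_RWB_ROLE is a placeholder name.
# ZXI_MONITOR is absent: the PFCG copy created the group but no Java role.
GROUP_JAVA_ROLES = {"SAP_XI_MONITOR_J2EE": {"EXAMPLE_RWB_ROLE"}}


def effective_groups(user, abap_roles, parents):
    """Each ABAP role surfaces as a same-named UME group; follow parents."""
    seen, queue = set(), deque(abap_roles.get(user, []))
    while queue:
        group = queue.popleft()
        if group in seen:  # guards against cyclic group nesting
            continue
        seen.add(group)
        queue.extend(parents.get(group, []))
    return seen


def effective_java_roles(user, abap_roles, parents, group_roles):
    """Union of the Java roles attached to every group the user ends up in."""
    roles = set()
    for group in effective_groups(user, abap_roles, parents):
        roles |= group_roles.get(group, set())
    return roles


def users_without_java_roles(abap_roles, parents, group_roles, prefix="Z"):
    """Audit: users whose custom groups yield no Java role (the 403 case)."""
    findings = {}
    for user in abap_roles:
        if effective_java_roles(user, abap_roles, parents, group_roles):
            continue
        groups = effective_groups(user, abap_roles, parents)
        custom = sorted(g for g in groups if g.startswith(prefix))
        if custom:
            findings[user] = custom
    return findings


if __name__ == "__main__":
    print(users_without_java_roles(ABAP_ROLES, GROUP_PARENTS, GROUP_JAVA_ROLES))
    # Assign only the role the custom group needs, then re-run the audit.
    fixed = {**GROUP_JAVA_ROLES, "ZXI_MONITOR": {"EXAMPLE_RWB_ROLE"}}
    print(users_without_java_roles(ABAP_ROLES, GROUP_PARENTS, fixed))
```

Running the audit after every PFCG copy shows which custom groups still carry no Java role, and which roles a group actually hands out once one is assigned.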

Former Member
0 Kudos

Hi Gokhan,

Sorry to reply to this forum late. Only now do I have the time to look into this. Actually, I checked in Java and the standard group SAP_XI_MONITOR_J2EE does not have any roles assigned to it.

SAP_XI_MONITOR has the parent groups below assigned:

SAP_XI_MONITOR_J2EE

SAP_XI_MONITOR_ABAP

SAP_XI_DEMOAPP

SAP_XI_BPE_MONITOR_ABAP

SAP_SLD_GUEST

But there are no roles assigned to it.

The customised role ZSAP_XI_MONITOR_J2EE is copied from SAP_XI_MONITOR_J2EE. I have checked in Java, and the group SAP_XI_MONITOR_J2EE doesn't have any roles assigned to it either. So, I'm not sure what else to do here.

Thanks.

Regards,

Thava

Former Member
0 Kudos

Hi Gokhan,

We are facing the same problem. We need to create a new custom Java role from scratch, and assign actions to it.

But as you know, actions are predefined, and we do not know how to play around with their authorizations.

Could you please send further information / concepts on this so that I can create a Z* custom role in PI UME, assign it to a user and map it to a Z* custom group (SAP Backend / ABAP)?

Regards,

Keyur

prateek
Active Contributor
0 Kudos

Roles required for RWB are SAP_XI_RWB_SERV_USER and SAP_XI_RWB_SERV_USER_MAIN.

Regards,

Prateek