on 06-10-2011 7:37 PM
Hi,
I am having issues with security on my MII systems. I am wondering how many levels of security there are on MII projects. I know that there is the user level security. I have Admin, Developer, and User roles on the system via ABAP/UME. I have checked the actions of each of the roles have the following assigned: XMII_Full_Access, XMII_Developer, XMII_User, and XMII_Read_Only.
I know that there is transactional security. But what levels does the transactional security apply to? Does transactional security apply to project level, a specific folder level, or just individual transactions?
I have heard about template security, but have not found out how to change/modify this. Help here would be appreciated.
Are there any other security levels that I haven't mentioned above?
The reason that I am asking these questions is that I am seeing the error '<user> is not assigned to a role that can perform this action' much too often. As I mentioned above, I should have full access on MII through my admin role. I also guess some of my problems have to do with the fact that we aren't assigning the default roles to our users, but instead get permissions through ABAP roles and UME. Therefore, is there a way to change the default roles that are assigned to transactional security so it doesn't have to be changed every time?
Having Admin (full access) abilities on MII, is there a way to change transactional security on objects that I can't open? (I'm guessing my roles aren't in the read/write transactional security for the object)
I am currently working on a system that uses MII 12.1.8.28.
I have tried searching through the SDN for this information, but haven't found anything that answers my questions. Any help would be greatly appreciated. I'm new to MII so sorry if this was a simple question. Just trying to get a better understanding of how security is handled.
Justin
The read only role may be causing you problems when in conjunction with the standard roles. I believe it's mentioned in one of the guides on service marketplace (Security or install - not sure), but without at least the XMII User role you really don't have the blanket level of security to do much of anything.
Query Template, Display Template, and Transaction based Reader and Writer Roles are all configured within the individual objects themselves in the workbench. Look for the security option tab or category (lower left) or in the top menu options.
Data servers also have Role based security, but the permission errors you receive if a user does not have access to use a connection like Northwind are quite intuitive.
Hi Jeremy,
Thanks for the reply.
I tried removing my read_only role and actions. However I am still receiving the "<user> is not assigned a role that can perform this action" message. Do you have any other suggestions on how to fix this?
Since I have the "XMII_Full_Access" permissions I feel that I should be able to open up a template or transaction and change the template or transactional security. But this appears to not be the case for template security.
Help/suggestions would be appreciated.
Thanks,
Justin
Hi,
I get this message when I double click on a template, in the navigation pane, to try and open it.
I do not have the SAP_XMII_Super_Administrator role. But when I look at the SAP_XMII_Super_Administrator role its action is XMII_Full_Access. I do have the XMII_Full_Access action. (via custom roles) Two actions I found that I don't have are "XMII_Administrator" and "XMII_Workbench_all". Are either of these roles more powerful than "XMII_Full_Access"?
Thanks.
Justin
What do you have for the problematic user at http://server:port/XMII/PropertyAccessServlet?Mode=List (see IllumLoginRoles)?
The default Reader Roles for transactions and templates are XMII_XXXX Role based - actions would be secondary and more specific permission or restriction based. If you do a new template in the workbench you will see the built in roles that are pre-established for templates.
Have you seen the top of page 15 in the installation guide? http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000717691&_SCENARIO=01100035870000000202&_O...
Thank you for the link to the guide. It says "You must assign all users to the SAP_XMII_User role." This can be done, but what I don't understand is why specific roles have been hardcoded into MII. Is there a plan to remove this hardcoding and instead utilize actions? Or at least provide users the ability to define default roles.
I currently have all users assigned to the XMII_users action. I am guessing according to this document that the action isn't sufficient.
Edited by: Justin M Brown on Jun 23, 2011 8:50 PM
Actions are suitable for granular control of features and specific user 'actions', but were first introduced along with NW's UME in 12.1. Prior to this the MII related Services were secured by Role(s), just like you can still see with Data Server permissions.
Everything was Role based, which is also why the templates and the customer base would have evidenced in their applications. Actions were introduced to provide you R/W/D granularity, where previously you were either a Developer/Admin or basic User and if you wanted to provide access to the WB or one of the Admin menu screens it was full access.
The mandate for assignment to the base Users role will give you the blanket level of capability needed to exist in the MII world, but if you want to further restrict actions you still have the option.