
Restricting Manual Start/Stop of Communication Channels by Adapter Type

Former Member
0 Kudos

Hello All

First, let me preface by saying that I'm 8 months out of college/6 months into SAP Security, so if replies can focus a bit on the "why" as well as the "what," it'd be much appreciated.

That being said, I've been tasked with determining whether or not it is possible to restrict the starting and stopping of communication channels by Adapter type (JMS, specifically).

I've determined that with the SAP_XI_MONITOR role, a user has the ability to start and stop these channels through RWB. What I can't figure out is whether there is an object in the SAP_XI_MONITOR_ABAP role that allows me to restrict this down to adapter type. I was focused on the object S_XMB_MONI, but wasn't able to get much further. That being said, it may have something to do with the custom role I set up for this purpose -- new composite containing all of SAP_XI_MONITOR, but replacing SAP_XI_MONITOR_ABAP with a custom version. I assumed that the Java stack would authenticate back to my custom ABAP role. Perhaps this is not the case.

Anyhow, I'm curious as to whether or not this can/can't be done. If not, why not? And if so, how could I go about doing it?

Thanks in advance!

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Thanks, all, for your input. I think we came to a consensus here. I'll be passing this info on to our PI cohorts.

MichalKrawczyk
Active Contributor
0 Kudos

Hi,

1. Welcome to the forum

I don't think there is a way to do that with roles directly but...

there is always a nice workaround

you can control channels via HTTP calls (for example from an ABAP program)

https://weblogs.sdn.sap.com/pub/wlg/24741

this way you can have multiple ABAP programs which control just one adapter (in the channel selection - display only adapters of a specific type per one ABAP program) and add authorization to those specific ABAP programs

I know that this is not perfect but in case you won't find any way to do it with Java roles you can always use this workaround

Regards,

Michal Krawczyk

Former Member
0 Kudos

Thanks, Michal! I've forwarded this on to our AIS team for further investigation.

Has anybody else had experience with this or other methods?

Unfortunately, our PI Basis guru left the project recently, but he had mentioned that he's heard of people restricting the starting/stopping of communication channels by adapter type. Has anybody else heard of this?

Former Member
0 Kudos

^^ I should mention, again, that we're exploring the options of manipulating the authorizations on the ABAP side.

Former Member
0 Kudos

Anybody else have thoughts?

I'm gathering from the lack of responses that controlling this through standard ABAP authorizations may not be feasible (or if it is, would be quite difficult). Is this the case?

Thanks!

former_member181962
Active Contributor
0 Kudos

Hi Andrew Evans,

Yes. There is no standard way you can control the communication channels via an ABAP role.

Even the normal external control of channels is based on Java roles xi_af_channel_admin_modify and xi_af_channel_admin_display only.

Another alternative is to prepare an Excel based solution as described here (http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0487ced-f537-2d10-249d-f6c7323c272e?QuickLink=index&overridelayout=true) and then grant access to this Excel to a select few individuals or groups.

Best Regards,

Ravi