on 02-08-2012 10:00 PM
Hello All
First, let me preface by saying that I'm 8 months out of college/6 months into SAP Security, so if replies can focus a bit on the "why" as well as the "what," it'd be much appreciated.
That being said, I've been tasked with determining whether or not it is possible to restrict the starting and stopping of communication channels by Adapter type (JMS, specifically).
I've determined that with the SAP_XI_MONITOR role, a user has the ability to start and stop these channels through RWB. What I can't figure out is whether there is an object in the SAP_XI_MONITOR_ABAP role that allows me to restrict this down to adapter type. I was focused on the object S_XMB_MONI, but wasn't able to get much further. That being said, it may have something to do with the custom role I set up for this purpose -- new composite containing all of SAP_XI_MONITOR, but replacing SAP_XI_MONITOR_ABAP with a custom version. I assumed that the Java stack would authenticate back to my custom ABAP role. Perhaps this is not the case.
Anyhow, I'm curious as to whether or not this can/can't be done. If not, why not? And if so, how could I go about doing it?
Thanks in advance!
Thanks, all, for your input. I think we came to a consensus here. I'll be passing this info on to our PI cohorts.
Hi,
1. welcome to the forum
I don't think there is a way to do that with roles directly but...
there is always a nice workaround
you can control channels via HTTP calls (for example from an ABAP program)
https://weblogs.sdn.sap.com/pub/wlg/24741
this way you can have multiple ABAP programs which control just one adapter (in the channel selection - display only adapters of a specific type per one ABAP program) and add authorization to those specific ABAP programs
I know that this is not perfect but in case you won't find any way to do it with Java roles you can always use this workaround
Regards,
Michal Krawczyk
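The workaround described in the post above, sketched as an added example (not part of the thread and not SAP code): a wrapper that looks up a channel's adapter type itself and only then builds the control request for a technical user. The role names, the channel inventory and the servlet path with its `party`/`service`/`channel`/`action` parameters are assumptions here; check them against the linked blog and your PI release.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Hypothetical wrapper roles mapped to the adapter types each may control.
POLICY = {"Z_PI_CHANNEL_JMS": {"JMS"}, "Z_PI_CHANNEL_FILE": {"File"}}
ACTIONS = {"start", "stop", "status"}

@dataclass(frozen=True)
class Channel:
    party: str
    service: str
    name: str
    adapter_type: str

# Constructed inventory; a real wrapper would read it from the PI directory.
INVENTORY = [
    Channel("P_ACME", "BS_ORDERS", "CC_JMS_Orders_Out", "JMS"),
    Channel("P_ACME", "BS_ORDERS", "CC_File_Archive_In", "File"),
]

class Denied(Exception):
    pass

def authorize(role, service, name, action):
    """Return the channel if `role` may run `action` on it, else raise Denied."""
    if action not in ACTIONS:
        raise Denied(f"unknown action {action!r}")
    if "*" in service or "*" in name:
        # A wildcard could span adapter types, so it is never forwarded.
        raise Denied("wildcards are not allowed")
    match = [c for c in INVENTORY if (c.service, c.name) == (service, name)]
    if len(match) != 1:
        raise Denied("channel not found")
    # The adapter type comes from the inventory, never from the caller.
    if match[0].adapter_type not in POLICY.get(role, set()):
        raise Denied(f"{role} may not control {match[0].adapter_type} channels")
    return match[0]

def control_url(base, role, service, name, action, audit):
    """Authorize, record the decision, and build the request URL."""
    try:
        ch = authorize(role, service, name, action)
    except Denied as exc:
        audit.append((role, service, name, action, f"DENY: {exc}"))
        raise
    audit.append((role, service, name, action, "ALLOW"))
    query = urlencode({"party": ch.party, "service": ch.service,
                       "channel": ch.name, "action": action})
    return f"{base}/AdapterFramework/ChannelAdminServlet?{query}"
```

The restriction only holds if end users have no direct access to the channel control URL or the Java channel admin roles, so that the wrapper's technical user is the only account that can reach it.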
Thanks, Michal! I've forwarded this on to our AIS team for further investigation.
Has anybody else had experience with this or other methods?
Unfortunately, our PI Basis guru left the project recently, but he had mentioned that he's heard of people restricting the starting/stopping of communication channels by adapter type. Has anybody else heard of this?
Hi Andrew Evans,
Yes. There is no standard way you can control the communication channels via an ABAP role.
Even the normal external control of channels is based on JAVA roles xi_af_channel_admin_modify and xi_af_channel_admin_display only.
Another alternative is to prepare an Excel based solution as described here (http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c0487ced-f537-2d10-249d-f6c7323c272e?QuickLink=index&overridelayout=true) and then grant access to this Excel to a select few individuals or groups.
Best Regards,
Ravi