on 06-05-2012 3:30 PM
Our company is in the midst of a PI user security redesign. We have, to this point, been assigning our support personnel to the SAP_* delivered roles. We are copying/renaming all abap roles, and copying the corresponding roles in the AS Java UME and assigning to the new user groups. We run a dual-stacked system, with all user to role assignments taking place in AS ABAP.
An issue we've encountered is that new Z* version of SAP_XI_ADMINISTRATOR_J2EE does not function properly. For example, our PI Dev team is not able to edit/create namespaces. Assigning the SAP_* role back to the user corrects the problem.
In AS ABAP, we've verified the RFC authorizations in the Z* encompass all authorizations in SAP_XI_ADMINISTRATOR_J2EE. In AS Java, I've exported and imported the role multiple times, only changing the role name. Actions are left identical. I've also dissociated and associated the Z* role to the Z* user group. This still fails to function.
Am I missing a piece of the puzzle here? What could be causing the SAP* version to work, but the Z* not to?
Thanks in advance!
One step further - I mapped the SAP_XI_ADMINISTRATOR_J2EE UME role to the Z* user group, and it worked. Copying SAP_XI_ADMINISTRATOR_J2EE UME role and assigning it to the Z* user group does not work.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I should also mention - we're combining the RFC authorizations into a new technical role in the ABAP stack. We are, however, mapping the copied UME role to the new user group.
For example:
ABAP: Z_DEV-PI includes SAP_XI_ADMINISTRATOR_J2EE authorizations
JAVA UME: Z_DEV-PI user group has Z_XI_ADMIN_J2EE role mapped, which is a direct copy of SAP_XI_ADMINISTRATOR_J2EE.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
101 | |
13 | |
13 | |
11 | |
11 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.