Minimum authorization role to just access Web Service hosted on PI

former_member203665
Participant
0 Kudos

Hi All,

I need to know the minimum authorization role required for creating a USER that can be shared with other end users/third-party clients for consuming a web service hosted in PI.

Is there any role (or roles) to just invoke the WS, and which doesn't allow any access to edit IR, ID, SLD, etc. objects?


Thanks in advance,

Shashank

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Hi Shashank

Just checked one of the web service users in our landscape which is being used by a third party to make calls to PI.

User Type : System

Roles: SAP_XI_APPL_SERV_USER : Process Integration: Service User for Application Systems

Profile: T_YB250030 (not sure if it's custom)

Regards

Srinivas.

Former Member
0 Kudos

Hello,

Create a service user with the SAP_XI_APPL_SERV_USER role; then your sender system can only consume the web service hosted on PI, and since you have created a service user, it cannot be used to log in to the system and edit ESR/ID objects.

Thanks

Amit Srivastava

former_member184720
Active Contributor
0 Kudos

Hi Shashank - Did you try assigning only the role "SAP_XI_APPL_SERV_USER"?

I'm sure it doesn't have edit access in ESR, ID and SLD/RWB etc., and it's mandatory for web service communication.


iaki_vila
Active Contributor
0 Kudos

Hi Haresh,

I've just tried to access with that role, because our third-party consumer users have only that role (and are created as service users), and I have had access to SLD, ESR/IR and ID; I can see everything, although I can't change anything.

I think the only way to restrict this access is to have port 50000 open to invoke the WS and to close the other 50XXXX ports to the internet, to avoid access to the development tools, or to set up an MZ/DMZ infrastructure, etc.

Regards.

former_member203665
Participant
0 Kudos

Hi Hareesh,

Yes, we tried with the role; we also tried with a communication user.

We tried with the SAP_XI_DISPLAY_USER role, which just gives display access to ESR and ID objects, but then the SOAP URL was not accessible using that.

former_member184720
Active Contributor
0 Kudos

Hi Inkai - That is what I confirmed:

I'm sure it doesn't have edit access in ESR, ID and SLD/RWB etc., and I believe Shashank is also looking for the same:

which doesn't allow any access to edit IR, ID, SLD, etc, objects.

former_member184720
Active Contributor
0 Kudos

What is your PI version? I just tried sending the message through WSNavigator and I'm able to trigger it with the above role.