So, we are in the process of upgrading our PI systems from 7.11 to 7.40. We have always had problems with J2EE authorizations in the past, but now I am facing some challenges I hope you can help me with.

a) Some aspects that have worked in the past do not work any longer. For example, our developers cannot access message payloads anymore. Let me explain, that we have a very strict separation of duties and authorizations between admins, developers and support. Developers are supposed to be able to view message payloads (at least in the pre-production systems), but not edit them. I have created a J2EE role for that purpose including all 6 "payload" actions available in the UME, so far that has worked fine. After the upgrade it does not seem to be enough, developer trace says "com.sap.aii.mdt.api.exceptions.AuthorizationFailedException: Your user does not have the required authorizations for this activity"

b) Along with the upgrade I am trying to set up new "last level" users for developers to be able to perform certain tasks on production systems in case of malfunctions. They are not supposed to simply get admin rights, but I want to be able to toggle between e.g. viewing and editing message payloads, viewing and editing configuration data and so on. I cannot find any proper guides on those things and support just keeps telling me to assign roles like SAP_XI_ADMINISTRATOR(_J2EE) and so on. This is not how our authorization concepts work! In the ABAP world SAP keeps telling us to not use standard roles, but copy them and fit them to our needs. I refuse to believe that this should not be possible in the J2EE world.

Does anybody know any useful guides or documentation about the needed authorizations? Or maybe someone else is having similar problems, so we can at least work together on some aspects trying to find out the necessary actions on our own?