Role based authorization for ESR and ID Objects in PI 7.1

0 Kudos

Hi,

I am trying to set up a role based authorization for ESR and ID objects but for some reason authorization is not working as expected.

I want to restrict a few SWCVs to only the users having a specific role.

I created a new role and have followed the exact steps as mentioned in the documents below:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/50a3efb4-57a1-2d10-a6b9-fed6d2179...

But I am still not getting it working. Although I have assigned a User role to the Test User, and the User role is configured to have only a single component EDITable, the user is still able to edit the entire landscape.

1. I am assuming that authorization should work based on the User Role, and that I do not necessarily have to add Edit Authorization for every single SWCV to get it working.

2. I tried setting the EDIT Authorization feature based on User Role and see it working, but then configuring objects in user roles doesn't make any sense if I have to do this for every single SWCV.

Can you please let me know if you have experienced this or have configured authorization based on User roles in your landscape for PI 7.1 EHP1?

Thanks in advance.

Thanks and Regards,

Amit

Accepted Solutions (1)

former_member186851
Active Contributor
0 Kudos

Hello Amit,

Make sure the property com.sap.aii.util.server.auth.activation in the Exchange Profile is set to true.

0 Kudos

Hi Raghuraman,

Thanks for the reply.

Yes, I have double-checked that this value is true in the Exchange Profile, but the problem still persists.

Although I have selected only a couple of SWCVs in the user role configuration, the user is still able to edit all.

Thanks,

Amit

former_member186851
Active Contributor
0 Kudos

Hello Amit,

One more checkpoint: did you add only that role to the user?

0 Kudos

Yes, I did. In NWA-->Identity management, I have assigned the custom role to this user.

I have also made sure that this user does not have ADMIN role.

Although SAP_XI_DEVELOPER_J2EE is assigned for this user to be able to edit the objects in ESR.

I would like to know if any specific role is to be checked or removed for this user.

Thanks,

Amit

former_member186851
Active Contributor
0 Kudos

Amit,

You said you included only 2 SWCVs, right? Did you select include for those 2, with the remaining excluded?

Nothing needs to be done apart from this. You need to assign this role to the user (which is activated).

0 Kudos

Hi, yes I did. I included the 2 where I wanted the user to have EDIT access, and excluded the rest with *. The user role and user are active.

former_member186851
Active Contributor
0 Kudos

Try as below and let me know the result, Amit.

Include   *       *    Exclude  * Full Edit

Include TEST_AB   *    Include  * Full Edit

0 Kudos

Hi Raghuraman, yes, I did try this as well but no luck.

I suspect there's some global setting which is missing, but I am still unable to resolve the issue.

former_member186851
Active Contributor
0 Kudos

Hello Amit,

Just the property needs to be enabled in the exchange profile, which you did already.

Try re-configuring once and check.

We also did the same steps and it's working fine.

0 Kudos

Yes. Just to confirm my understanding, as it is working fine for you:

Edit Authorization and User roles should work independently, right?

What I mean is that I should expect the User roles to work irrespective of the EDIT Authorization setting at namespace and folder level, where we can also restrict authorization based on the user role created, but this is additional. Ideally, the User role alone should work, is my understanding.

Is it correct?

Thanks,

former_member186851
Active Contributor
0 Kudos

You should create roles based on which any SWCV access (edit, delete) can be restricted.

This role can be assigned to any user.

0 Kudos

Firstly, many thanks for your replies to all my queries.

Yes, I agree. What I meant by Edit authorization was:

Defining Authorizations - Managing Services in the Enterprise Services Repository - SAP Library

Thanks for the confirmation that it's not relevant. I have done it the same way as you mentioned.

Create role -> Add SWCV for restriction/inclusion and added role to user in NWA.

But I am not able to get this working. The user with the assigned role is still able to edit all.

So I just wanted to confirm that I do not have to set this EDIT authorization feature along with the User role.

Thanks

former_member186851
Active Contributor
0 Kudos

Fine Amit,

Please close the thread if your query is addressed.

0 Kudos

Hi, can you please confirm one thing: when it was working for you,

I would like to know which standard SAP roles (apart from the custom role we created for restriction) were assigned to the user logging into ESR.

former_member186851
Active Contributor
0 Kudos


Hello Amit,

You can google for standard SAP roles. There are many roles.

You create custom roles when you wish to restrict to particular SWCVs and objects.

Answers (1)

0 Kudos

Closing the thread as the issue is now resolved.

Resolution: The acl property doesn't work individually, but in combination with the IB and IR properties.

AII properties are to be refreshed after modifying individual properties.

No ABAP roles are to be assigned to the user. Only Java roles are to be assigned from NWA->Identity manager.

A customized role and the Java developer role are needed.

Thanks and Regards,

Amit Bhagwat