on 03-07-2016 7:51 PM
Hi All,
I need to pass some sensitive data through SAP PI. I want nobody to view the payload, not even me or the administrator to view the data.
I tried to use the below blog to implement this:
I can see the entries in Netweaver Administrator - SOA -> Monitoring -> Persistence-Layer Encryption Monitor, but I am still able to view the payload in message monitoring. Do we need to do any more config apart from this to stop the payload from getting displayed in message monitoring?
Thx in advance
Ravijeet
Ravijeet
you can use custom roles to restrict the payload. We have recently done this and it's working like a charm.
I suggest using a combination of the allow all role and restriction of the specific interface.
You can follow this note to create your own custom role:
http://service.sap.com/sap/support/notes/1370334
See the note for more details, but here's the important piece for an example from SAP:
Note: The new deny_... values are always "stronger" than the normal "positive" values and overrule them. If access to the PI message has been allowed by one value (e.g. with value payload) and access to the same scenario has been denied with another value (with value deny_payload) then it means that the user can't access the message.
With the deny values it's easier to build a set of rules, that allow access to many PI message scenarios and limit access to only a few critical PI scenarios. For example, you can build an action that allows payload access to all message interfaces and restrict the payload access to the critical interfaces:
<ACTION NAME="allowAllAccessAction" >
  <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=*" VALUE="payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction1" >
  <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface1" VALUE="deny_payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction2" >
  <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface2" VALUE="deny_payload"/>
</ACTION>
Keep in mind that if you wish to use this method, you'll have to add the XiMdt.standard_monitor and XiMdt.extended_monitor roles to your users that are allowed to see everything.
Because using the com.sap.aii.rwb.server.auth.UME will force users to have a monitoring role in order to see anything in the monitor.
br,
Nicolas
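As an added illustration (not code from the SAP note or from this thread), the following evaluator applies the deny-overrules-allow rule quoted above to the three sample actions; it assumes that `*` in interfaceName is matched as a glob wildcard and that a role is simply the set of action names assigned to it.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the three actions from the SAP note as quoted in the
# thread, wrapped in a root element so they parse as one document.
ACTIONS_XML = """<ACTIONS>
<ACTION NAME="allowAllAccessAction" >
<PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=*" VALUE="payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction1" >
<PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface1" VALUE="deny_payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction2" >
<PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface2" VALUE="deny_payload"/>
</ACTION>
</ACTIONS>"""

PERM_CLASS = "com.sap.aii.mdt.util.MonitoringPermissionExt"


def load_permissions(xml_text, action_names):
    """Return (interface_pattern, value) pairs from the actions assigned to a role."""
    root = ET.fromstring(xml_text)
    perms = []
    for action in root.iter("ACTION"):
        if action.get("NAME") not in action_names:
            continue
        for perm in action.iter("PERMISSION"):
            if perm.get("class") != PERM_CLASS:
                continue
            key, _, pattern = perm.get("NAME", "").partition("=")
            if key == "interfaceName":
                perms.append((pattern, perm.get("VALUE")))
    return perms


def can_view_payload(perms, interface_name):
    """deny_payload on any matching pattern overrules payload granted elsewhere.
    Assumption: '*' in interfaceName is treated as a glob wildcard."""
    allowed = denied = False
    for pattern, value in perms:
        if not fnmatch.fnmatchcase(interface_name, pattern):
            continue
        if value == "deny_payload":
            denied = True
        elif value == "payload":
            allowed = True
    return allowed and not denied


def check_role(xml_text, action_names, interfaces):
    """Effective payload decision per interface for a role built from action_names."""
    perms = load_permissions(xml_text, action_names)
    return {name: can_view_payload(perms, name) for name in interfaces}
```

Running check_role with all three actions shows payload visible for an ordinary interface and denied for both confidential ones; a role holding only deny actions grants nothing, because no positive value is present.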
Hi Nicolas,
How do you ensure that nobody tampers with the roles, if the admin has access he can change the roles for himself:
user admin application - http://<server>:<port>/useradmin
Say I am passing payment instructions or sensitive employee information, which I want to keep secure even from admins.
Thanks in advance
Ravijeet
Hi Ravijeet
I don't think it's possible to restrict a certain role from being added or removed if someone has the administrator role. It's probably best to ask this directly to SAP.
In our case, the users that aren't allowed to view the sensitive data aren't administrators. So they can't open the useradmin page at all, as they will get a permission denied error.
br,
Nicolas