
SAP PI Sensitive data Interface

Former Member
0 Kudos

Hi All,

I need to pass some sensitive data through SAP PI. I want nobody to be able to view the payload, not even me or the administrator.

I tried to use the below blog to implement this:

I can see the entries in Netweaver Administrator - SOA -> Monitoring -> Persistence-Layer Encryption Monitor, but I am still able to view the payload in message monitoring. Do we need to do any more config apart from this to stop the payload from being displayed in message monitoring?

Thx in advance

Ravijeet

Accepted Solutions (1)


nicolas_p
Explorer
0 Kudos

Ravijeet

You can use custom roles to restrict the payload. We have recently done this and it's working like a charm.

I suggest using a combination of the allow all role and restriction of the specific interface.

You can follow this note to create your own custom role:

http://service.sap.com/sap/support/notes/1370334

See the note for more details, but here's the important piece for an example from SAP:


Note: The new deny_... values are always "stronger" than the normal "positive" values and overrule them. If access to the PI message has been allowed by one value (e.g. with value payload) and access to the same scenario has been denied with another value (with value deny_payload) then it means that the user can't access the message.

With the deny values it's easier to build a set of rules that allow access to many PI message scenarios and limit access to only a few critical PI scenarios. For example, you can build an action that allows payload access to all message interfaces and restricts the payload access to the critical interfaces:

<ACTION NAME="allowAllAccessAction" >
    <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=*" VALUE="payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction1" >
    <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface1" VALUE="deny_payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction2" >
    <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface2" VALUE="deny_payload"/>
</ACTION>

Keep in mind that if you wish to use this method, you'll have to add the XiMdt.standard_monitor and XiMdt.extended_monitor roles to your users that are allowed to see everything.

Because using the com.sap.aii.rwb.server.auth.UME will force users to have a monitoring role in order to see anything in the monitor.

br,

Nicolas
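To make the deny-overrides rule from the note concrete, here is a small Python model (added here as an example; it is not SAP's code and not the real UME evaluator) that parses the three ACTION elements quoted above and decides whether a user holding a given set of actions may see the payload of an interface. It assumes the interfaceName pattern uses a simple * wildcard; that is an assumption of this example, not documented SAP matching behaviour.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: the three ACTION elements quoted from SAP note 1370334
# in the answer above, wrapped in a root element so ElementTree can parse them.
ACTIONS_XML = """<ACTIONS>
<ACTION NAME="allowAllAccessAction" >
    <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=*" VALUE="payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction1" >
    <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface1" VALUE="deny_payload"/>
</ACTION>
<ACTION NAME="denyConfidentialAccessAction2" >
    <PERMISSION class="com.sap.aii.mdt.util.MonitoringPermissionExt" NAME="interfaceName=MyConfidentialInterface2" VALUE="deny_payload"/>
</ACTION>
</ACTIONS>"""

MONITORING_PERMISSION = "com.sap.aii.mdt.util.MonitoringPermissionExt"


def load_actions(xml_text):
    """Return {action_name: [(interface_pattern, value), ...]} from the action XML."""
    actions = {}
    for action in ET.fromstring(xml_text).findall("ACTION"):
        perms = []
        for perm in action.findall("PERMISSION"):
            if perm.get("class") != MONITORING_PERMISSION:
                continue
            key, _, pattern = perm.get("NAME", "").partition("=")
            if key == "interfaceName":
                perms.append((pattern, perm.get("VALUE")))
        actions[action.get("NAME")] = perms
    return actions


def payload_allowed(actions, granted_actions, interface_name):
    """Model of the note's rule: a matching deny_payload overrules any matching
    payload grant; with no matching grant at all there is no payload access.
    Wildcard matching via fnmatch is an assumption of this example."""
    allowed = False
    for name in granted_actions:
        for pattern, value in actions.get(name, []):
            if not fnmatch.fnmatchcase(interface_name, pattern):
                continue
            if value == "deny_payload":
                return False          # deny is always stronger than allow
            if value == "payload":
                allowed = True
    return allowed
```

Assigning a user both allowAllAccessAction and denyConfidentialAccessAction1 yields payload access to every interface except MyConfidentialInterface1, which is exactly the split the note describes.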

Former Member
0 Kudos

Hi Nicolas,

How do you ensure that nobody tampers with the roles? If the admin has access, he can change the roles for himself:

user admin application - http://<server>:<port>/useradmin


Say I am passing payment instructions or sensitive employee information, which I currently want to keep secure even from admins.


Thanks in advance

Ravijeet

nicolas_p
Explorer
0 Kudos

Hi Ravijeet

I don't think it's possible to restrict a certain role to be added or removed if someone has the administrator role. It's probably best to ask this directly to SAP.

In our case, the users that aren't allowed to view the sensitive data aren't administrators. So they can't open the useradmin page at all, as they will get a permission denied error.

br,

Nicolas

Former Member
0 Kudos

Hi Nicolas,

How do you restrict the user admin page access?

Regards

Ravijeet

Answers (0)