XI Security

Former Member · ‎08-23-2007

Hello everyone,

Iam relatively new to XI security. I'd like to know what roles are essential for developers and administrators in <b>production</b>? we already developed some roles in dev box but developers seem to have lot of authorizations which should be restricted in production. How do i decide which roles are necessary ? Are there any transactions( XI specific) or roles that developers should not be given access.

Please suggest.

Cheers.

Former Member · ‎08-23-2007

Hello Alice,

i can not answer your question, but i think you will be able to help me..

I am searching for dev-roles for the XI. I have created the basis rolses based on folwowing SAP-standard roles:

SAP_XI_ADMINISTRATOR_ABAP

SAP_XI_ADMINISTRATOR_J2EE

SAP_XI_CONFIGURATOR_ABAP

SAP_XI_CONFIGURATOR_J2EE

SAP_XI_CONTENT_ORGANIZER_ABAP

SAP_XI_CONTENT_ORGANIZER_J2EE

SAP_XI_DEVELOPER_ABAP

SAP_XI_DEVELOPER_J2EE

SAP_XI_DISPLAY_USER_ABAP

SAP_XI_DISPLAY_USER_J2EE

SAP_XI_MONITOR_ABAP

SAP_XI_MONITOR_J2EE

SAP_XI_SUPPORT_ABAP

SAP_XI_SUPPORT_J2EE

Are there any other roles which are necessary or do you have a hint for me, which role should get more / lessauthorization?

THX for your answer in Advance.

Markus

Former Member · ‎08-23-2007

Hello Alice,

Developer roles in Dev:

SAP_XI_DEVELOPER

SAP_XI_CONFIGURATOR

SAP_XI_DISPLAY

SAP_XI_MONITOR

Developer roles in Qty:

SAP_XI_DISPLAY

SAP_XI_MONITOR

SAP_XI_SUPPORT

Administrator roles in Dev:

SAP_XI_CONFIGURATOR

SAP_XI_ADMINISTRATOR

SAP_XI_DISPLAY

SAP_XI_MONITOR

SAP_XI_SUPPORT

Administrator roles in Qty:

SAP_XI_CONFIGURATOR

SAP_XI_ADMINISTRATOR

SAP_XI_DISPLAY

SAP_XI_MONITOR

Administraor roles in Prod will be very restricetd and should be used with same as Qty but its advisable to keep the user locked.

A small note here. When you try to copy standard Java roles they will not work due to permissions problem. SAP Recommonds to use customized ABAP roles and Standard JAVA roles without changing them. But if you want to copy JAVA roles into customized roles, then please let me know. I will explain the procedure.

Farooq.

Former Member · ‎08-23-2007

Thanks a bunch, Farooq. That really helps.

We already have customized ABAP roles and we're using SAP standard JAVA roles. I would definetely like to know how to copy JAVA roles into customized roles.

Markus,

As Farooq mentioned, you can copy the ABAP roles into customized roles and use SAP std JAVA roles.

A small tip, you might want to take away SU01 & PFCG authorizations from these roles.

Former Member · ‎08-23-2007

Alice,

Java roles work with influence of permissions in Application Server which we call actions in UME. As you are aware in PI user master record will be in ABAP stack. So the roles in ABAP stack will be having only RFC connections to JAVA stack for the specific JAVA based role. So you need to edit the permission on Java App Server. For that you need to log on to server through visual admin and then go to services and you will find the standard groups assigned to actions. But I don’t remember that under which service you will find them

Under that service you will find some 200 actions. And you have to add the name of the custom created JAVA roles on ABAP to all those actions where you find the standard roles. And its a very very lengthy procedure. So SAP advice to go for customized ABAP roles and Standard JAVA roles.

Hope this answer clears your query.

Farooq.

Former Member · ‎08-23-2007

I appreciate your insight & prompt response.

Do you have a document for this …copying SAP Java roles to custom roles. If so, please email it to suudsv@yahoo.co.in

I also have another question..what is the difference between a UME role and J2EE security role? Can you give a example.

Thanks in advance.

Former Member · ‎08-23-2007

I don't have any document on this. I found it myself after 2 weeks of research.

Farooq.