08-23-2007 3:53 AM
Hello everyone,
Iam relatively new to XI security. I'd like to know what roles are essential for developers and administrators in <b>production</b>? we already developed some roles in dev box but developers seem to have lot of authorizations which should be restricted in production. How do i decide which roles are necessary ? Are there any transactions( XI specific) or roles that developers should not be given access.
Please suggest.
Cheers.
08-23-2007 7:43 AM
Hello Alice,
i can not answer your question, but i think you will be able to help me..
I am searching for dev-roles for the XI. I have created the basis rolses based on folwowing SAP-standard roles:
SAP_XI_ADMINISTRATOR_ABAP
SAP_XI_ADMINISTRATOR_J2EE
SAP_XI_CONFIGURATOR_ABAP
SAP_XI_CONFIGURATOR_J2EE
SAP_XI_CONTENT_ORGANIZER_ABAP
SAP_XI_CONTENT_ORGANIZER_J2EE
SAP_XI_DEVELOPER_ABAP
SAP_XI_DEVELOPER_J2EE
SAP_XI_DISPLAY_USER_ABAP
SAP_XI_DISPLAY_USER_J2EE
SAP_XI_MONITOR_ABAP
SAP_XI_MONITOR_J2EE
SAP_XI_SUPPORT_ABAP
SAP_XI_SUPPORT_J2EE
Are there any other roles which are necessary or do you have a hint for me, which role should get more / lessauthorization?
THX for your answer in Advance.
Markus
08-23-2007 3:16 PM
Hello Alice,
Developer roles in Dev:
SAP_XI_DEVELOPER
SAP_XI_CONFIGURATOR
SAP_XI_DISPLAY
SAP_XI_MONITOR
Developer roles in Qty:
SAP_XI_DISPLAY
SAP_XI_MONITOR
SAP_XI_SUPPORT
Administrator roles in Dev:
SAP_XI_CONFIGURATOR
SAP_XI_ADMINISTRATOR
SAP_XI_DISPLAY
SAP_XI_MONITOR
SAP_XI_SUPPORT
Administrator roles in Qty:
SAP_XI_CONFIGURATOR
SAP_XI_ADMINISTRATOR
SAP_XI_DISPLAY
SAP_XI_MONITOR
Administraor roles in Prod will be very restricetd and should be used with same as Qty but its advisable to keep the user locked.
A small note here. When you try to copy standard Java roles they will not work due to permissions problem. SAP Recommonds to use customized ABAP roles and Standard JAVA roles without changing them. But if you want to copy JAVA roles into customized roles, then please let me know. I will explain the procedure.
Farooq.
08-23-2007 6:17 PM
Thanks a bunch, Farooq. That really helps.
We already have customized ABAP roles and we're using SAP standard JAVA roles. I would definetely like to know how to copy JAVA roles into customized roles.
Markus,
As Farooq mentioned, you can copy the ABAP roles into customized roles and use SAP std JAVA roles.
A small tip, you might want to take away SU01 & PFCG authorizations from these roles.
08-23-2007 6:47 PM
Alice,
Java roles work with influence of permissions in Application Server which we call actions in UME. As you are aware in PI user master record will be in ABAP stack. So the roles in ABAP stack will be having only RFC connections to JAVA stack for the specific JAVA based role. So you need to edit the permission on Java App Server. For that you need to log on to server through visual admin and then go to services and you will find the standard groups assigned to actions. But I dont remember that under which service you will find them
Under that service you will find some 200 actions. And you have to add the name of the custom created JAVA roles on ABAP to all those actions where you find the standard roles. And its a very very lengthy procedure. So SAP advice to go for customized ABAP roles and Standard JAVA roles.
Hope this answer clears your query.
Farooq.
08-23-2007 8:18 PM
I appreciate your insight & prompt response.
Do you have a document for this copying SAP Java roles to custom roles. If so, please email it to suudsv@yahoo.co.in
I also have another question..what is the difference between a UME role and J2EE security role? Can you give a example.
Thanks in advance.
08-23-2007 8:41 PM
I don't have any document on this. I found it myself after 2 weeks of research.
Farooq.