XI messages stored in the persistence layer of the Integration Engine can be observed by the monitoring tools (transactions SXMB_MONI, SXMB_ADMIN) of the Integration Engine.
In addition to ordinary message persistence, there are three possible places to which message payload data can be written. These are the trace files of the mapping service, the JCo trace files (as the mapping service is called using JCo RFC), and the HTTP/S trace files (as XI messages are sent and received using HTTP/S).
There are two levels of monitoring:
· Monitoring the message headers (including the trace header)
· Monitoring the message payload (containing the actual application data)
The trace header may also contain payload data if a mapping program explicitly writes payload data to the message trace.
Use authorization object S_XMB_MONI if you want to prevent message trace headers or message payloads being visible in the PI monitoring tools. This authorization object enables you to restrict access to messages containing a specific party, service, or interface. Furthermore, you can allow access only to message headers by granting activity 03 Display, or only to message payloads by granting activity 29 Display saved data. For more information, call transaction SU21, choose object class BC_A, and see the documentation for authorization object S_XMB_MONI.
S_XMB_MONI is included in certain delivered PI single roles that belong to a composite role, for example, SAP_XI_ADMINISTRATOR_ABAP or SAP_XI_DISPLAY_USER_ABAP. Execute report RSUSR070 for an overview of all roles to which S_XMB_MONI is assigned.
If you want to restrict the authorizations of a user by assigning an individual S_XMB_MONI authorization, copy the user’s standard single user role containing the generic S_XMB_MONI authorization to a customized user role, and adapt the authorization object S_XMB_MONI correspondingly. This way you avoid modifications of the standard user roles. Furthermore, you have to copy the user’s current composite role, and replace the old standard single role with the new customized single role. Finally, you have to assign the user to this new composite role.
Work with the least privilege principle, that is, assign only those authorizations (and nothing else) that are needed by the corresponding users.
Besides being written to the trace header of the message, traces can also be written to the default trace file in the file system of the J2EE Engine. This occurs when the corresponding trace level is set to DEBUG in the Log Configurator service of the Visual Administrator (see also SAP Note 801951).
Tracing payload data during execution of the mapping service is only possible when explicitly programmed in a mapping program (log configuration XIRUN.com.sap.aii.ibrun.sbeans.mapping.Messenger). In addition, value mappings can be traced (log configuration XIRUN.com.sap.aii.ibrun.server.valueMapping). In any case, make sure that the traces are only switched on for actual error analysis and are immediately switched off afterwards by setting the trace level to ERROR.
As the mapping service of the Integration Engine is called with a JCo RFC using SM59 destination AI_RUNTIME_JCOSERVER, payload data can also be traced in the ordinary RFC trace files. Similarly, HTTP traces can be switched on and read by using transaction SICF. In this way, the XI messages sent to and received by the Integration Engine can be read.
To avoid unauthorized tracing here, make sure that only a very restricted number of administrators have permission to use the Visual Administrator, access to the J2EE support page (ABAP role SAP_XI_ADMINISTRATOR_J2EE), access to the J2EE Engine file system, or access to transaction SM59 or SICF. Both transactions are included in authorization object S_TCODE in single role SAP_XI_ADMINISTRATOR_ABAP.
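The two checks described above (which roles grant S_XMB_MONI, and in particular activity 29 with unrestricted party/service/interface fields, and which roles grant transaction codes SM59 or SICF) can be run offline against an export of the role authorization table AGR_1251. The following script is an added example and not part of the SAP documentation; the sample rows are constructed, and the names of the S_XMB_MONI restriction fields in them (PARTY_FLD, SERVICE_FLD, INTERFACE_FLD) are placeholders, the real field names are those shown for the object in SU21.

```python
"""Audit an AGR_1251 export for S_XMB_MONI and trace-related transaction grants.

Added example, not SAP code. Input is a CSV export of table AGR_1251 with the
columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH. Rows are grouped per role and
authorization instance, then reported: which S_XMB_MONI activities are granted,
which restriction fields are left at '*', and which roles grant SM59 or SICF.
"""
import csv
import io
from collections import defaultdict

MONI_OBJECT = "S_XMB_MONI"
TCODE_OBJECT = "S_TCODE"
PAYLOAD_ACTIVITY = "29"          # Display saved data (message payload)
TRACE_TCODES = {"SM59", "SICF"}  # RFC destinations / HTTP trace

# Constructed sample export. Restriction field names are placeholders;
# take the real S_XMB_MONI field names from SU21.
SAMPLE_AGR_1251 = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_PI_ADMIN,S_XMB_MONI,T-XM000001,ACTVT,03,
Z_PI_ADMIN,S_XMB_MONI,T-XM000001,ACTVT,29,
Z_PI_ADMIN,S_XMB_MONI,T-XM000001,PARTY_FLD,*,
Z_PI_ADMIN,S_XMB_MONI,T-XM000001,SERVICE_FLD,*,
Z_PI_ADMIN,S_XMB_MONI,T-XM000001,INTERFACE_FLD,*,
Z_PI_ADMIN,S_TCODE,T-XM000005,TCD,SICF,
Z_PI_HR_SUPPORT,S_XMB_MONI,T-XM000002,ACTVT,03,
Z_PI_HR_SUPPORT,S_XMB_MONI,T-XM000002,PARTY_FLD,*,
Z_PI_HR_SUPPORT,S_XMB_MONI,T-XM000002,SERVICE_FLD,BS_HR_PAYROLL,
Z_PI_HR_SUPPORT,S_XMB_MONI,T-XM000002,INTERFACE_FLD,*,
Z_PI_HR_SUPPORT,S_TCODE,T-XM000003,TCD,SXMB_MONI,
Z_BASIS_DISPLAY,S_TCODE,T-XM000004,TCD,SM59,
"""


def parse_agr_1251(csv_text):
    """Group rows into {(role, object, auth): {field: set(values)}}.

    A maintained HIGH value denotes an interval; it is kept verbatim as
    'LOW-HIGH' so that broad intervals stay visible in the report.
    """
    grouped = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["LOW"]
        if row["HIGH"]:
            value = f"{row['LOW']}-{row['HIGH']}"
        key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
        grouped[key][row["FIELD"]].add(value)
    return grouped


def audit_s_xmb_moni(grouped):
    """One finding per S_XMB_MONI authorization instance, keyed by (role, auth)."""
    findings = {}
    for (role, obj, auth), fields in grouped.items():
        if obj != MONI_OBJECT:
            continue
        activities = sorted(fields.get("ACTVT", set()))
        restriction_fields = sorted(f for f in fields if f != "ACTVT")
        unrestricted = [f for f in restriction_fields if "*" in fields[f]]
        grants_payload = PAYLOAD_ACTIVITY in activities or "*" in activities
        findings[(role, auth)] = {
            "activities": activities,
            "unrestricted_fields": unrestricted,
            "grants_payload": grants_payload,
            # Payload of every message is visible: activity 29 with no
            # party/service/interface restriction at all.
            "payload_unrestricted": grants_payload
            and all("*" in fields[f] for f in restriction_fields),
        }
    return findings


def roles_with_trace_tcodes(grouped):
    """Sorted (role, tcode) pairs for roles that grant SM59 or SICF via S_TCODE."""
    hits = set()
    for (role, obj, _auth), fields in grouped.items():
        if obj != TCODE_OBJECT:
            continue
        for value in fields.get("TCD", set()):
            if value in TRACE_TCODES:
                hits.add((role, value))
            elif value == "*":        # full wildcard covers both transactions
                hits.update((role, t) for t in sorted(TRACE_TCODES))
    return sorted(hits)


if __name__ == "__main__":
    data = parse_agr_1251(SAMPLE_AGR_1251)
    for (role, auth), f in sorted(audit_s_xmb_moni(data).items()):
        flag = "PAYLOAD, UNRESTRICTED" if f["payload_unrestricted"] else ""
        print(f"{role:18} {auth:12} ACTVT={f['activities']} "
              f"wildcard={f['unrestricted_fields']} {flag}")
    for role, tcode in roles_with_trace_tcodes(data):
        print(f"{role:18} grants {tcode}")
```

Roles flagged as PAYLOAD, UNRESTRICTED are the candidates for the copy-and-adapt procedure described above; roles granting SM59 or SICF should be cross-checked against the short list of administrators who are meant to have them.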