Dialog Users

Dialog Users

Dialog users represent human users (as opposed to service users), who log on through the various UIs of the Integration Builder, System Landscape Directory, and Runtime Workbench. Dialog users are generally maintained in SAP NetWeaver usage type Application Server ABAP. A session-based single sign-on is supported.

The roles for the different dialog users displayed in the following table are predefined and shipped. Each role includes at least display authorizations for all PI components.

Dialog User Roles in a PI Landscape

Dialog User Role

Description

SAP_XI_DISPLAY_USER

Read-only access to Integration Directory and Integration Repository

SAP_XI_SUPPORT

Read-only access to Integration Directory and Integration Repository, and to specific administration pages (see below) of the Integration Server’s J2EE engine.

This role is required for SAP support using Solution Manager Diagnostics (SMD).

SAP_XI_DEVELOPER

Design and development of integration processes

SAP_XI_CONFIGURATOR

Configuration of business integration content

SAP_XI_CONTENT_ORGANIZER

Maintenance of System Landscape Directory content

SAP_XI_MONITOR

Monitoring of PI components and messages

SAP_XI_ADMINISTRATOR

Technical configuration and administration of PI

To see further details on these roles, call the Role Maintenance transaction (PFCG).

Each role is a composite role consisting of an ABAP role (with suffix _ABAP) that is only relevant when the dialog user executes an ABAP application, and a J2EE role (with suffix _J2EE) relevant for J2EE applications such as the Integration Repository or the Integration Directory. The roles are propagated to user groups of the user management engine (UME), which are then assigned to security roles for Java applications by using the Security Provider service of the Visual Administrator.

For information on how to enable more detailed authorization concepts for the Integration Repository, the Integration Directory, or in message monitoring see Further Security Tasks and Topics.

All these roles are security-relevant and should be given to dialog users only in a restricted form.

Administration Pages with Read-Access Relevant to Role SAP_XI_SUPPORT

Name in SMD

URL on J2EE Engine

Exchange Profile

http://<host:port>/exchangeProfile

Admin

http://<host:port>/rep/support/admin/index.html

Aii-Properties

http://<host:port>/rep/support/public/ViewProperties.jsp

Lock Overview

http://<host:port>/rep/support/public/LockAdminService

Cache Overview

http://<host:port>/rep/support/public/ViewCaches

Java Web Start Admin

http://<host:port>/rep/support/admin/status.html

General

http://<host:port>/rep/support/info.jsp

The Partner Connectivity Kit (PCK) offers different security roles that are deployed during the installation of the PCK together with the corresponding J2EE components and that are assigned to the user PCKUSER created during installation. The following table summarizes the security roles in the PCK.

Security Roles in the PCK

Security Role

Description

Administer

J2EE component sap.com/com.sap.xi.pck*aii_ib_sbeans.jar

With this role you can access the configuration interface.

Display

J2EE component sap.com/com.sap.xi.mdt*mdt

With this role you can view messages in the message monitor.

Modify

J2EE component sap.com/com.sap.xi.mdt*mdt

With this role you can modify messages in the message monitor.

Payload

J2EE component sap.com/com.sap.xi.mdt*mdt

With this role you can view message payloads in the message monitor.

xi_af_adapter_monitor

J2EE component sap.com/com.sap.aii.af.app*AdapterFramework

With this role you can view the state of individual adapters.

Support

J2EE component sap.com/com.sap.xi.pck*pck

With this role you can access the PCK Administration from the PCK start page for maintaining PCK configuration parameters.

If several users are to work with the PCK, create different users for them and assign each user to the specific role required.