User Authorizations in Integration Builder Tools

In both the Integration Repository and the Integration Directory, you can define more detailed authorizations that restrict access to design and configuration objects.

In both tools, you define such authorizations by choosing Tools → User Roles from the menu bar. The authorization for this menu option is provided by role SAP_XI_ADMINISTRATOR_J2EE. Of course, this role should only be granted to a very restricted number of administrators. To activate these more detailed authorizations, you must set exchange profile parameter com.sap.aii.ib.server.lockauth.activation to true.

The access authorizations themselves can be defined at the object-type level only (possibly restricted by a selection path), where you can specify each access action either individually as Create, Modify, or Delete for each object type, or as an overall access granting all three access actions.

The following table summarizes the object types that can be assigned to access actions:

| Tool | Selection Path | Object Types |
|---|---|---|
| Repository | Software component version → Namespace | All repository object types including the software component version itself |
| Directory | Partner → Service | partner, service, sender channel, receiver channel |
| Directory | Without selection path | configuration scenario, receiver determination, interface determination, sender agreement, receiver agreement |

When you activate the authorization in the Integration Builder, it is propagated as a user role to the associated User Management Engine (UME) with prefix XIRep. for an Integration Repository authorization and with prefix XIDir. for an Integration Directory authorization.

If you want to assign a specific authorization to a user, copy an appropriate composite role to a new composite role in ABAP role administration. Then assign the user to this new composite role and attach the specific authorization to the resulting UME group that corresponds to the new ABAP role.

Assign roles according to the least privilege principle, that is, define and assign only those roles that are explicitly needed by the designer or configurator, and nothing else.
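
The following added example (not SAP code and not part of the original documentation) shows one way to review planned access grants against the object-type table and the least privilege principle described above. The grant record layout, the function names, and the sample values are assumptions made for illustration.

```python
# Added example: least-privilege review of Integration Builder access grants.
# The grant record layout (tool, object_type, path, actions) is an assumption
# made for this sketch; it is not an SAP export format.
ACTIONS = {"Create", "Modify", "Delete"}

# Directory object types from the table on this page.
# True  = can be restricted by a Partner -> Service selection path
# False = listed under "Without selection path"
DIRECTORY_TYPES = {
    "partner": True, "service": True,
    "sender channel": True, "receiver channel": True,
    "configuration scenario": False, "receiver determination": False,
    "interface determination": False, "sender agreement": False,
    "receiver agreement": False,
}

def review_grant(grant):
    """Return a list of findings for one grant; an empty list means no remarks."""
    tool, otype = grant["tool"], grant["object_type"]
    path, actions = grant.get("path"), set(grant["actions"])
    findings = []
    if actions - ACTIONS:
        findings.append(f"unknown action(s): {sorted(actions - ACTIONS)}")
    if tool == "Repository":
        path_capable = True  # Software component version -> Namespace
    elif tool == "Directory" and otype in DIRECTORY_TYPES:
        path_capable = DIRECTORY_TYPES[otype]
    else:
        return findings + [f"{otype!r} is not a known object type for {tool!r}"]
    if path and not path_capable:
        findings.append("selection path given for a type that has none")
    if path_capable and not path:
        findings.append("not restricted by a selection path")
    if ACTIONS <= actions:
        findings.append("overall access: confirm Create, Modify and Delete are all needed")
    return findings

# Constructed sample grants for one designer and one configurator.
SAMPLE_GRANTS = [
    {"tool": "Repository", "object_type": "message mapping",
     "path": "SWCV_DEMO 1.0 -> urn:example:orders", "actions": ["Create", "Modify"]},
    {"tool": "Directory", "object_type": "receiver channel",
     "path": None, "actions": ["Create", "Modify", "Delete"]},
    {"tool": "Directory", "object_type": "sender agreement",
     "path": "PartnerA -> ServiceA", "actions": ["Modify"]},
]

def review_all(grants):
    """Map each grant's index to its findings, keeping only grants with remarks."""
    results = {i: review_grant(g) for i, g in enumerate(grants)}
    return {i: f for i, f in results.items() if f}
```

Calling review_all(SAMPLE_GRANTS) leaves the first grant without remarks and reports the unrestricted overall-access grant and the misplaced selection path for the other two.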