Creating Users with Data-Dependent Authorizations

Use

You perform the steps described in the following sections to create special user roles with authorizations restricted to specific data.

Prerequisites

You must have created the corresponding authorizations beforehand (see User Roles for further information).

Creating Users and Roles (User Groups)

Perform the following steps to create users and roles in AS-ABAP.

Since ABAP roles are mapped to J2EE user groups, the term role used in an ABAP context means user group in J2EE.

...

       1.      Use transaction SU01 to create a user, for example CUST_USER.

       2.      Use transaction PFCG to create a composite role, for example CUST_USER_ROLE, by either creating a new role or copying an existing role.

0     If you create a new role, ensure that you assign XXX_ABAP and XXX_J2EE single roles to this role, with XXX = SAP_XI_DEVELOPER, SAP_XI_CONFIGURATOR, or SAP_XI_CONTENT_ORGANIZER, depending on whether your new role is a developer, configurator, or content organizer.

0     If you copy an existing role, for example, SAP_XI_DEVELOPER for a restricted developer role, or SAP_XI_CONFIGURATOR for a restricted configurator role, ensure that this role is completely copied to the new role, but disable the copying of contained *ABAP and *J2EE single roles.

For more information, see Changing Dialog User Roles.

       3.      Delete all users from the role created in the previous step.

       4.      Use transaction PFCG to assign the user created in step 1 to the role created in step 2.

Assigning Roles to User Groups

Perform the following steps to assign ABAP roles to J2EE user groups in AS-Java.

...

       1.      Open the user management administration console from the J2EE Engine start page.

       2.      Choose the role maintenance function, select the new role, and choose Assign groups.

       3.      To obtain a list of groups, choose the plus icon (+).

       4.      Scroll to the user group (corresponding to the ABAP role) of interest and select it.

       5.      Confirm your selection.

       6.      Check and confirm the assignment on the following screen.

Assigning Unrestricted Roles to Predefined User Groups

You have to assign an unrestricted tool-specific role, for example XiRep_Unrestricted or XiDir_Unrestricted, to predefined user groups without data-dependent restrictions. For these users, only standard J2EE security applies. Otherwise, users of these groups do not have any permission once the additional data-dependent authorization checks are activated.

Perform the following steps to assign a predefined unrestricted role to standard user groups.

...

       1.      Open the user management console from the J2EE Engine start page.

       2.      Choose the role maintenance function, select the unrestricted role (for example XiRep_Unrestricted or XiDir_Unrestricted), and choose Assign Groups to.

       3.      To obtain a list of groups, choose the plus icon (+)

       4.      Select the relevant PI user groups, omit SAP_XI_DEMOAPP, and confirm your selection.

The relevant PI user groups are:

0     The ABAP dialog user roles listed and described in Dialog Users.

0     The roles of the PI service users listed and described in Service Users.

 Activating Data-Dependent Authorization Checks

Perform the following steps to activate the additional, data-dependent authorization checks.

...

       1.      To access the exchange profile from the Integration Builder start page, choose Administration ® Exchange Profile.

       2.      Go to IntegrationBuilder ® IntegrationBuilder.Repository and select (if available) or create the property com.sap.aii.util.server.auth.activation.

       3.      Set the property com.sap.aii.util.server.auth.activation. to true and Save your settings.

       4.      Go to IntegrationBuilder ® IntegrationBuilder.Directory and repeat steps 2 and 3.

       5.      Choose All Properties to display and Refresh the properties of the Integration Builder.

       6.      Choose All Properties again and verify that the property com.sap.aii.util.server.auth.activation in the list of properties has the correct value.