Custom user role for SAP PO connection to production systems: access to specific interfaces only

This tutorial explains how to prepare a custom role for the production SAP PO system that restricts access to the message content of a specific interface only.

We created this page based on the information from Michal Krawczyk's blog and SAP Note 1370334.

Step-by-step guide

  1. Download this archive.
  2. Open it and unpack the "sap.com~com.sap.xi.mdt.actions.ump" file.
  3. Unpack the files from this archive and edit the actions.xml file. Here you have an example:

This tutorial limits access to particular services. It is also possible to control access to interfaces; the details are presented in SAP Note 1370334.

4. In actions.xml, replace the XYZ tag with the service that should be accessible by this role. If more than one service is needed, create a separate action for each one. All actions then need to be assigned to the role by multiple occurrences of the ASSIGNEDACTION node in the ROLE node.

5. Save actions.xml and update sap.com~com.sap.xi.mdt.actions.ump. Then replace this archive in the main ear file.

6. Deploy sap.com~com.sap.xi.mdt.actions.ear to the PI server.

7. Go to the address http://<host>:<port>/nwa/sys-config

8. Go to the "Service" tab.

9. Search for the 'config service' phrase.

10. Choose "XPI Service: All Config Service", then in the "Properties" tab, choose the "Add" button.

11. Add a new property with this data:
Name: com.sap.aii.rwb.server.auth.UME
Value: true

12. After these steps, restart the PI Server.

13. Go to user management and create a new PI user with these roles:
SAP_XI_PCK_MONITOR
INT4
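
A pre-deployment check for steps 4 and 5, added here as an example and not taken from the original tutorial or from SAP: it verifies that every action in the edited actions.xml is assigned to a role, that every ASSIGNEDACTION points at a defined action, and that no XYZ placeholder is left. The sample XML is constructed; the ACTION, PERMISSION and BUSINESSSERVICE element names and the NAME attribute are assumptions about the file layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the file shipped in the archive. ROLE and
# ASSIGNEDACTION come from step 4; ACTION, PERMISSION, BUSINESSSERVICE and the
# NAME attribute are assumptions, and the PERMISSION values are placeholders.
SAMPLE_ACTIONS_XML = """\
<BUSINESSSERVICE NAME="constructed_service">
  <ACTION NAME="view_ServiceA">
    <PERMISSION CLASS="PLACEHOLDER_CLASS" NAME="ServiceA" VALUE="PLACEHOLDER"/>
  </ACTION>
  <ACTION NAME="view_ServiceB">
    <PERMISSION CLASS="PLACEHOLDER_CLASS" NAME="XYZ" VALUE="PLACEHOLDER"/>
  </ACTION>
  <ROLE NAME="INT4">
    <ASSIGNEDACTION NAME="view_ServiceA"/>
    <ASSIGNEDACTION NAME="view_ServiceC"/>
  </ROLE>
</BUSINESSSERVICE>
"""


def lint_actions(xml_text, placeholder="XYZ"):
    """Return a list of consistency problems in an actions.xml document."""
    root = ET.fromstring(xml_text)
    problems = []
    defined = {a.get("NAME") for a in root.iter("ACTION")}
    roles = list(root.iter("ROLE"))
    if not roles:
        problems.append("no ROLE node found")
    assigned_anywhere = set()
    for role in roles:
        assigned = {a.get("NAME") for a in role.iter("ASSIGNEDACTION")}
        assigned_anywhere |= assigned
        for name in sorted(assigned - defined):
            problems.append(f"role {role.get('NAME')}: assigned action {name} is not defined")
    for name in sorted(defined - assigned_anywhere):
        problems.append(f"action {name} is defined but not assigned to any role")
    # A leftover placeholder means an action was never pointed at a real service.
    for elem in root.iter():
        values = list(elem.attrib.values()) + [elem.tag, elem.text or ""]
        if any(placeholder in v for v in values):
            problems.append(f"<{elem.tag}> still contains the {placeholder} placeholder")
    return problems


if __name__ == "__main__":
    for problem in lint_actions(SAMPLE_ACTIONS_XML):
        print(problem)
```

Run it against the edited file before repacking the .ump archive; an empty result means the role and its actions are consistent.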

© 2017 - 2022 Int4 AG All rights reserved