How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
Transcript of How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 1/45
SAP NetWeaver
How-To Guide
How To Setup Profile Based
Authorization In ESR Using PI 7.1
EHP1
Applicable Releases:
SAP NetWeaver Process Integration 7.11 and higher
Topic Area:
SOA Middleware
Capability:
SOA Management
Version 1.0
Sep 2010
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 2/45
© Copyright 2010 SAP AG. All rights reserved.
No part of this publication may be reproduced or
transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained
herein may be changed without prior notice.Some software products marketed by SAP AG and its
distributors contain proprietary software components of
other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are
registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel
Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390,
OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP,
Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix,
i5/OS, POWER, POWER5, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader
are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other
countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame,
WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks orregistered trademarks of W3C®, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems,
Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP
NetWeaver, and other SAP products and services
mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in
Germany and in several other countries all over the world.
All other product and service names mentioned are the
trademarks of their respective companies. Data contained
in this document serves informational purposes only.
National product specifications may vary.
These materials are subject to change without notice.
These materials are provided by SAP AG and its affiliated
companies ("SAP Group") for informational purposes only,
without representation or warranty of any kind, and SAP
Group shall not be liable for errors or omissions withrespect to the materials. The only warranties for SAP
Group products and services are those that are set forth in
the express warranty statements accompanying such
products and services, if any. Nothing herein should be
construed as constituting an additional warranty.
These materials are provided “as is” without a warranty of
any kind, either express or implied, including but not
limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall not be liable for damages of any kind including
without limitation direct, special, indirect, or consequential
damages that may result from the use of these materials.
SAP does not warrant the accuracy or completeness of the
information, text, graphics, links or other items contained
within these materials. SAP has no control over the
information that you may access through the use of hot
links contained in these materials and does not endorse
your use of third party web pages nor provide any warranty
whatsoever relating to third party web pages.
SAP NetWeaver “How -to” Guides are intended to simplify
the product implementation. While specific product
features and procedures typically are explained in a
practical business context, it is not implied that those
features and procedures are the only approach in solving a
specific business problem using SAP NetWeaver. Should
you wish to receive additional information, clarification or
support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (“Code”)
included in this documentation are only examples and are
not intended to be used in a productive system
environment. The Code is only intended better explain and
visualize the syntax and phrasing rules of certain coding.
SAP does not warrant the correctness and completeness of
the Code given herein, and SAP shall not be liable forerrors or damages caused by the usage of the Code, except
if such damages were caused by SAP intentionally or
grossly negligent.
Disclaimer
Some components of this product are based on Java™. An y
code change in these components may cause unpredictable
and severe malfunctions and is therefore expressively
prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only
to be used by SAP’s Support Services and may not be
modified or altered in any way.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 3/45
Document History
Document Version Description
1.00 First official release of this guide
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 4/45
Typographic Conventions
Type Style Description
Example Text Words or characters quoted
from the screen. These
include field names, screen
titles, pushbuttons labels,
menu names, menu paths,
and menu options.
Cross-references to other
documentation
Example text Emphasized words or
phrases in body text, graphic
titles, and table titles
Example text File and directory names and
their paths, messages,
names of variables and
parameters, source text, and
names of installation,
upgrade and database tools.
Example text User entry texts. These are
words or characters that you
enter in the system exactly as
they appear in the
documentation.
<Example
text>
Variable user entry. Angle
brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT Keys on the keyboard, for
example, F2 or ENTER.
Icons
Icon Description
CautionNote or Important
Example
Recommendation or Tip
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 5/45
Table of Contents
1. Business Scenario .......................................................................................................... 1
1.1
Introduction .............................................................................................................. 1
1.2
Scenario Description ................................................................................................ 2
2. Background Information ................................................................................................. 3
3. Prerequisites.................................................................................................................... 3
3.1 Roles ....................................................................................................................... 3
3.2 Software .................................................................................................................. 4
3.3 Relevant SAP Notes ................................................................................................ 4
4. Filters ............................................................................................................................... 4
4.1 Usage Profiles ......................................................................................................... 5
4.1.1
Scenario 1 (ESR Access Control using Usage Profiles)................................. 5
5. Edit Authorizations ........................................................................................................ 17
5.1 Scenario 2 (Editing Authorization for Users) ........................................................... 18
5.2 Inherit Selective authorizations............................................................................... 21
5.3 Propagate authorizations to all Substructures......................................................... 23
5.4 Scenario 3 (Edit Authorization for Usage Profiles) .................................................. 24
6. User Roles ..................................................................................................................... 27
6.1 Scenario 4 (Assigning ESR Role to Users) .............................................................. 28
7. Appendix ........................................................................................................................ 39
7.1 Help Documentation ............................................................................................... 39
7.2 SDN References ..................................................................................................... 39
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 6/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 1
1. Business Scenario
1.1 Introduction
Enterprise Service Repository (ESR) is a central repository for various design time objects and
Software Components Versions. Several users access the ESR for building services and models
based on their business requirements. Many a times a user logging into ESR do not make use of all
the available ESR objects as each user has a different purpose of using ESR.
For example, there may be a situation where ESR is used by users from different projects or modules.
Here, the need for a personalized development environment arises. Capability of restricting users
according to the project requirements also comes in handy. Assigning the user only a small subset of
the ESR objects also helps reducing complexity of the tool.
The following diagram gives an example of different users accessing the ESR objects:
Figure 1: ESR Access by multiple users
SAP NetWeaver Process Integration 7.1 EHP1 provides all of these capabilities. There are a variety of
features which enables the Administrator to manage the access for each user. Also, users can choose
the required object types to work with using Filters which are a part of ESR now. There is also a
provision of providing different kinds of access to different users or roles or groups.
Note
The Enterprise Service Repository is also referred as ESR or ES Repository in this
document.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 7/45
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 8/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 3
The following graphic depicts the scenario described:
.
Figure 2: ESR Access by multiple users
Note
Here the users can be assigned to any of the Usage Profiles depending on their usage of
ESR.
2. Background Information
This guide explains how to control the user access in ESR using PI 7.1 EHP1 and higher. Primarily
three areas are covered in this document.
1. Filters
2. Authorizations
3. Roles
3. Prerequisites
3.1 RolesUsers with the following roles are available for configuring the scenarios:
1. Administrator
(Include the roles SAP_XI_ADMINISTRATOR_J2EE and SAP_XI_CONTENT_ORGANIZER_J2EE )
2.Developer
(Exclude the roles SAP_XI_ADMINISTRATOR_J2EE and SAP_XI_CONTENT_ORGANIZER_J2EE
and should only have developer rights)
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 9/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 4
3.2 Software
This guide makes the following assumptions:
SAP NetWeaver PI 7.1 EHP 1 or higher is installed.
The software component version SAP Basis 7.11 or higher content is imported to theES Repository.
3.3 Relevant SAP Notes1313190 - No usage profiles found during login process
4. FiltersThis section covers the usage of Filters in Enterprise Service Repository to simplify the UI for the ESR
user.
The Enterprise Service Repository provides an option to filter the object types by selecting the arrow
next to the piped symbol Change Filter Settings in the navigation area of the ESR.
Figure 3: Select Object Types
Using this feature the users can hide the objects according to their individual requirements.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 10/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 5
Figure 4: Choose Object Types
4.1 Usage Profiles
Depending on your requirement you need to choose a usage profile while logging into ESR.Usage
Profiles allows the administrator to define filters for ESR Objects.The advantages of Usage profiles
will be discussed using Scenario1.
Note
This guide assumes that SWCVs and some ESR objects like service interfaces and
message types are already available in ESR.
4.1.1 Scenario 1 (ESR Access Control using Usage Profiles)
For the scenario description, please refer to Section 1.2.
The user used for configuring the scenario should have Administrator roles (Please refer to Section
3.1.1)
For configuring this scenario three different usage profiles have to be created in the Enterprise Service
repository.
1. Admin_Profile
2. Developer_Profile
3. DisplayUser_Profile
Create Usage Profiles
Log on to the ES Repository with Administrator user. If you are logging on to the ES Builder for the
first time, the Select Usage Profile dialog box is displayed.Select the Unrestricted profile.This profile is
a part of the standard SAP Basis 7.11 content.
For creating the Usage Profile click on New button in the Navigation area of the ES Builder.
Figure 5: Create Object
The Create Object dialog box is displayed. Choose Usage Profile under Work Areas node.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 11/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 6
Admin_Profile
Figure 6: Create usage profiles
Enter the Name Admin_Profile,SWCV and Description.Click on Create button.
The Edit Usage Profile window opens.There are different options which helps the user to filter theSWCVs and objects and choose the Business Modelling Filters.Since this is the Admin_Profile there is
no restriction added to it.
Figure 7: Edit usage profiles
Click on Save button.Right click on the Admin profile and Activate it.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 12/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 7
Change Usage Profiles
For changing the Usage profile choose the arrow next to the Change Filter Settings button in the
navigation area of the ESR. Choose Change Usage Profile.
Figure 8: Change Usage Profiles
The Select Usage Profile dialog box opens.The Admin_Profile created appears in the dropdown
list.Choose Admin_Profile and click on Choose button.
Figure 9: Select Usage Profile
The user, who chooses this usage profile, will have access to all the ES Repository Objects
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 13/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 8
Figure 10: Display available ESR objects
Developer_Profile
Similarly create Developer profile.
Figure 11: Create Developer_Profile
In the Edit Usage Profile window of the Developer_Profile choose any two SWCVs.For this, first the
Allow All Software Component Versions checkbox has to be deselected and Deselect All checkbox
has to be checked.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 14/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 9
Figure 12: Edit Developer_Profile
Go to the Object Types tab. Deselect the Allow All Object types checkbox.
Figure 13: Select Object Types for Developer_Profile
Select few object types and provide both Display and Edit permissions by selecting the Visible Object
types and Editable Object Types checkboxes.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 15/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 10
Figure 14: Select Editable Object Types for Developer_Profile
Click on Save button and Activate the Usage Profile.
Figure 15: Activate Developer_Profile
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 16/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 11
Figure 16: Change List for Developer_Profile
Now change the Usage profile to Developer_Profile by choosing the Change Usage Profile option
Under the Change fIlter Settings in the Navigaton Area
Figure 17: Change Usage profile
Figure 18: Select Developer_Profile
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 17/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 12
Now go to any object types for which edit permission was provided.for e.g. Service Interface and try
editing the object.The object should be editable.
Figure 19: Edit Service Interface
Also, click on the Create Object button in the navigation Area.The Create Object dialog box appears.
Figure 20: Create New Object
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 18/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 13
As you can observe in the above figure, only the objects for which editable permission was given is
available for creation.All other object types for eg: Process Integration Scenario Objects are not visble
in the dialog box.
Display User profile
The usage profiles, which are already created, are visible under the Configurations node in the
navigation tree.
We can also create usage profiles by right clicking on the Configurations node.
Figure 21: Create New Usage Profile
The third usage profile to be created is the DisplayUser_profile.
Figure 22: Create DisplayUser_Profile
In the Edit Usage Profile window,select the SWCVs used for the current project.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 19/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 14
Figure 23: Edit DisplayUser_Profile
Go to the Object Types tab.Select only Visible Object Types checkbox for certain objects
Figure 24: Choose Object Types for DisplayUser_Profile
Click on Save button to save the Usage Profile.
Activate the Usage Profile.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 20/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 15
Figure 25: Activate DisplayUser_Profile
Figure 26: Change List for DisplayUser_Profile
Now choose the DisplayUser_Profile Usage profile using the Change Filter Settngs->Change
Usage Profile option.
Go to any of the available Object Types under this profile.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 21/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 16
Figure 27: Object is not editable under the current usage profile
As you can observe in the figure above, the information Object is not editable under current usage
profile appears
Now, click on Create Object icon in the navigation area.
As you can observe only the following objects can be created by a user who has selected the
DisplayUser_Profile.
Figure 28: Create New Object under DisplayUser_Profile
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 22/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 17
5. Edit AuthorizationsThis section talks about the Edit Authorization feature available in the ES Repository.This feature is
elaborated using Scenario 2.
Figure 29: Edit Authorizations
The Edit Authorization feature can be applied to a SWCV, namespace or a folder.The authorization is
checked based on hierarchy.First the system checks for the authorizations assigned to the folder, then
authorizations assigned to namespaces and software component versions.
You can define authorizations for a user,a group or a role.The user, defining the authorization, should
have Administrator rights.
Exchange Profile Configuration
For making use of the Edit Authorization feature, the exchange Profile parameter
com.sap.aii.ib.server.acl.enable has to be activated.
Goto Administration->Exchange Profile
Figure 30: Enable ACL property in Exchange Profile
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 23/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 18
5.1 Scenario 2 (Editing Authorization for Users)
For the scenario description, please refer to Section 1.2.
This scenario showcases how users can be restricted based on authorizations provided to them.
Login to the ES Repository with Administrator user.
Figure 31: Edit Authorization for the namespace
Choose menu option Tools-> Default Settings for Authorizations if you want to edit
default settings.
Right click on your namespace and select Edit Authorization option in the context menu. The default
settings for authorizations will be displayed in the Authorizations dialog box.Click on the Insert New
Authorization icon to add new authorizations.
In the Type column select User.In the Name column choose the user name( Mark) for whom the
authorization has to be assigned.In the Permissions column dialog box, and provide both Edit
Authorizations (gives permission to modify the authorizations assigned) and Write(gives
permissions to create,modify and delete objects) permissions to the user
Figure 32: Select Authorizations
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 24/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 19
Figure 33: Edit Authorizations dialog box
Click on Apply button.
Now Login with the second user Ron.
Note
This user should not have Administrator rights.
Figure 34: Log on to ES Repository
When this user tries to Edit any object under the namespace to which Edit Authorization was given,
the following message appears:
Insufficient authorization to change the object
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 25/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 20
Figure 35: Edit Service Interface: Insufficient authorization to change object
But if the first user Mark logs in to ESR
Figure 36: Log on to ES Repository
The same object can be edited with this user.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 26/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 21
Figure 37: Edit Service Interface
5.2 Inherit Selective authorizationsFor inheriting authorizations assigned to the objects at a higher level, right click on the folder or
namespace for which you want to inherit authorization and select Edit Authorization from the context
menu.
Figure 38: Edit Authorizations
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 27/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 22
Figure 39: Inherit Selective Authorizations
Click on Inherit Selective Authorizations icon.Select the Authorizations required in the Select Selective
Authorizations dialog box.
Figure 40: Select Selective Authorization
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 28/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 23
Figure 41: Apply Edit Authorizations
Click on Apply button
5.3 Propagate authorizations to all SubstructuresTo propagate the authorizations assigned to the objects at a higher level, to all the substructures, right
click on the folder or namespace and select Edit Authorization from the context menu.
Figure 42: Edit Authorizations
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 29/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 24
Figure 43: Propagate All authorizations to Substructures
Click on the Propagate All Authorization to Substructures icon.
5.4 Scenario 3 (Edit Authorization for Usage Profiles)
In Scenario 1, you had seen how to restrict access using Usage Profiles. But, in this case, any user
can change to a different usage profile and access the ESR objects. To avoid this, in Scenario 3, theEdit Authorization option will be applied to Usage Profiles. In this way user can be controlled from
changing to Usage Profiles which are restricted for him/her.
For the scenario description, please refer to Section 1.2.
Administration Settings
To delete the default usage profiles assigned to a user, go to Administration->User Profiles
Select your user and click on Remove button.
Figure 44: Administration Personalization Information
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 30/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 25
Figure 45: Remove Personalization information
The Usage Profiles created earlier in Scenario1 are used in this Scenario.Right click on the
Developer_Profile under the node Configurations
Figure 46: Edit Authorizations for usage profiles
Select any user and enable Execute Report Permission for the user
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 31/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 26
Figure 47: Select Execute Report authorization
Figure 48: Apply Edit Authorizations
Click on Apply button
Now login with any other user (Ron)
Note
This user should not have Administrator rights.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 32/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 27
Figure 49: Log on to ES Repository
You can observe in the Figure below that the Developer_Profile is not available for selection for this
user anymore.
Figure 50: Select Usage profile dropdown list
6. User Roles
User Roles can be created in ESR for providing different authorizations for ESR objects.The exchange
Profile parameter com.sap.aii.util.server.auth.activation has to be set to true for User Roles.
Exchange Profile Configuration
Goto Administration->Exchange Profile
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 33/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 28
Figure 51: Exchange profile settings for user roles
6.1 Scenario 4 (Assigning ESR Role to Users)
For the scenario description, please refer to Section 1.2.
Using this scenario you will be able to understand how to create ESR user roles and how Edit
Authorization can be used along with the newly created role.
Using user roles, the Administrator user can create a role depending on the project requirements.The
newly created role can be assigned to a user.In this way the user can be restricted from accessing
SWCVs and ESR objects.
The Edit Authorization feature discussed earlier, can also be applied to a ESR role.This will help in
restricting/providing ESR object access to a set of users who were assigned the newly created ESR
role.
Creating Roles
For creating User Roles, login to ES Repository with the Administrator user and goto menu option
Tools->User Roles->New
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 34/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 29
Figure 52: Create User role
Enter a name Test_Role and click on Create button
Figure 53: Create Test_Role
The Edit User Role window, click on the the Add Selection Paths button.There is an option of including
or excluding SWCVs and Object types for a particular role.
Figure 54: Edit User role
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 35/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 30
Select the SWCVs you want to include and click on OK button
Figure 55: Choose SWCV for the User role
There is an option of including or excluding object types.
Figure 56: Include/Exclude Object Types
By choosing the Any Type under Types column we choose the object types to be included or
excluded.
Figure 57: Choose Object Types
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 36/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 31
There is also an option of granting/excuding the permissions for certain actions by selecting the
actions in the Actions column
Figure 58: Choose actions for User Role
Figure 59: Save User Role
Click on Save button
Once the role is created it has to be activated.Choose the Activate User Role button.
Figure 60: Activate User Role
The already created user roles can be viewed by going to menu Tools->User Roles->Open
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 37/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 32
Figure 61: Open User Roles
The newly created role Test_Role appears in the list displayed.
Figure 62: Display User Roles
The ESR Role created, can be assigned to a user as described in the section Assigning the Role to
a User.
Define Edit authorization for Role
Users with the newly created role can be also be granted authorizations.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 38/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 33
Figure 63: Edit Authorizations
Right click on the namespace and select Edit Authorizations from the context menu.
Figure 64: Select XIRep_Test_Role
Select the Type as Role and on selection of the available roles, the newly created ESR role
XIRep_Test_Role appears in the Select Role dialog box.Choose the Name as
XIRep_Test_Role and after selecting the required authorization click on Apply button.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 39/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 34
Figure 65: Apply Edit Authorizations
Assigning the Role to a User
To assign the newly created ESR role to a user, login to the Netweaver Administrator of the PI system.
Navigate to Identity Management
Figure 66: Identity Management
Choose the user to which the role has to be asigned and click on Go button.
Note
This user should be available already in the system.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 40/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 35
Figure 67: Select User in Identity Management
Select the user and Click on Modify button.Navigate to the Assigned Roles tab.
The already assigned roles are displayed under Available Roles.In the Search Criteria enter XIRep*
and click on Go button.
Select the XIRep_Test_Role and click on Add button.
Figure 68: Add XIRep_Test_Role
The added role now appears under the Assigned Roles.
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 41/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 36
Figure 69: Display Assigned Role XIRep_Test_Role
Figure 70: Save Assigned Roles
Click on Save button
Figure 71: Display Assigned Roles
Now login to the ESR with user to which the role was assigned.
Figure 72: Log on to ES Repository
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 42/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 37
Figure 73: Switch between display and Edit Modes
If the user now tries to edit objects which were excluded from editing for the Test_Role, the following
message appears:
Insufficient authorization to change object
Figure 74: Insufficient authorization to edit object
Also on trying to create a new object type which was excluded from having edit permission in the user
role, the same message is displayed.
Click on Create New Object button .
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 43/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 38
Figure 75: Create New Object
When the details are entered and the Create button is clicked the following error message appears:
Insufficient authorization to create object
Figure 76: Insufficient authorization to create object
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 44/45
How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1PI 7.1 EHP1
September 2010 39
7. Appendix
7.1 Help Documentation
To configure Usage Profiles, see the documentation at
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/5f809ba094501ae10000000a42189b/frameset.h
tm
http://help.sap.com/saphelp_nwpi711/helpdata/en/9e/30abd2358d4c8a8ba48a7f868cc54f/content.htm
7.2 SDN Referenceshttp://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00a8defd-e400-2c10-faaf-
8049d83d1e94?QuickLink=events&overridelayout=true
7/21/2019 How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1
http://slidepdf.com/reader/full/how-to-setup-profile-based-authorization-in-esr-using-pi-71-ehp1 45/45
www.sdn.sap.com/irj/sdn/howtoguides