How to Setup Profile Based Authorization in ESR Using PI 7.1 EHP1


 SAP NetWeaver

How-To Guide

How To Setup Profile Based Authorization In ESR Using PI 7.1 EHP1

Applicable Releases: SAP NetWeaver Process Integration 7.11 and higher

Topic Area: SOA Middleware

Capability: SOA Management

Version 1.0

Sep 2010


© Copyright 2010 SAP AG. All rights reserved.


Document History

Document Version Description

1.00 First official release of this guide


Table of Contents

1. Business Scenario
1.1 Introduction
1.2 Scenario Description
2. Background Information
3. Prerequisites
3.1 Roles
3.2 Software
3.3 Relevant SAP Notes
4. Filters
4.1 Usage Profiles
4.1.1 Scenario 1 (ESR Access Control using Usage Profiles)
5. Edit Authorizations
5.1 Scenario 2 (Editing Authorization for Users)
5.2 Inherit Selective authorizations
5.3 Propagate authorizations to all Substructures
5.4 Scenario 3 (Edit Authorization for Usage Profiles)
6. User Roles
6.1 Scenario 4 (Assigning ESR Role to Users)
7. Appendix
7.1 Help Documentation
7.2 SDN References


1. Business Scenario

1.1 Introduction

The Enterprise Service Repository (ESR) is a central repository for various design-time objects and Software Component Versions. Several users access the ESR to build services and models based on their business requirements. Often a user logging in to the ESR does not make use of all the available ESR objects, as each user has a different purpose for using the ESR.

For example, the ESR may be used by users from different projects or modules. Here, the need for a personalized development environment arises. The capability to restrict users according to the project requirements also comes in handy. Assigning a user only a small subset of the ESR objects also helps reduce the complexity of the tool.

The following diagram gives an example of different users accessing the ESR objects:

Figure 1: ESR Access by multiple users

SAP NetWeaver Process Integration 7.1 EHP1 provides all of these capabilities. A variety of features enable the Administrator to manage the access for each user. Users can also choose the object types they want to work with using Filters, which are now part of the ESR. Different kinds of access can also be provided to different users, roles, or groups.

Note

The Enterprise Service Repository is also referred to as ESR or ES Repository in this document.


The following graphic depicts the scenario described:

Figure 2: ESR Access by multiple users

Note

Here the users can be assigned to any of the Usage Profiles depending on their usage of ESR.

2. Background Information

This guide explains how to control user access in ESR using PI 7.1 EHP1 and higher. The document primarily covers three areas:

1. Filters

2. Authorizations

3. Roles

3. Prerequisites

3.1 Roles

Users with the following roles are available for configuring the scenarios:

1. Administrator (includes the roles SAP_XI_ADMINISTRATOR_J2EE and SAP_XI_CONTENT_ORGANIZER_J2EE)

2. Developer (excludes the roles SAP_XI_ADMINISTRATOR_J2EE and SAP_XI_CONTENT_ORGANIZER_J2EE and should only have developer rights)


3.2 Software

This guide makes the following assumptions:

- SAP NetWeaver PI 7.1 EHP 1 or higher is installed.

- The software component version SAP Basis 7.11 or higher content is imported to the ES Repository.

3.3 Relevant SAP Notes

1313190 - No usage profiles found during login process

4. Filters

This section covers the usage of Filters in the Enterprise Service Repository to simplify the UI for the ESR user.

The Enterprise Service Repository provides an option to filter the object types by selecting the arrow next to the piped symbol Change Filter Settings in the navigation area of the ESR.

Figure 3: Select Object Types

Using this feature, users can hide objects according to their individual requirements.


Figure 4: Choose Object Types

4.1 Usage Profiles

Depending on your requirement, you need to choose a usage profile while logging in to ESR. Usage Profiles allow the administrator to define filters for ESR objects. The advantages of Usage Profiles are discussed using Scenario 1.

Note

This guide assumes that SWCVs and some ESR objects like service interfaces and message types are already available in ESR.

4.1.1 Scenario 1 (ESR Access Control using Usage Profiles)

For the scenario description, please refer to Section 1.2.

The user configuring the scenario should have Administrator roles (please refer to Section 3.1.1).

To configure this scenario, three different usage profiles have to be created in the Enterprise Service Repository:

1. Admin_Profile

2. Developer_Profile

3. DisplayUser_Profile

Create Usage Profiles

Log on to the ES Repository as an Administrator user. If you are logging on to the ES Builder for the first time, the Select Usage Profile dialog box is displayed. Select the Unrestricted profile. This profile is part of the standard SAP Basis 7.11 content.

To create the Usage Profile, click the New button in the navigation area of the ES Builder.

Figure 5: Create Object

The Create Object dialog box is displayed. Choose Usage Profile under the Work Areas node.


Admin_Profile

Figure 6: Create usage profiles

Enter the Name Admin_Profile, the SWCV and a Description. Click the Create button.

The Edit Usage Profile window opens. It offers different options that help the user filter the SWCVs and objects and choose the Business Modelling Filters. Since this is the Admin_Profile, no restriction is added to it.

Figure 7: Edit usage profiles

Click the Save button. Right-click the Admin profile and activate it.


Change Usage Profiles

To change the Usage Profile, choose the arrow next to the Change Filter Settings button in the navigation area of the ESR. Choose Change Usage Profile.

Figure 8: Change Usage Profiles

The Select Usage Profile dialog box opens. The Admin_Profile created earlier appears in the dropdown list. Choose Admin_Profile and click the Choose button.

Figure 9: Select Usage Profile

A user who chooses this usage profile has access to all the ES Repository objects.


Figure 10: Display available ESR objects

Developer_Profile

Similarly, create the Developer profile.

Figure 11: Create Developer_Profile

In the Edit Usage Profile window of the Developer_Profile, choose any two SWCVs. To do this, first deselect the Allow All Software Component Versions checkbox and select the Deselect All checkbox.


Figure 12: Edit Developer_Profile

Go to the Object Types tab. Deselect the Allow All Object types checkbox.

Figure 13: Select Object Types for Developer_Profile

Select a few object types and provide both Display and Edit permissions by selecting the Visible Object Types and Editable Object Types checkboxes.


Figure 14: Select Editable Object Types for Developer_Profile 

Click the Save button and activate the Usage Profile.

Figure 15: Activate Developer_Profile 


Figure 16: Change List for Developer_Profile 

Now change the Usage Profile to Developer_Profile by choosing the Change Usage Profile option under Change Filter Settings in the navigation area.

Figure 17: Change Usage profile

Figure 18: Select Developer_Profile


Now go to any object type for which edit permission was provided, for example Service Interface, and try editing the object. The object should be editable.

Figure 19: Edit Service Interface

Also, click the Create Object button in the navigation area. The Create Object dialog box appears.

Figure 20: Create New Object


As you can observe in the above figure, only the object types for which editable permission was given are available for creation. All other object types, for example Process Integration Scenario objects, are not visible in the dialog box.

Display User profile

The usage profiles that have already been created are visible under the Configurations node in the navigation tree.

You can also create usage profiles by right-clicking the Configurations node.

Figure 21: Create New Usage Profile

The third usage profile to be created is the DisplayUser_Profile.

Figure 22: Create DisplayUser_Profile

In the Edit Usage Profile window, select the SWCVs used for the current project.


Figure 23: Edit DisplayUser_Profile

Go to the Object Types tab. Select only the Visible Object Types checkbox for certain objects.

Figure 24: Choose Object Types for DisplayUser_Profile

Click the Save button to save the Usage Profile.

Activate the Usage Profile.


Figure 25: Activate DisplayUser_Profile 

Figure 26: Change List for DisplayUser_Profile

Now choose the DisplayUser_Profile usage profile using the Change Filter Settings->Change Usage Profile option.

Go to any of the available Object Types under this profile.


Figure 27: Object is not editable under the current usage profile

As you can observe in the figure above, the information Object is not editable under current usage profile appears.

Now, click the Create Object icon in the navigation area.

As you can observe, only the following objects can be created by a user who has selected the DisplayUser_Profile.

Figure 28: Create New Object under DisplayUser_Profile 


5. Edit Authorizations

This section describes the Edit Authorization feature available in the ES Repository. This feature is elaborated using Scenario 2.

Figure 29: Edit Authorizations

The Edit Authorization feature can be applied to a SWCV, a namespace or a folder. The authorization is checked based on hierarchy: first the system checks the authorizations assigned to the folder, then the authorizations assigned to namespaces and software component versions.

You can define authorizations for a user, a group or a role. The user defining the authorization should have Administrator rights.

Exchange Profile Configuration

To make use of the Edit Authorization feature, the exchange profile parameter com.sap.aii.ib.server.acl.enable has to be activated.

Go to Administration->Exchange Profile

Figure 30: Enable ACL property in Exchange Profile 


5.1 Scenario 2 (Editing Authorization for Users)

For the scenario description, please refer to Section 1.2.

This scenario showcases how users can be restricted based on the authorizations provided to them.

Log in to the ES Repository as an Administrator user.

Figure 31: Edit Authorization for the namespace

Choose the menu option Tools->Default Settings for Authorizations if you want to edit the default settings.

Right-click your namespace and select the Edit Authorization option in the context menu. The default settings for authorizations are displayed in the Authorizations dialog box. Click the Insert New Authorization icon to add new authorizations.

In the Type column, select User. In the Name column, choose the user name (Mark) to whom the authorization is to be assigned. In the Permissions column dialog box, provide both the Edit Authorizations permission (which allows the user to modify the assigned authorizations) and the Write permission (which allows the user to create, modify and delete objects) to the user.

Figure 32: Select Authorizations


Figure 33: Edit Authorizations dialog box 

Click the Apply button.

Now log in as the second user, Ron.

Note

This user should not have Administrator rights.

Figure 34: Log on to ES Repository

When this user tries to edit any object under the namespace for which the Edit Authorization was defined, the following message appears:

Insufficient authorization to change the object


Figure 35: Edit Service Interface: Insufficient authorization to change object 

But if the first user, Mark, logs in to ESR, the same object can be edited with this user.

Figure 36: Log on to ES Repository


Figure 37: Edit Service Interface 

5.2 Inherit Selective authorizations

To inherit authorizations assigned to the objects at a higher level, right-click the folder or namespace for which you want to inherit authorizations and select Edit Authorization from the context menu.

Figure 38: Edit Authorizations 


Figure 39: Inherit Selective Authorizations

Click the Inherit Selective Authorizations icon. Select the required authorizations in the Select Selective Authorizations dialog box.

Figure 40: Select Selective Authorization 


Figure 41: Apply Edit Authorizations 

Click the Apply button.

5.3 Propagate authorizations to all Substructures

To propagate the authorizations assigned to the objects at a higher level to all the substructures, right-click the folder or namespace and select Edit Authorization from the context menu.

Figure 42: Edit Authorizations 


Figure 43: Propagate All authorizations to Substructures 

Click on the Propagate All Authorization to Substructures icon.

5.4 Scenario 3 (Edit Authorization for Usage Profiles)

In Scenario 1, you saw how to restrict access using Usage Profiles. In that case, however, any user can change to a different usage profile and access the ESR objects. To avoid this, in Scenario 3 the Edit Authorization option is applied to Usage Profiles. In this way, a user can be prevented from changing to Usage Profiles that are restricted for him/her.

For the scenario description, please refer to Section 1.2.

Administration Settings

To delete the default usage profiles assigned to a user, go to Administration->User Profiles. Select your user and click the Remove button.

Figure 44: Administration Personalization Information 


Figure 45: Remove Personalization information 

The Usage Profiles created earlier in Scenario1 are used in this Scenario.Right click on the

Developer_Profile under the node Configurations

Figure 46: Edit Authorizations for usage profiles

Select any user and enable the Execute Report permission for the user.


Figure 47: Select Execute Report authorization 

Figure 48: Apply Edit Authorizations 

Click on the Apply button.

Now log in with any other user (Ron).

Note

This user should not have Administrator rights.


Figure 49: Log on to ES Repository 

You can observe in the figure below that the Developer_Profile is no longer available for selection for this user.

Figure 50: Select Usage profile dropdown list

6. User Roles

User Roles can be created in ESR to provide different authorizations for ESR objects. The Exchange Profile parameter com.sap.aii.util.server.auth.activation has to be set to true for User Roles.

Exchange Profile Configuration

Go to Administration->Exchange Profile


Figure 51: Exchange profile settings for user roles 

6.1 Scenario 4 (Assigning ESR Role to Users)

For the scenario description, please refer to Section 1.2.

This scenario shows how to create ESR user roles and how Edit Authorization can be used along with the newly created role.

Using user roles, the Administrator user can create a role depending on the project requirements. The newly created role can be assigned to a user. In this way the user can be restricted from accessing SWCVs and ESR objects.

The Edit Authorization feature discussed earlier can also be applied to an ESR role. This helps in restricting or providing ESR object access for the set of users who were assigned the newly created ESR role.

Creating Roles

To create User Roles, log in to the ES Repository with the Administrator user and go to the menu option Tools->User Roles->New


Figure 52: Create User role 

Enter the name Test_Role and click on the Create button.

Figure 53: Create Test_Role 

In the Edit User Role window, click on the Add Selection Paths button. There is an option of including or excluding SWCVs and object types for a particular role.

Figure 54: Edit User role 


Select the SWCVs you want to include and click on the OK button.

Figure 55: Choose SWCV for the User role

There is an option of including or excluding object types.

Figure 56: Include/Exclude Object Types 

By choosing Any Type under the Types column, we choose the object types to be included or excluded.

Figure 57: Choose Object Types 


There is also an option of granting or excluding the permissions for certain actions by selecting the actions in the Actions column.

Figure 58: Choose actions for User Role

Figure 59: Save User Role 

Click on Save button

Once the role is created, it has to be activated. Choose the Activate User Role button.

Figure 60: Activate User Role 

The already created user roles can be viewed by going to menu Tools->User Roles->Open


Figure 61: Open User Roles

The newly created role Test_Role appears in the list displayed.

Figure 62: Display User Roles 

The ESR role created can be assigned to a user as described in the section Assigning the Role to a User.

Define Edit authorization for Role

Users with the newly created role can also be granted authorizations.


Figure 63: Edit Authorizations 

Right click on the namespace and select Edit Authorizations from the context menu.

Figure 64: Select XIRep_Test_Role 

Select the Type as Role. On selection of the available roles, the newly created ESR role XIRep_Test_Role appears in the Select Role dialog box. Choose the Name as XIRep_Test_Role and, after selecting the required authorization, click on the Apply button.


Figure 65: Apply Edit Authorizations 

Assigning the Role to a User

To assign the newly created ESR role to a user, log in to the NetWeaver Administrator of the PI system.

Navigate to Identity Management

Figure 66: Identity Management 

Choose the user to which the role has to be assigned and click on the Go button.

Note

This user should be available already in the system.


Figure 67: Select User in Identity Management 

Select the user and click on the Modify button. Navigate to the Assigned Roles tab.

The already assigned roles are displayed under Available Roles. In the Search Criteria enter XIRep* and click on the Go button.

Select the XIRep_Test_Role and click on Add button.

Figure 68: Add XIRep_Test_Role 

The added role now appears under the Assigned Roles.


Figure 69: Display Assigned Role XIRep_Test_Role 

Figure 70: Save Assigned Roles 

Click on Save button

Figure 71: Display Assigned Roles 

Now log in to the ESR with the user to which the role was assigned.

Figure 72: Log on to ES Repository


Figure 73: Switch between display and Edit Modes 

If the user now tries to edit objects which were excluded from editing for the Test_Role, the following message appears:

Insufficient authorization to change object

Figure 74: Insufficient authorization to edit object 

The same kind of message is displayed when the user tries to create a new object of a type which was excluded from having edit permission in the user role.

Click on the Create New Object button.


Figure 75: Create New Object 

When the details are entered and the Create button is clicked the following error message appears:

Insufficient authorization to create object

Figure 76: Insufficient authorization to create object 
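The role restriction tested in Scenario 4 can be checked on paper before the role is entered in the Edit User Role window. The following Python sketch is an added example, not part of the SAP guide or of any ESR API: it models a role as include/exclude rows for SWCVs, object types and actions, and the rule that an exclude row overrides an include row, the action names and the sample SWCV names are assumptions.

```python
from dataclasses import dataclass

ANY = "*"  # stands in for "Any Type" or any SWCV in the role editor

@dataclass(frozen=True)
class SelectionPath:
    """One row of a planned role (hypothetical model, not an ESR API)."""
    swcv: str
    object_type: str
    actions: frozenset
    include: bool  # True = included, False = excluded

    def matches(self, swcv, object_type, action):
        return (self.swcv in (ANY, swcv)
                and self.object_type in (ANY, object_type)
                and action in self.actions)

# The two messages quoted in this guide.
MESSAGES = {"change": "Insufficient authorization to change object",
            "create": "Insufficient authorization to create object"}

def check(role, swcv, object_type, action):
    """Return (allowed, message).

    Assumed semantics: nothing is allowed unless an include row matches,
    and any matching exclude row overrides it.
    """
    hits = [p for p in role if p.matches(swcv, object_type, action)]
    included = any(p.include for p in hits)
    excluded = any(not p.include for p in hits)
    allowed = included and not excluded
    return allowed, (None if allowed else MESSAGES[action])

def review(role, expectations):
    """Return the expectations the planned role does not meet."""
    return [(s, t, a, want) for s, t, a, want in expectations
            if check(role, s, t, a)[0] != want]

# Constructed sample data: SWCV names and the role layout are invented.
BOTH = frozenset({"create", "change"})
TEST_ROLE = [SelectionPath("SC_DEMO 1.0", ANY, BOTH, True),
             SelectionPath("SC_DEMO 1.0", "Message Mapping", BOTH, False)]
EXPECTATIONS = [("SC_DEMO 1.0", "Data Type", "change", True),
                ("SC_DEMO 1.0", "Message Mapping", "change", False),
                ("SC_DEMO 1.0", "Message Mapping", "create", False),
                ("SC_OTHER 1.0", "Data Type", "create", False)]

if __name__ == "__main__":
    print(review(TEST_ROLE, EXPECTATIONS) or "role matches the test plan")
```

An empty result from review means every planned denial and grant agrees with the model; the same expectation list can then serve as the manual test plan when logging in as the restricted user.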


7. Appendix

7.1 Help Documentation

To configure Usage Profiles, see the documentation at

http://help.sap.com/saphelp_nwpi711/helpdata/en/48/5f809ba094501ae10000000a42189b/frameset.htm

http://help.sap.com/saphelp_nwpi711/helpdata/en/9e/30abd2358d4c8a8ba48a7f868cc54f/content.htm

7.2 SDN References

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00a8defd-e400-2c10-faaf-8049d83d1e94?QuickLink=events&overridelayout=true


 

www.sdn.sap.com/irj/sdn/howtoguides