cancel
Showing results for 
Search instead for 
Did you mean: 

Users in R/3 backend for MAM

Former Member
0 Kudos

(I'm sorry if this question is repeated, I've tried to post it 2 times already but it returns an error. Hope this time it goes)

Hi,

I am installing and configuring a MAM application (WebAS 6.40 SP13, MAM 2.5 SR2) scenario. We user for backend a SAP R/3 4.6c with PI 2004.1.

I have some doubts about users for using MAM. What I gathered so far is that I'll need the following users in R/3:

-A service user for accessing RFCs in order to connect MI (middleware) do R/3

-One user in R/3 for each front-end MAM user

These are all the users I will need in the backend, right? Also, I am not sure which type of authorizations they will need.

Quoting MI Installation Guide, the user to connect the middleware to R/3 "must have authorization for all SAP MI-specific function groups contained in table BWAFMAPP". What are the authorization objects for this user profile?

The same for the individual MAM users. Each one will need a user with the same name in the backend, but what type of authorization will they need? Do they need to be dialog users or can they be service users?

Regards,

Daniel Franulovic

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos

Hi Daniel:

I could understand that you had some issues in posting this topic.Because i got your First Message in my E-Mail but not able to trace that in the MI Forum.That is fine.

Here are the 3 different checks you have to look at"Users & Authorizations" for setting up your MAM Users.

(1) Backend:

(1a) The SAP MAM User who synchronizes with the Backend from the MI Client should have all necessary authorizations for Plant Maintenance Components of the SAP System that are associated with your MAM Scenarios.Pl refer to the following Authorization Objects I_ALM_ME ,I_AUART,I_BEGRP,I_BETRVORG,I_CCM_ACT ,I_CCM_STRC,I_ILOA,I_INGRP,I_IWERK,I_KOSTL ,I_QMEL,I_ROUT ,I_ROUT1,I_SOGEN,I_SWERK,I_TCODE ,I_VORG_MEL,I_VORG_MP ,I_VORG_ORD,I_WPS_MEB ,I_WPS_REV in your Backend System and have it assigned to the User Profile, based on your requirement.

(1b) Service User for setting up the MAM & MI Landscape: This user logon info has to be setup in the RFC Destination that is associated with your MAM25 SyncBOs, to logon to the Backend System and this user should have the basic authorizations required to establish the connection.

(2) MI Middleware: The SAP MAM User who synchronizes with the Backend from the MI Client should have the following Authorization Objects assigned to his/her profile. S_ME_SYNC, S_RFC, S_TCODE.

(3) MI Client: Refer to MI Security Guide.As discussed earlier,note that the MI Client MAM User is same as the Middleware User and the Backend User.

Let me know, if you are looking for anyother additional info.

Thanks

Gisk

Former Member
0 Kudos

Thanks a lot Gisk,

The only thing that I still don't know is what are the "basic authorizations required to establish the connection" in (1b). The MI installation manual says that this user must have authorization for all SAP MI-specific function groups contained in table BWAFMAPP, but it does not say which authorization objects are related to this.

Regards,

Daniel

Former Member
0 Kudos

Hi Daniel:

As for i have understood this Service User(defined in 1b of my previous post) should have the Authorization to execute the RFC programs especially the WAF* Function Modules, that falls in the function groups BWAF*.

The authorization for this is setup with the Authority Object S_RFC(Under Object Class AAAB-Cross Application Authorization Objects) with ACTIVITY = 16(Execute),where in you set the "Name of the RFC to be protected" for the RFC Type "Function Group".As long as the Function Groups that has value starting with "BWAF*" is not restricted here, you should be good to go.

So in your Backend create a Role with this Authorization Profile and have this profile assigned to the service user you have created.It think this should be it.

Let me know the results.

Thx

Gisk

Message was edited by: Gisk

Message was edited by: Gisk

Former Member
0 Kudos

Hi Gisk,

I tried that and thought it had solved my problem, but then some errors started happening when synchonizing. I am almost going for a SAP_ALL user...

Thanks,

Daniel

Former Member
0 Kudos

Hi Daniel!

Was the issue related to authorization or a different one?Did SAP_ALL solved your problem?

Thx

Gisk

Former Member
0 Kudos

It was related to authorization. SAP_ALL solved my problem, but I doubt I'll be able to use this solution in production...

Former Member
0 Kudos

Hi Daniel!

Good that your problem is solved with SAP_ALL and now you are sure that it is a SAP Authorization Issue.Did you check the setup for "MeRep Handler job of synchronization messages" in MEREP_PD, under Runtime Component for Handler.

Any have If you schedule a background job for the Handler, the messages that were not processed immediately due to to limit the number of simultaneous handler processes in order to control system performance, some messages from the client device are not processed immediately when being received by the server.In the case that allow batch-user in MEREP_PD is set, the handler is kicked using the batch user and this will be used to access the backend system

In the case that no allow batch-user in the MEREP_PD is set, the handler is kicked using the user name, which is used for the logon to the WAS from the client device (THIS IS THE CASE WHEN THE USER NAME USED IN A DEVICE CAN BE OBTAINED WITHIN THE BAPI WRAPPER IN CASE OF 2-WAY SYNCBO).Hence this user this user needs appropriate authorizations in both the SAP Web AS and in the backend system where the application data resides.

Probably this is causing the problem.You can check this and see if this resolves the issue to get rid of SAP_ALL.

Thx

Gisk