MII Security Issues

Former Member
0 Kudos

Hi,

I am having issues with security on my MII systems. I am wondering how many levels of security there are on MII projects. I know that there is the user level security. I have Admin, Developer, and User roles on the system via ABAP/UME. I have checked that the actions of each of the roles have the following assigned: XMII_Full_Access, XMII_Developer, XMII_User, and XMII_Read_Only.

I know that there is transactional security. But what levels does the transactional security apply to? Does transactional security apply to project level, a specific folder level, or just individual transactions?

I have heard about template security, but have not found out how to change/modify this. Help here would be appreciated.

Are there any other security levels that I haven't mentioned above?

The reason that I am asking these questions is that I am seeing the error '<user> is not assigned to a role that can perform this action' much too often. As I mentioned above, I should have full access on MII through my admin role. I also guess some of my problems have to do with the fact that we aren't assigning the default roles to our users, but instead get permissions through ABAP roles and UME. Therefore, is there a way to change the default roles that are assigned to transactional security so it doesn't have to be changed every time?

Having Admin (full access) abilities on MII, is there a way to change transactional security on objects that I can't open? (I'm guessing my roles aren't in the read/write transactional security for the object)

I am currently working on a system that uses MII 12.1.8.28.

I have tried searching through the SDN for this information, but haven't found anything that answers my questions. Any help would be greatly appreciated. I'm new to MII so sorry if this was a simple question. Just trying to get a better understanding of how security is handled.

Justin

Accepted Solutions (0)

Answers (1)

jcgood25
Active Contributor
0 Kudos

The read only role may be causing you problems when in conjunction with the standard roles. I believe it's mentioned in one of the guides on service marketplace (Security or install - not sure), but without at least the XMII User role you really don't have the blanket level of security to do much of anything.

Query Template, Display Template, and Transaction based Reader and Writer Roles are all configured within the individual objects themselves in the workbench. Look for the security option tab or category (lower left) or in the top menu options.

Data servers also have Role based security, but the permission errors you receive if a user does not have access to use a connection like Northwind are quite intuitive.

Former Member
0 Kudos

Hi Jeremy,

Thanks for the reply.

I tried removing my read_only role and actions. However I am still receiving the "<user> is not assigned a role that can perform this action" message. Do you have any other suggestions on how to fix this?

Since I have the "XMII_Full_Access" permissions I feel that I should be able to open up a template or transaction and change the template or transactional security. But this appears to not be the case for template security.

Help/suggestions would be appreciated.

Thanks,

Justin

Former Member
0 Kudos

Justin,

What action triggers this message? When you try and modify transactions & templates?

Also from a roles perspective are you a SAP_XMII_Super_Administrator?

Thanks

Udayan

Former Member
0 Kudos

Hi,

I get this message when I double click on a template, in the navigation pane, to try and open it.

I do not have the SAP_XMII_Super_Administrator role. But when I look at the SAP_XMII_Super_Administrator role its action is XMII_Full_Access. I do have the XMII_Full_Access action (via custom roles). Two actions I found that I don't have are "XMII_Administrator" and "XMII_Workbench_all". Are either of these roles more powerful than "XMII_Full_Access"?

Thanks.

Justin

Former Member
0 Kudos

Hi,

Let me ask you this.

Like Jeremy mentioned above, in addition to this custom role, you do have the SAP_XMII_User role assigned to the user id, right?

Ideally XMII_Full_Access should cover everything, but because you have a custom role, I am not sure how it'll behave.

Thanks

Udayan

Former Member
0 Kudos

Yes I have a custom role assigned to me with the "XMII_User" action.

I will report back with the results of my test of the other 2 actions.

Former Member
0 Kudos

I was able to get the following actions applied to my userID: "XMII_Administrator" and "XMII_Workbench_all". They had no effect. Does anybody have any other suggestions? If not I guess I will need to open up an OSS message.

Thanks.

jcgood25
Active Contributor
0 Kudos

What do you have for the problematic user at http://server:port/XMII/PropertyAccessServlet?Mode=List (see IllumLoginRoles)?

The default Reader Roles for transactions and templates are XMII_XXXX Role based - actions would be secondary and more specific permission or restriction based. If you do a new template in the workbench you will see the built in roles that are pre-established for templates.

Former Member
0 Kudos

IllumLoginRoles 'ME_JU_MII_USER','DV_JU_NWA_READ_ONLY','BC_JU_CEN_BASIS_ADMIN','Everyone','BC_JU_DIV_BASIS_ADMIN','Administrator','DV_JU_NW_LOG_VIEWER','ME_JU_MII_ADMIN','ME_JU_MII_DEVELOPER'

Is there a way to edit the default template roles?

I have opened up a message with SAP on this...

jcgood25
Active Contributor
Former Member
0 Kudos

Thank you for the link to the guide. It says "You must assign all users to the SAP_XMII_User role." This can be done, but what I don't understand is why specific roles have been hardcoded into MII. Is there a plan to remove this hardcoding and instead utilize actions? Or at least provide users the ability to define default roles.

I currently have all users assigned to the XMII_users action. I am guessing according to this document that the action isn't sufficient.

Edited by: Justin M Brown on Jun 23, 2011 8:50 PM

jcgood25
Active Contributor
0 Kudos

Actions are suitable for granular control of features and specific user 'actions', but were first introduced along with NW's UME in 12.1. Prior to this the MII related Services were secured by Role(s), just like you can still see with Data Server permissions.

Everything was Role based, which is also why the templates and the customer base would have evidenced in their applications. Actions were introduced to provide you R/W/D granularity, where previously you were either a Developer/Admin or basic User and if you wanted to provide access to the WB or one of the Admin menu screens it was full access.

The mandate for assignment to the base Users role will give you the blanket level of capability needed to exist in the MII world, but if you want to further restrict actions you still have the option.
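
The check the thread converges on, written out as an added example (it is not part of any poster's reply and is not SAP's code): it parses the IllumLoginRoles value posted above and compares the role names with an object's Reader and Writer role lists. The function names and the two role lists are assumptions for illustration; the real lists come from the object's security settings in the workbench.

```python
import re

# Role the guide quoted in the thread says every user must be assigned to.
MANDATORY_ROLE = "SAP_XMII_User"

# IllumLoginRoles value as posted in the thread.
POSTED_ROLES = (
    "'ME_JU_MII_USER','DV_JU_NWA_READ_ONLY','BC_JU_CEN_BASIS_ADMIN',"
    "'Everyone','BC_JU_DIV_BASIS_ADMIN','Administrator',"
    "'DV_JU_NW_LOG_VIEWER','ME_JU_MII_ADMIN','ME_JU_MII_DEVELOPER'"
)

# Assumed Reader/Writer lists for one template (illustrative values only).
ASSUMED_READERS = ["SAP_XMII_User", "SAP_XMII_Super_Administrator"]
ASSUMED_WRITERS = ["SAP_XMII_Super_Administrator"]


def parse_login_roles(value):
    """Split a quoted, comma-separated IllumLoginRoles value into role names."""
    return re.findall(r"'([^']+)'", value)


def diagnose(login_roles_value, readers, writers):
    """Compare a user's login roles with an object's role lists.

    Only role names are compared, which models the role-based Reader/Writer
    check described in the thread. Actions held through custom roles are not
    role names, so they cannot produce a match here.
    """
    held = set(parse_login_roles(login_roles_value))
    return {
        "has_mandatory_role": MANDATORY_ROLE in held,
        "read_via": sorted(held & set(readers)),
        "write_via": sorted(held & set(writers)),
    }


if __name__ == "__main__":
    # The posted user: custom roles only, no match on either list.
    print("as posted:", diagnose(POSTED_ROLES, ASSUMED_READERS, ASSUMED_WRITERS))
    # Same user after the mandatory role is assigned (constructed input).
    fixed = POSTED_ROLES + ",'SAP_XMII_User'"
    print("with role:", diagnose(fixed, ASSUMED_READERS, ASSUMED_WRITERS))
```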