Integration consultants develop interfaces that seamlessly connect and integrate data between systems. As part of their job, consultants can view the payload, i.e. the data being exchanged between two systems. Although access to view data transformation in SAP PO is important for debugging failures, in some situations clients may also want to restrict that access for a few interfaces.
You might wonder in what circumstances one would implement this functionality, given that consultants need access. For example, the PO landscape may contain interfaces that carry sensitive client information, payroll information, account numbers or credit card numbers, or a PO box may be shared between two different projects supported by different teams. Using this feature, we can restrict access to that specific interface or set of interfaces, while still allowing users to view data for other interfaces.
To access the SAP PO system and perform any task or action, we need the necessary privileges. The standard SAP actions and roles cannot limit a user's access on a per-interface basis. In other words, if a user has access to Message Monitoring, they can view the messages of all interfaces without any restriction, and if a user does not have access, they cannot view any message at all.
Since our requirement is a combination of both, we will develop a role built from custom actions to achieve the requirement.
Some of the standard SAP roles that we use commonly are:
When we implement custom roles, the standard roles above become obsolete and are limited to giving access to monitoring tools such as Message Monitoring and Communication Channel Monitor.
To define our own rules, we must understand what actions and roles mean. An action is a set of permissions: each action grants or denies permission to perform some operation, such as cancelling a message, resending a message or viewing the payload of a message. Actions can be grouped into roles. When we create custom actions, we need to keep in mind that new interfaces can be added to the landscape and design the actions accordingly; otherwise we might have to modify the rules on a regular basis.
We have two users, A and B, who have access to the SAP PO system. As part of the requirement, USER A must have access to all interfaces, whereas USER B can view all interfaces except the Payroll interface.
For USER A we can use any standard role provided by SAP that has the payload_all action, so this user will be able to view the payload for all interfaces, including the sensitive interface.
Now, when logged in as USER B, the payload tab is disabled only for the sensitive interface, and the user can still view the payload for other interfaces.
The screenshot below shows the sensitive interface, with the pop-up at the top:
The screenshot below shows that the user is able to view the payload for other interfaces:
This is quite an easy way to restrict access to interfaces that contain sensitive data, as we can limit access based on namespace or business system. The only drawback is that if a message fails due to a mapping issue in PO on an interface for which access is restricted, the user must depend on someone who has access, because testing the message mapping in PO is important for resolving the issue.
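The USER A / USER B scenario above can be modelled in a few lines to check a rule design before building it in the system. This is an added example, not SAP code or the author's configuration: only `payload_all` is a name from the article, while the deny action, role names, namespaces, business systems and the "deny wins" evaluation order are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Action:
    """One permission: allow or deny payload viewing for matching interfaces."""
    name: str
    allow: bool
    business_system: str = "*"  # pattern over the sender business system
    namespace: str = "*"        # pattern over the interface namespace

    def matches(self, business_system: str, namespace: str) -> bool:
        return (fnmatchcase(business_system, self.business_system)
                and fnmatchcase(namespace, self.namespace))


# Only "payload_all" is named in the article; everything else is hypothetical.
PAYLOAD_ALL = Action("payload_all", allow=True)
DENY_PAYROLL = Action("deny_payroll_payload", allow=False,
                      namespace="urn:example:payroll*")

# Actions are grouped into roles, and roles are assigned to users.
ROLES = {
    "MONITOR_FULL": [PAYLOAD_ALL],
    "MONITOR_NO_PAYROLL": [PAYLOAD_ALL, DENY_PAYROLL],
}
USERS = {"USER_A": ["MONITOR_FULL"], "USER_B": ["MONITOR_NO_PAYROLL"]}


def can_view_payload(user: str, business_system: str, namespace: str) -> bool:
    """Assumed semantics: a matching deny wins; no matching allow means no access."""
    matched = [a for role in USERS.get(user, []) for a in ROLES[role]
               if a.matches(business_system, namespace)]
    if any(not a.allow for a in matched):
        return False
    return any(a.allow for a in matched)


# Constructed interfaces: (business system, namespace).
ORDERS = ("BS_ERP", "urn:example:sales:orders")
PAYROLL = ("BS_HR", "urn:example:payroll:salary")
NEW_PAYROLL = ("BS_HR", "urn:example:payroll:bonus")  # added to the landscape later

if __name__ == "__main__":
    for user in USERS:
        for iface in (ORDERS, PAYROLL, NEW_PAYROLL):
            print(user, iface[1], can_view_payload(user, *iface))
```

Because the deny action is keyed on a namespace prefix rather than on a single interface name, the payroll interface added later is restricted for USER B without any change to the rules.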
To implement this feature, please refer to the links below for a detailed description: