SAP Basis Tech Supports

Symptom

You want to restrict access to message payloads in message monitoring for adapter engines to certain types of messages, e.g. excluding special interfaces or including only messages from a certain sender.
Other terms

Runtime Workbench, RWB, Message Display Tool, MDT
Reason and Prerequisites

You have to create your own actions and group them to roles as described in the solution.
Solution

Attention: This note is deprecated if you are using the following versions of XI/PI:
XI 3.0 SP19, SP20, SP21 or SP22 after applying corrections from note 1162398XI 3.0 SP23 (and later SPs)XI 7.0 SP14 or SP15 after applying corrections from note 1162398XI 7.0 SP16 (and later SPs)XI 7.01PI 7.10 SP06, SP07 or SP08 after applying corrections from note 1162398PI 7.10 SP09 (and later SPs)PI 7.11 SP02 or SP03 after applying corrections from note 1162398PI 7.11 SP04 (and later SPs)any newer release than the above

In this case, please see note 1162399 (for releases 3.0 and 7.0x) or note 1370334 (for releases 7.10, 7.11 and higher) for a new description of how to set up payload security in Message Monitoring.
———————————
The solution described here, is not a general available part of our software. If you want to use it, please, contact SAP for further information.
You have to execute the following steps:
1. Define your own actions2. Group them to roles3. Create an XML document containing the definitions of 1 and 2.4. Deploy it to your server5. Modify the Exchange profile, such that the custom actions and roles are used.6. Assign the roles to users or groups

These steps are described in the following:
7. An action is identified by its name. It contains one permission, which is defined by a permission class, a name of a permission attribute and its value.a) The permission class is always com.sap.aii.mdt.util.MonitoringPermission.b) The name of a Permission is the fully qualified name of a message type, i.e. a tupel (partyName, service, interfaceNamespace, interfaceName), where wildcards and inequalities are allowed. Here are some examples:partyName=partyA, service=serviceA, interfaceNamespace=interfaceNamespaceA, interfaceName=interfaceApartyName=*, service=serviceA, interfaceNamespace=interfaceNamespaceA, interfaceName=interfaceA, service<>serviceA, interfaceNamespace=interfaceNamespaceA, interfaceName=interfaceA
Omitted attributes are regarded as *. For instance, the last example is equivalent to partyName=*, service<>serviceA, interfaceNamespace=interfaceNamespaceA, interfaceName=interfaceA.c) The value of a permission can be one of the following:
“execute”, “display”, “cancel”, “edit_header”, “edit_payload”8. You can group several actions to a role. This can either be done with an XML document (see below) or in the user admin WebUI, which is invoked with http://: /useradmin. There select Roles and follow the instructions in the UI.9. With the definitions in 1 and 2 you have to create an XML document, which contains all the necessary information. As a blueprint for such an XML file, you can use the standard XML document, which is included in the application (see attachment “actions.xml”). Please have also a look at the attached “examplerole.xml”. Please note, that the filename has to end with “role.xml” and that < has to be escaped as <.10. Now you have to deploy the xml file to your server. To do this, open the Visual Administrator, go to node server0->services->Configuration Adapter, and switch to edit mode. Then select the node cluster_data->server->persistent->com.sap.security.core.ume.service and press the Create button. In the pop-up window select file-entry and upload the file, you created in step 3 (see attached screenshot upload.jpg).11. Open the Exchange Profile (http://: /exchangeProfile). Select node RuntimeWorkbench and press “New Parameter”. Enter “com.sap.aii.rbw.server.auth.UME” as name and “true” as value and save your changes (see screenshot profile.jpg). After that you have to restart your server.12. Open the user administration (http://: /useradmin), group your actions to roles (if not already done in step 2) and assign the new role to your users and groups. Please note, that the standard roles have also to be assigned to your user or groups (cf. the standard user group SAP_XI_MONITOR_J2EE, e.g.).