Protect generated integrated configuration from being edited

This blog post explains which configuration is required to protect objects that are generated during integration flow deployment.

Imagine the following situation. As a rule, you configure your PI using integration flows and make your changes in the Integration Designer. When an integration flow is deployed, an integrated configuration and, if necessary, communication channels (only in the case of embedded channels) are generated.

However, from time to time an integrated configuration or communication channel may be changed directly in the Integration Directory, even though this is not how changes are supposed to be made. All changes made this way are lost when the integration flow is re-deployed.

To prevent unwanted direct changes, you can protect generated objects in the Integration Directory. All generated objects (integrated configurations and communication channels generated from an embedded channel) are stored in the folder called “Generated Objects for Integration Flows”. The solution is therefore to assign an ACL to the folder so that users are not authorized to edit the objects that belong to it. At the same time, deployment must still work properly.

Execute the following steps to enable folder protection:

1. Enable advanced access control list (ACL)

In the NWA, go to Configuration -> Infrastructure -> Java System Properties, select the Services tab and choose “XPI Service: AII Config Service”. Set the value of the following properties to true:

com.sap.aii.ib.server.acl.enable=true

com.sap.aii.ib.server.adv.acl=true

It is important to enable both basic and advanced ACL (property com.sap.aii.ib.server.adv.acl); otherwise integration flow deployment will not work.

2. Define ACL permissions in the Integration Directory

If basic ACL was already enabled before, you can skip this step and continue with step 3.

In the Integration Directory, go to the menu Tools -> Default Setting for Authorization and maintain user permissions based on individual user names or roles/groups. It is recommended that only a few people (e.g. the administrator) have the “Edit Authorization” permission. These are the default settings, which are inherited by all objects / folders in the Integration Directory.

3. Remove the inherited permission for ‘Generated Objects’ folder

In the Objects tab, switch to the Folder view. Select the folder “Generated Objects for Integration Flow” and choose “Edit Authorizations” from the context menu. Remove the selection “Inherit permissions from parent” and confirm the dialog.

If you now try to edit any object in the ‘Generated Objects’ folder, you should get an error message.

However, deployment of the integration flow should still work without any issue.