Skip to content

Access Restriction

This section contains information on how to set up access restrictions. Xtract Universal.iQ allows you to restrict access to:

  • the server that receives and executes service calls
  • the web UI that is used to create and manage connections and services
  • specific services and / or connections

Enable Access Restrictions

To restrict access to the web UI and the server.

  1. If no users exist, create a new user.
  2. Enable Transport Layer Security to secure the connection to the web UI.
  3. Restart the Xtract Universal.iQ container and connect to the web UI using an HTTPS connection.
  4. Navigate to the Access Control menu.
  5. Set the Server Access to Authenticated.
  6. Assign access rights to users.

When connecting to the web UI, you are prompted to enter user credentials.

Tip

To use SAP credentials for basic authentication when calling services, activate the option in the SAP connection settings. Using SAP credentials and custom user credentials for basic authentication in parallel is not supported.

Disable Access Restrictions

To disable all access restrictions:

  1. Navigate to the Access Control menu.
  2. Set the Server Access to Anonymous.
  3. Click [Save].
  4. Restart the Xtract Universal.iQ container.

You can connect to the web UI or run services without providing user credentials.

Assign User Rights

To assign access rights to users:

  1. Navigate to the Access Control menu. The Privileges section lists all existing users.
  2. Select a restriction level from the dropdown list next to the username to assign one of the following restriction levels.

    Restriction Level Description
    Server Admin No restrictions.
    Create / Modify The user can login to the web UI, create new connections and services, and modify existing ones. The user cannot make changes to users, access control, or the Xtract Universal.iQ settings.
    Read / Execute The user can login to the web UI, but cannot make any changes. The user can run services.
    No access The user can not login to the web UI or run any services. This option can be used to temporarily disable users from using Xtract Universal.iQ.
  3. Click [Save].

  4. Restart the Xtract Universal.iQ container.

The user now has the assigned access rights.

Service Level Access

By default services inherit access restrictions from the server level. You can restrict user access on the service level, e.g., to temporarily disable users from running a service.

Note

When access rights from the server and service levels differ, the more restrictive access right applies, e.g., a user with Read/Execute privilege on the server level cannot be upgraded to Modify on the service level. Users with Server Admin rights are not affected by service level restrictions.

To restrict access to a specific service:

  1. Open the Services menu.
  2. Select one or more services.
  3. Click [More > Access Control]. The service access settings open.
  4. Set Service Access to Custom.
  5. Click + Add to look up users and user groups. The "Add User/Group" menu opens.
  6. Enter the name of a user or user group in the search bar and click [Search]. All matches are displayed in the list below.
  7. Select a user or user group from the list. The "Add User/Group" menu closes and the user or user group is added to the access control settings.
  8. Click the icon buttons in the Read and Modify columns of a user or user group to switch between granting access () and denying access (). The following user rights can be assigned:

    Restriction Level Description
    Modify The user can read, run and modify the service.
    Read The user can read and run the service.
  9. Click [Save].

When running the service, users are prompted to enter user credentials (basic authentication).

Tip

Click [Reset permissions] to set all user rights to No Access.

Connection Level Access

By default connections to SAP source systems or destinations inherit access restrictions from the server level. You can restrict user access on the connection level to ensure that critical settings for specific source or target systems can only be modified by trained users.

Note

When access rights from the server and connection levels differ, the more restrictive access right applies, e.g., a user with Read/Execute privilege on the server level cannot be upgraded to Modify on the connection level. Users with Server Admin rights are not affected by destination level restrictions.

To restrict access to a specific connection:

  1. Open the Connections menu.
  2. Select one or more connections.
  3. Click [More > Access Control]. The connection access settings open.
  4. Activate the checkbox Restrict access to the following users/groups.
  5. Click + Add to look up users and user groups. The "Add User/Group" menu opens.
  6. Enter the name of a user or user group in the search bar and click [Search]. All matches are displayed in the list below.
  7. Select a user or user group from the list. The "Add User/Group" menu closes and the user or user group is added to the access control settings.
  8. Click the icon buttons in the Read and Modify columns of a user or user group to switch between granting access () and denying access (). The following user rights can be assigned:

    Restriction Level Description
    Modify The user can read and modify the connection settings.
    Read The user can read the connection settings.
  9. Click [Save].

Only users with Modify rights can change connection settings.


Last update: July 3, 2026