XI : Controlling access to Sensitive Interfaces
Scenario : You have created an enterprise web service for retrieving sensitive customer information and pushing the data to a particular customer. You want to restrict the usage of this web service to a particular service user.

Issue : Security plays an important role in XI. Standard service users with the role SAP_XI_APPL_SERV_USER can be created for communicating with XI. But there is an inherent problem here: any user with the role SAP_XI_APPL_SERV_USER will be able to consume all defined interfaces. Hence there is a need to be able to prevent people from requesting the services of a security-sensitive interface.

Solution : Since SP13 a new feature called Access Control Using Assigned Users has been introduced, where for a given sender service of type business service or business system we can now restrict access to particular users. At runtime the user credentials are verified to ensure that the user sending messages via the specified sender is in the assigned users list of that sender. Confusing… Let us take things one step at a time.

Step 1: Create a Business Service “Test”
Step 2: Create a Sender SOAP communication channel “SenderSOAP_test”
Step 3: Edit Business Service “TEST”, choose the tab Assigned Users and add the user who can send messages
Step 4: Finish all the configuration, generate the WSDL, generate proxies from the WSDL and make the web service call. Use XIAPPLUSER in the credentials of the web service. When the call is made, you will get a SOAP exception.
Step 5: At runtime, the user entered in the TEST service (in the Integration Directory) is compared with the user used to send the message. Messages are processed without errors only if both users are identical. In our case, since the users are different, an ACCESS CONTROL EXCEPTION is generated as shown in the figure below
Snapshot of webservice response from XI
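The runtime decision from Step 5, modelled as an added Python example (not SAP code): the sender service with its Assigned Users list and the calling users are constructed sample data, and the assumption that a service with no assigned users stays open to every holder of SAP_XI_APPL_SERV_USER is mine, not something the blog states.

```python
"""Model of XI's "Access Control Using Assigned Users" runtime check.

Added example, not SAP code. Integration Directory objects are modelled as
small dataclasses; the service/user names are constructed sample data that
mirror the steps in the blog.
"""
from dataclasses import dataclass, field

SERVICE_USER_ROLE = "SAP_XI_APPL_SERV_USER"  # standard role for talking to XI


class AccessControlException(Exception):
    """Raised when the authenticated sender is not an assigned user."""


@dataclass
class SenderService:
    name: str
    # Step 3: users allowed to send via this service.
    # Assumption: an empty set means "no restriction" (not stated on the page).
    assigned_users: set = field(default_factory=set)


@dataclass
class XiUser:
    name: str
    roles: set


def check_sender_access(service: SenderService, user: XiUser) -> str:
    """Return the user name if `user` may send through `service`, else raise.

    1. Every caller still needs SAP_XI_APPL_SERV_USER to reach XI at all.
    2. If the service has assigned users, the caller must be one of them;
       this is the check that turns XIAPPLUSER's call into an exception.
    """
    if SERVICE_USER_ROLE not in user.roles:
        raise PermissionError(f"{user.name} lacks role {SERVICE_USER_ROLE}")
    if service.assigned_users and user.name not in service.assigned_users:
        raise AccessControlException(
            f"ACCESS CONTROL EXCEPTION: {user.name} not assigned to {service.name}")
    return user.name


def is_allowed(service: SenderService, user: XiUser) -> bool:
    """Boolean wrapper around check_sender_access for quick evaluation."""
    try:
        check_sender_access(service, user)
        return True
    except (PermissionError, AccessControlException):
        return False


# Constructed configuration: "Test" restricted to CUSTOMER_SVC (Step 3),
# XIAPPLUSER is the generic service user from Step 4, "Other" is unrestricted.
TEST_SERVICE = SenderService("Test", assigned_users={"CUSTOMER_SVC"})
OTHER_SERVICE = SenderService("Other")
XIAPPLUSER = XiUser("XIAPPLUSER", {SERVICE_USER_ROLE})
CUSTOMER_SVC = XiUser("CUSTOMER_SVC", {SERVICE_USER_ROLE})
```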
Conclusion : Access Control using Assigned Users is a very powerful feature for enforcing additional security. In this weblog I have used it in a web service scenario, but it can be used with any of the following sender adapters: XI Adapter, Plain HTTP Adapter, RFC Adapter, IDoc Adapter, SOAP Adapter and SAP Business Connector Adapter. Find more in the online help on Access Control.
Is there a way to provide the same feature based on "roles" instead of "users"?
Tx again! And keep blogging 🙂
roberti