Scenario: You have created an enterprise web service that retrieves sensitive customer information and pushes the data to a particular customer. You want to restrict the use of this web service to a particular service user.

Issue: Security plays an important role in XI. Standard service users with the role SAP_XI_APPL_SERV_USER can be created for communicating with XI. But there is an inherent problem here: any user with the role SAP_XI_APPL_SERV_USER can consume all defined interfaces. Hence there is a need to prevent people from requesting the services of a security-sensitive interface.

Solution: Since SP13, a new feature called Access Control Using Assigned Users has been available. For a given sender service of type business service or business system, we can now restrict access to particular users. At runtime, the user credentials are verified to ensure that the user sending messages with the specified sender is in the assigned users list of that sender.

Confusing… Let us take things one step at a time.

Step 1: Create a Business Service “Test”.

Step 2: Create a sender SOAP communication channel “SenderSOAP_test”.

Step 3: Edit Business Service “TEST”, choose the tab Assigned Users and add the user who can send messages.

Step 4: Finish all the configuration, generate the WSDL, generate proxies from the WSDL and make the web service call. Use XIAPPLUSER in the credentials of the web service. When the call is made, you will get a SOAP exception.

Step 5: At runtime, the user entered in the TEST service (in the Integration Directory) is compared with the user used to send the message. Messages are processed without errors only if both users are identical. In our case, since the users are different, an ACCESS CONTROL EXCEPTION is generated, as shown in the figure below.

[Figure: Snapshot of the web service response from XI]

Conclusion: Access Control Using Assigned Users is a very powerful feature for enforcing additional security. In this weblog I have used it in a web service scenario, but it can be used with any of the following sender adapters:

- XI Adapter
- Plain HTTP Adapter
- RFC Adapter
- IDoc Adapter
- SOAP Adapter
- SAP Business Connector Adapter

Find more in the online help on Access Control.
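
The decision described in Step 5, modelled as an added Python example (not SAP code and not part of the original post), with an audit helper that lists the sender services still open to every XI service user. The user CUSTOMER_A_SVC, the service LEGACY and the rule that a sender service with no assigned users falls back to the role check alone are assumptions of the model.

```python
from dataclasses import dataclass

XI_ROLE = "SAP_XI_APPL_SERV_USER"  # role named in the post


@dataclass
class SenderService:
    """Constructed stand-in for a business service / business system."""
    name: str
    assigned_users: frozenset = frozenset()  # the "Assigned Users" tab


def check_sender(service, user, roles):
    """Model of the runtime decision: returns (allowed, reason)."""
    if XI_ROLE not in roles:
        return False, "user lacks " + XI_ROLE
    if not service.assigned_users:
        # Assumption: no list maintained, so the role alone decides
        # (the situation the post describes under "Issue").
        return True, "role only, sender service is unrestricted"
    if user in service.assigned_users:
        return True, "user is assigned to sender service " + service.name
    return False, "ACCESS CONTROL: user not assigned to " + service.name


def unrestricted_services(services):
    """Audit helper: sender services any XI service user can send as."""
    return sorted(s.name for s in services if not s.assigned_users)


# Constructed sample data. CUSTOMER_A_SVC, JDOE and LEGACY are hypothetical;
# TEST and XIAPPLUSER are the names used in the post.
SERVICES = [
    SenderService("TEST", frozenset({"CUSTOMER_A_SVC"})),
    SenderService("LEGACY"),
]
ROLES = {"XIAPPLUSER": {XI_ROLE}, "CUSTOMER_A_SVC": {XI_ROLE}, "JDOE": set()}

if __name__ == "__main__":
    for svc in SERVICES:
        for user, roles in ROLES.items():
            ok, why = check_sender(svc, user, roles)
            verdict = "ALLOW" if ok else "DENY"
            print(f"{svc.name:7} {user:15} {verdict:5} {why}")
    print("unrestricted sender services:", unrestricted_services(SERVICES))
```

Running the audit helper over an export of the configured sender services shows where the role is still the only barrier.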

1 Comment


  1. waldemar roberti
    Tx for the tip, it is very useful.
    Is there a way to provide the same feature based on “roles” instead of “users”?

    Tx again! And keep blogging 🙂

    roberti
