
7.8.2 Defining Whitelist in HTTP_WHITELIST in ABAP Back-End


For NWBC, the generic table HTTP_WHITELIST in the ABAP system has been extended with the entry_type NWBC. With this, an administrator can specify that URLs that are included in roles or that are displayed in the side panel are to be trusted. You can access table HTTP_WHITELIST in transaction Data Browser (SE16).

The syntax is as follows:


To enable navigation links of a system in table HTTP_WHITELIST, in the HOST field, you must either specify the domain (for example, * or all application servers for a more restrictive access.


NWBC is version 3.5 or higher and is connected to ABAP 7.03/7.31 or higher.


A typical example of a whitelist entry looks like this:

Example of whitelist entry

In this example, every application that resides in * is to be trusted in NWBC. Value 0 for port means any port.

By default, table HTTP_WHITELIST does not contain any entries and allows access to the connected system. This corresponds to a single entry *://<fully-specified-system host>:*/*. That is, navigation to targets in the same system is allowed, but navigation to external targets is not allowed by default. An example for an external target is To allow navigation to external targets, make entries in table HTTP_WHITELIST.


You must enter 03 for ENTRY_TYPE in back ends < 7.03 directly as this value is not available in the value help.

The following table shows example entries:




Any machine in the domain, any port, and any path are valid.*

The same machine, any port, and any path are valid.*

The same machine, the given port, and any sub-path are valid.

To match local files, a whitelist entry using the file: protocol is needed. For example, to allow access to all documents in c:\temp, the corresponding whitelist entry is file:///c:/temp/*.

In table HTTP_WHITELIST use:

PROTOCOL = “file”

HOST = “” <leave empty>

PORT = “” <leave empty or 0>

URL = “c:/temp/*”

However, while technically possible, you should consider if access to a local resource makes sense. Documents specified in your role tree (for example, using transaction Role Maintenance (PFCG)) must be available on all end-user machines and under the same path.
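The matching rules described on this page can be modelled to review an exported copy of HTTP_WHITELIST before entries go live. The following is an added example, not SAP code: the glob-style handling of *, the scheme default ports, the treatment of an empty PROTOCOL, and the rule that existing NWBC rows replace the same-system default are assumptions, and all hosts and rows are constructed sample data.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

NWBC_ENTRY_TYPE = "03"                      # value this page gives for NWBC rows
DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: used when the URL names no port

def entry_matches(entry, url):
    """Return True if one HTTP_WHITELIST row (field name -> value) covers url."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, 0)
    path = parts.path.lstrip("/")
    want_host = (entry.get("HOST") or "").lower()
    want_port = int(entry.get("PORT") or 0)  # 0 or empty means any port
    # Assumption: an empty HOST only covers host-less URLs such as file:///...
    host_ok = fnmatchcase(host, want_host) if want_host else host == ""
    return (fnmatchcase(scheme, (entry.get("PROTOCOL") or "*").lower())
            and host_ok
            and want_port in (0, port)
            and fnmatchcase(path, (entry.get("URL") or "*").lstrip("/")))

def is_trusted(url, rows, system_host):
    """Decide whether url is trusted under the rules modelled above."""
    nwbc_rows = [r for r in rows if r.get("ENTRY_TYPE") == NWBC_ENTRY_TYPE]
    if not nwbc_rows:
        # No entries: same as the single entry *://<system host>:*/*
        return (urlsplit(url).hostname or "").lower() == system_host.lower()
    # Assumption: once NWBC rows exist, only those rows decide.
    return any(entry_matches(r, url) for r in nwbc_rows)

# Constructed sample data (not taken from a real system).
SYSTEM_HOST = "abap01.corp.example"
ROWS = [
    {"ENTRY_TYPE": "03", "PROTOCOL": "*", "HOST": "*.corp.example",
     "PORT": "0", "URL": "*"},
    {"ENTRY_TYPE": "03", "PROTOCOL": "https", "HOST": "docs.partner.example",
     "PORT": "443", "URL": "help/*"},
    {"ENTRY_TYPE": "03", "PROTOCOL": "file", "HOST": "", "PORT": "",
     "URL": "c:/temp/*"},
    # Row of another entry type (placeholder value); ignored for NWBC decisions.
    {"ENTRY_TYPE": "XX", "PROTOCOL": "*", "HOST": "*", "PORT": "0", "URL": "*"},
]

if __name__ == "__main__":
    for u in ("http://app7.corp.example:8000/sap/bc/nwbc",
              "https://docs.partner.example:8443/help/index.html",
              "file:///c:/temp/report.pdf"):
        print(u, "->", "trusted" if is_trusted(u, ROWS, SYSTEM_HOST) else "blocked")
```

Running candidate role URLs through such a model shows which entry, if any, would let each target through, and makes overly broad HOST or URL patterns visible before they are entered in SE16.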