APC Security Features
There are some security aspects that you need to consider when creating ABAP Push Channels (APC) applications.
Virus Scan
For the APC, you can specify a virus scan profile for outgoing and incoming messages. This profile is used when the virus scan interface (VSI) runs checks.
Authorization Checks
Authorization Check for WebSocket Origin Header
WebSocket messages can usually only be handled if the WebSocket object is created by a file or website served from the same address or domain as the APC application (same-origin request). In all other cases, you need to explicitly permit the calling addresses or domains by creating entries in the table APC_CROSS_ORIGIN using transaction SAPC_CROSS_ORIGIN. Maintaining these entries requires authorization for the fields of authorization object S_APC_ORIG.
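To make the decision described above concrete, the following is an added Python example (not SAP code and not the APC framework's own logic) that evaluates the Origin header of a WebSocket handshake the way the text describes: a same-origin request passes, any other origin must match an allowlist, and everything else is rejected. The handshake request, the server origin and the allowlist entries are all constructed for the example; the allowlist stands in for entries in APC_CROSS_ORIGIN, and the choice to deny a missing, "null" or malformed Origin header is an assumption of this example, not a statement about APC behaviour.

```python
from urllib.parse import urlsplit

# Constructed allowlist playing the role of APC_CROSS_ORIGIN entries (assumption):
# each entry is an exact (scheme, host, port) triple that is permitted cross-origin.
CROSS_ORIGIN_ALLOWLIST = {
    ("https", "portal.example.com", 443),
    ("https", "ui.example.org", 8443),
}


def parse_origin(origin):
    """Normalise an Origin header value to (scheme, host, port).

    Returns None for a missing, "null" or malformed value so the caller
    can treat all three the same way (deny).
    """
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A serialised origin is scheme://host[:port] only; anything more is suspicious.
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def is_origin_permitted(origin_header, server_origin, allowlist=CROSS_ORIGIN_ALLOWLIST):
    """Same-origin requests are accepted; other origins must be on the allowlist."""
    origin = parse_origin(origin_header)
    server = parse_origin(server_origin)
    if origin is None or server is None:
        return False  # assumption of this example: no usable Origin means deny
    if origin == server:
        return True
    return origin in allowlist


def origin_from_handshake(raw_request):
    """Extract the Origin header from a raw HTTP upgrade request (constructed input)."""
    lines = raw_request.split("\r\n")
    for line in lines[1:]:          # skip the request line
        if not line:                # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "origin":
            return value.strip()
    return None


def evaluate_handshake(raw_request, server_origin, allowlist=CROSS_ORIGIN_ALLOWLIST):
    """Return (permitted, origin_value) for one handshake request."""
    origin_value = origin_from_handshake(raw_request)
    return is_origin_permitted(origin_value, server_origin, allowlist), origin_value


# Constructed sample handshake: a page from another site opening the PING channel.
SAMPLE_HANDSHAKE = (
    "GET /sap/bc/apc/sap/ping HTTP/1.1\r\n"
    "Host: sapserver.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://other.example.net\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)

if __name__ == "__main__":
    permitted, origin = evaluate_handshake(SAMPLE_HANDSHAKE, "https://sapserver.example.com")
    print(f"origin={origin!r} permitted={permitted}")
```

Note that scheme and port are part of the comparison: an entry for https on port 443 does not cover the same host over http or on another port, which is the behaviour you want when the allowlist is meant to name exactly the sites that may open the channel.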
Start Authorization Check
Since APC applications can establish connections to ABAP and non-ABAP systems, you may want to control which users can execute an APC application. To do so, you enable a start authorization check using the S_START authorization object.
Activate Start Authorization Check - (Administrator Activity)
The start authorization check is inactive by default when delivered. To restrict the execution of APC applications to certain users, you, as authorization administrator, can activate the start authorization check. To do so, remove the flag for the R3TR SAPC entry in table USOBAUTHINACTIVE using transaction SM30.
Before you activate the start authorization check, you must adjust the Profile Generator (PFCG) role that authorizes assigned users to start APC applications. You need to include the required APC applications in the role menu of the relevant user role.
Find more details on how to activate the start authorization check and adjust role menus in Authorization Checks.
Enable Start Authorization Check - (Developer Activity)
When programming an APC application, you, as developer, need to ensure that the application can still be executed once the start authorization check is activated. To do so, you use the start authorization object S_START.
Unlike other authorization objects, which you assign to applications by using transaction SU22 for SAP developments and transaction SU24 for customer developments, S_START is already assigned by default. Thus, when you add your APC application to a user role in PFCG, S_START is automatically included and the start authorization check is enabled. You do not need to insert the start authorization object into roles manually.
This means that you also do not need to change the status of the default proposal value for S_START in SU22 or SU24. The status must remain No. For more information, see the paragraph Guidelines for Setting the Default Status in Editing Authorization Default Data (Development System).
Activation of ICF Services
Each APC application requires a path entry in transaction SICF. For security reasons, this entry is inactive by default. Before an APC application can be used, you must first activate the associated APC path in transaction SICF. The path to an APC application is /sap/bc/apc/<name space>/<application name> (for example, /sap/bc/apc/sap/ping for the application PING).