Security Aspects of Process Orchestration
This section provides an overview of security aspects of Process Orchestration.
Business Communication
When Process Orchestration is installed on a system, the installation acts in two roles:
- As “integration broker” using the Process Integration runtime
  Process Orchestration uses the functions of the Advanced Adapter Engine Extended (AEX) and therefore the Advanced Adapter Engine as runtime component.
  More information on the security aspects of the integration broker: Business Communication
- As host for business components implementing applications based on SAP Business Process Management (BPM)
To explain in more detail how the components interact at runtime, the following section describes the sequence of message processing.
- An external business system sends a message to the Process Orchestration system.
- According to the settings of an integrated configuration (with a key that matches the message header address fields), a business component representing a BPM-based application is determined as the receiver. A communication channel based on the SOAP adapter with XI protocol is used for this.
  The user specified in the communication channel requires authorization to log on to the URL of the Java Proxy Runtime, as well as application-specific authorizations. In the case of an application based on BPM, these are the respective BPM security roles.
  In particular, the user specified in the communication channel requires the SAP_XI_APPL_SERV_USER security role to log on to the URL of the Java Proxy Runtime and for message processing, as well as the SAP_BPM_TRIGGER_EVENT role for raising start events or intermediate events of a business process.
- The BPM-based application is executed after a process is started or a message is delivered to an intermediate event step.
  For more details, for example on the process role concept: Business Process Management Security Guide
- When the process reaches an automated activity that uses XI as Service Reference Type, a message is handed over to the Process Integration runtime (AAE) again. In this communication step, the BPM-based application is represented as a sender business component, according to its configuration.
- This hand-over is typically performed by the service user SAP_BPM_Service or, if Principal Propagation is used, by the propagated user.
  More information: Principal Propagation
- If you have configured Access Control List (ACL)-based authorizations for service users in the Integration Directory for this communication, you have to adapt them accordingly.
  More information: User Management and Authorization Concepts (AEX) under ACL-Based Authorizations
User Management and Authorization Concept
As a Process Orchestration system is based on Application Server (AS) Java, the general User Management concepts of the AS Java apply to both the Process Integration-specific concepts and the concepts of the installed components of the Composition Environment, mainly the BPM component.
More information: User Management of the Application Server Java
For the Process Integration-specific user management and authorization concepts, see: User Management and Authorization Concepts (AEX)
In particular, see the sections related to the AEX:
For the BPM-specific concepts, see the corresponding sections of the Business Process Management Security Guide. In the Authorizations and Roles section, you can find a list with all roles and their corresponding authorizations needed for BPM.
Important configuration tasks in SAP NetWeaver Administrator require authorizations for the corresponding workspace (SAP NetWeaver Administrator under ).
More information: Authorizations
Default User
During initial technical configuration of Process Orchestration, a default technical user is created that can be entered in communication channels addressing the local Java Proxy Runtime URL to connect to BPM processes. Its default name is PIBPMMSG<SID>, where <SID> is the System ID of the installation. The name can be changed during the initial setup. The roles SAP_XI_APPL_SERV_USER and SAP_BPM_TRIGGER_EVENT are assigned to this user.
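The two roles above are the complete set the guide names for a user entered in a communication channel, which makes them a natural least-privilege baseline to audit against: a missing role breaks message processing or event triggering, an extra role means the technical user carries authorizations the channel does not need. The following is an added example, not SAP code and not using any SAP API; it reads a constructed "user,role" export (the CSV layout is an assumption; a real user-management export would first be mapped to the same user/role pairs, and "PO1", ZCHANNELUSER and the "Administrator" assignment are made up) and reports, per channel user, which documented roles are missing and which additional roles should be reviewed.

```python
"""Least-privilege audit for Process Orchestration communication-channel users.

Added example; it is not SAP code and does not call any SAP API. It reads a
constructed export of user-to-role assignments (the CSV layout is an
assumption; a real user-management export would first be mapped to the same
(user, role) pairs) and checks that each user entered in a communication
channel holds exactly the roles the guide names for that purpose.
"""
import csv
import io
from collections import defaultdict

# Roles the guide names for the user specified in the communication channel:
# one to log on to the Java Proxy Runtime URL and process messages, one to
# raise start or intermediate events of a BPM process.
REQUIRED_CHANNEL_ROLES = frozenset({"SAP_XI_APPL_SERV_USER", "SAP_BPM_TRIGGER_EVENT"})

# Constructed sample export. "PO1" stands in for the system ID <SID>; the
# user ZCHANNELUSER and the extra "Administrator" assignment are made up.
SAMPLE_EXPORT = """\
user,role
PIBPMMSGPO1,SAP_XI_APPL_SERV_USER
PIBPMMSGPO1,SAP_BPM_TRIGGER_EVENT
PIBPMMSGPO1,Administrator
ZCHANNELUSER,SAP_XI_APPL_SERV_USER
ZCHANNELUSER,SAP_BPM_TRIGGER_EVENT
SAP_BPM_Service,SAP_BPM_TRIGGER_EVENT
"""


def parse_assignments(export_text: str) -> dict[str, set[str]]:
    """Map each user to the set of roles assigned to it."""
    assignments: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"].strip()
        role = row["role"].strip()
        if user and role:
            assignments[user].add(role)
    return dict(assignments)


def audit_channel_user(assignments: dict[str, set[str]], user: str) -> dict:
    """Compare one channel user's roles against the documented set.

    'missing' roles mean logon, message processing or event triggering will
    fail; 'extra' roles mean the technical user carries authorizations beyond
    what the channel needs and should be reviewed. A user absent from the
    export is reported with every required role missing.
    """
    held = assignments.get(user, set())
    missing = REQUIRED_CHANNEL_ROLES - held
    extra = held - REQUIRED_CHANNEL_ROLES
    return {"user": user, "missing": missing, "extra": extra,
            "ok": not missing and not extra}


def audit_channel_users(assignments: dict[str, set[str]], users: list[str]) -> list[dict]:
    """Audit every user that is referenced in a communication channel."""
    return [audit_channel_user(assignments, u) for u in users]


if __name__ == "__main__":
    findings = audit_channel_users(parse_assignments(SAMPLE_EXPORT),
                                   ["PIBPMMSGPO1", "ZCHANNELUSER", "NOSUCHUSER"])
    for f in findings:
        status = "OK" if f["ok"] else "REVIEW"
        print(f"{f['user']}: {status} "
              f"missing={sorted(f['missing'])} extra={sorted(f['extra'])}")
```

Run against the constructed export, the default user is flagged for the extra "Administrator" role, ZCHANNELUSER passes, and the unknown user is reported with both required roles missing. The list of channel users to audit is an input rather than something derived from the export, because only the Integration Directory configuration says which users are actually entered in communication channels.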
Additional Roles
To expose SAP back-end data as OData services using the Gateway Java, you need additional roles with authorizations that determine access to applications. For more information, see Authorizations in Gateway to Access Applications.