Roles in the SAP Gateway Landscape
Use
SAP Gateway provides predefined roles as templates for developers, administrators, end users of the content scenarios, and support colleagues. You configure the roles based on the provided templates and assign users to the roles.
The role templates specify the authorizations for content that can be accessed by users of the specific consumer server application. Using the predefined roles in a specific application you can designate a user or a group of users as a unit, such as manager, employee, purchaser, supplier, and many more. These users have access to specific content and resources in that application.
User Types and Roles
You can find the complete list of role templates for SAP Gateway in User, Developer, and Administrator Authorizations.
- In the SAP Gateway system, enter transaction PFCG to start role maintenance.
- Enter the name of the role /IWFND/RT_GW_USER.
- Choose Single Role to create the user role.
- Open the Menu tab and click on the arrow of the Transaction button to choose what you want to assign to the new user role, for example, transactions, reports, and Web addresses.
- Open the Authorizations tab and choose Change Authorization Data to specify a profile for the role. Depending on the activities you selected, an input window may appear that prompts you to enter the organizational levels.
- Use input help (F4) to select the ID of the required service. If you enter a particular value in the dialog box, the authorization fields of the role are maintained automatically. If you want to enable all the services for a user or a user group, enter an asterisk (*); the system automatically calculates a hash value and then provides a GUID when you enter an asterisk for a service name. The authorizations that are proposed automatically for the selected activities of the role are displayed on the next screen. Some authorizations have default values. Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. You can maintain the authorization values by expanding the object classes and clicking the blank fields displayed to the right of the authorization field name. Any authorizations that you define manually in this way are not overwritten when you copy more activities into the role and edit the authorizations again.
- Choose Generate. You are prompted to enter an authorization profile name. Return to the role maintenance screen.
- Open the Users tab and assign users or user groups to the role.
- Save your entries.
Where you require additional checks for backend services, implement the checks in the appropriate backend system.
Assignments of Authorization Objects
To use individual SAP Gateway framework or application services, the user role needs to have the corresponding authorizations. You can find the authorization proposals in transaction SU22.
- In the SAP Gateway hub system, the repository objects are R3TR IWSG and R3TR IWOM.
- In the SAP Business Suite backend system, all authorizations are collected in the repository object R3TR IWSV.
To assign authorization objects proceed as follows:
- In transaction SU22, set Type of Application to TADIR Service.
- Enter R3TR as Program ID.
- Enter IWSG as Object Type in an SAP Gateway hub system or IWSV as Object Type in an SAP Business Suite backend system.
- For the Object Name enter the actual service name, for example, /IWFND/SG_SAMPLE_USER_<version>.
- Choose Execute (F8).
The authorization objects assigned to the TADIR service are displayed.

Currently, there are several services delivered by the SAP Gateway framework:
- For productive usage, for example, /IWFND/SG_MED_CATALOG. This is a service allowing exploration of the (framework or application) services exposed by the SAP Gateway framework.
- Test applications provided by the SAP Gateway, for example, /IWFND/SG_SAMPLE_USER_<version>.
In addition to the authorizations maintained in the SU22 proposal, the role needs to have the authorization object S_SERVICE assigned with the following specifications:
| Type of Application: | TADIR Service |
| Program ID: | R3TR |
| Object Type: | IWSG or IWSV |
| Object Name: | <Service Name>, for example, /IWFND/SG_MED_CATALOG |
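To review which roles use the asterisk option from the role procedure above, the following added example (not SAP code and not part of the original page) scans an export of role authorization values and reports every active S_SERVICE authorization whose service name is a wildcard or a range. The export layout (semicolon-separated, columns named after table AGR_1251), the Z_* role names, the authorization names, and the hash value are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: semicolon-separated export of role authorization values,
# columns named after table AGR_1251 (assumed layout). Roles and hash are made up.
SAMPLE_EXPORT = """\
AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH;DELETED
Z_GW_CATALOG_USER;S_SERVICE;T-GW000100;SRV_NAME;0123456789ABCDEF0123456789ABCD;;
Z_GW_CATALOG_USER;S_SERVICE;T-GW000100;SRV_TYPE;HT;;
Z_GW_ALL_SERVICES;S_SERVICE;T-GW000200;SRV_NAME;*;;
Z_GW_ALL_SERVICES;S_SERVICE;T-GW000200;SRV_TYPE;HT;;
Z_GW_OLD;S_SERVICE;T-GW000300;SRV_NAME;*;;X
Z_GW_OLD;S_SERVICE;T-GW000300;SRV_TYPE;HT;;X
Z_GW_RANGE;S_SERVICE;T-GW000400;SRV_NAME;0;F;
Z_GW_RANGE;S_SERVICE;T-GW000400;SRV_TYPE;*;;
Z_OTHER;S_TCODE;T-GW000500;TCD;*;;
"""


def fmt(low, high):
    """Render a single value or a from-to range as text."""
    return f"{low}..{high}" if high else low


def find_broad_service_auths(export_text):
    """Return (role, auth, srv_names, srv_types) for every active S_SERVICE
    authorization whose SRV_NAME holds a wildcard or a from-to range."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        if row["OBJECT"] != "S_SERVICE" or row["DELETED"].strip():
            continue  # other objects, or authorization flagged as deleted
        key = (row["AGR_NAME"], row["AUTH"])
        auths[key][row["FIELD"]].append((row["LOW"].strip(), row["HIGH"].strip()))
    findings = []
    for (role, auth), fields in sorted(auths.items()):
        names = fields.get("SRV_NAME", [])
        if any("*" in low or high for low, high in names):
            findings.append((role, auth,
                             [fmt(*v) for v in names],
                             [fmt(*v) for v in fields.get("SRV_TYPE", [])]))
    return findings


if __name__ == "__main__":
    for role, auth, names, types in find_broad_service_auths(SAMPLE_EXPORT):
        print(f"{role} ({auth}): SRV_NAME={names} SRV_TYPE={types}")
```

Roles reported here grant every service of the listed type rather than one named service, so each finding should map to a documented reason for the broad grant.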
For maintaining services, that is, creating and registering services, two repository objects exist:
- R3TR IWSV: Logical transport object for the transport of an OData Channel Model Group in the IW_BEP component
- R3TR IWMO: Logical transport object for the transport of an OData Channel Model in the IW_BEP component to be in line with the transport concept of an OData Channel Service
This coherent transport concept allows you to assign authorizations to users in the backend system which can differ from the authorizations that the corresponding user can have in the SAP Gateway hub system.
More Information
For more information, see User and Administrator Authorization.