Defining Operation-Specific Security Authorizations for Web Services 
The Web service runtime executes an authority check for every Web service invocation; this is similar to authority checks for starting a transaction or remotely calling an RFC function. For Web service calls, the authorization object S_SERVICE is used. Users are granted permissions by assigning the Web service operations to a role in transaction PFCG.
Due to a length restriction, the fields of authorization object S_SERVICE cannot hold meaningful names for the Web service and the operation. Instead of the Web service name and operation name, the fields contain only hash values. Therefore, Web service authorizations cannot be manually assigned to a role, but must be assigned through transaction PFCG. For each combination of Web service name and operation, a hash value is generated the first time a Web service call is performed, based on the specific authorization.
To maintain operation-specific authorizations for Web service calls, you need to know the hash values for the different combinations of Web service and operation.
To find out the hash values for operation-specific Web service authorizations, perform the following steps:
1. Activate the authorization trace using transaction ST01.
   Choose .
   More information: System Trace
2. Call the Web service in question. Users with role SAP_BC_WEBSERVICE_CONSUMER have permission to call all Web services.
3. Assign the Web service operation to a role by using transaction PFCG.
   More information: Role Administration
Note
In a later step, user administrators define authorization profiles for different users of a system by associating the users with a role. A role contains a specific combination of authorizations.