
Configuring OAuth 2.0 Token Context Revocation

Resource owners only have access to their own access tokens. They can only display and revoke their own tokens. Administrators can see their own access tokens and those that were issued by a number of users or by a specified user group. If several administrators are responsible for users who belong to organizational units, it makes sense to restrict access token revocation and display either by user or by user group.

Prerequisites

If you want to display or revoke OAuth 2.0 access tokens as a resource owner or administrator, you have activated the following services in the Internet Communication Framework (transaction SICF):

/sap/bc/webdynpro/sap/oauth2_revocation

This service enables a user to use access token revocation.

/sap/bc/webdynpro/sap/oauth2_revoke_adm

This service enables a user to use access token revocation in administrator mode.

Context

For an administrator to be able to display and revoke all kinds of tokens, he or she needs to have the following authorizations:

S_OA2_OBJ/Revocation

This is the authorization an administrator needs to start the transaction S_OAUTH2_REVOKE_ADM.

S_OA2_CL/CLIENT/03 for display

S_OA2_CL/CLIENT/02 for revocation

With this authorization, an administrator can display and/or revoke tokens that are assigned to certain OAuth 2.0 clients.

S_USR_GRP/CLASS/03 for display

S_USR_GRP/CLASS/22 for revocation

With this authorization, an administrator can display and/or revoke tokens that are assigned to a certain user group. Determine the user group in the User Maintenance tool (transaction SU01).

Note

The token revocation dialog does not explicitly display the user group, but an administrator sees all users that belong to this specific user group.

Note

If users do not have any of these authorizations and start the transaction for token context revocation, these users can only display and revoke their own token contexts (like a resource owner).
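The following is an added model of the authorization rules described above (constructed for this page, not SAP code): it treats S_OA2_OBJ as the gate for administrator mode, S_OA2_CL and S_USR_GRP as filters on the token's client and on the owner's user group, and falls back to resource-owner mode (own tokens only) when none of them is granted. It assumes that the client filter and the user-group filter must both pass, and that `*` stands for a wildcard value in the role.

```python
from dataclasses import dataclass, field

# Constructed model of the checks described above, not SAP's code.
# Activity values from the page: S_OA2_CL CLIENT 03 = display, 02 = revoke;
# S_USR_GRP CLASS 03 = display, 22 = revoke.
DISPLAY, REVOKE_CLIENT, REVOKE_GROUP = "03", "02", "22"

@dataclass(frozen=True)
class Token:
    owner: str        # resource owner (SAP user name)
    client: str       # OAuth 2.0 client the token was issued for
    user_group: str   # owner's user group as maintained in SU01

@dataclass
class Admin:
    user: str
    revocation_obj: bool = False                       # S_OA2_OBJ / Revocation
    client_actvt: dict = field(default_factory=dict)  # S_OA2_CL: CLIENT -> {ACTVT}
    group_actvt: dict = field(default_factory=dict)   # S_USR_GRP: CLASS -> {ACTVT}

def _has(auth: dict, value: str, actvt: str) -> bool:
    """True if the role grants ACTVT for this value or for the wildcard '*'."""
    return actvt in (auth.get(value, set()) | auth.get("*", set()))

def _in_admin_scope(admin: Admin, token: Token, client_act: str, group_act: str) -> bool:
    # Assumption: the client filter and the user-group filter must both pass.
    return (admin.revocation_obj
            and _has(admin.client_actvt, token.client, client_act)
            and _has(admin.group_actvt, token.user_group, group_act))

def may_display(admin: Admin, token: Token) -> bool:
    # Resource-owner mode: a user always sees their own tokens.
    return token.owner == admin.user or _in_admin_scope(admin, token, DISPLAY, DISPLAY)

def may_revoke(admin: Admin, token: Token) -> bool:
    return token.owner == admin.user or _in_admin_scope(admin, token, REVOKE_CLIENT, REVOKE_GROUP)

def visible_tokens(admin: Admin, tokens) -> list:
    """Tokens the revocation dialog would list for this user."""
    return [t for t in tokens if may_display(admin, t)]

# Constructed sample data: three tokens, three callers with different roles.
TOKENS = [Token("ALICE", "CLIENT_A", "SALES"),
          Token("BOB", "CLIENT_A", "HR"),
          Token("CAROL", "CLIENT_B", "SALES")]
SALES_ADMIN = Admin("SADM", True, {"CLIENT_A": {"03", "02"}}, {"SALES": {"03", "22"}})
AUDITOR = Admin("AUDIT", True, {"*": {"03"}}, {"*": {"03"}})   # display only, all scopes
BOB = Admin("BOB")                                              # no admin authorizations
```

Running `visible_tokens` for each of the three callers shows the restriction by client and user group, the display-only auditor, and the plain user who only sees his own token.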

Procedure

  1. Start Role Maintenance (transaction PFCG).
  2. Select your administrator's role.
  3. Enter the relevant roles for token revocation.
  4. Save your changes.
    Tip: For more information, see the SAP NetWeaver Library under Application Help > Identity Management > User and Role Administration > Administration of Users and Roles > User Administration.