Resource owners can only display and revoke their own access tokens. Administrators can see their own access tokens and, depending on their authorizations, also display and revoke tokens issued to other users, either for specific OAuth 2.0 clients or for a specified user group. If several administrators are responsible for users in different organizational units, it makes sense to restrict access token display and revocation by user group or by client.
To display or revoke OAuth 2.0 access tokens as a resource owner or administrator, the following services must be activated in transaction SICF:

Service | Purpose
--- | ---
/sap/bc/webdynpro/sap/oauth2_revocation | Enables a user to display and revoke access tokens (resource-owner mode).
/sap/bc/webdynpro/sap/oauth2_revoke_adm | Enables a user to display and revoke access tokens in administrator mode.
For an administrator to be able to display and revoke all kinds of tokens, he or she needs the following authorizations:

Authorization | Meaning
--- | ---
S_OA2_OBJ/Revocation | The authorization an administrator needs to start the transaction S_OAUTH2_REVOKE_ADM.
S_OA2_CL/CLIENT/03 (display), S_OA2_CL/CLIENT/02 (revocation) | With this authorization, an administrator can display and/or revoke tokens that are assigned to certain OAuth 2.0 clients.
S_USR_GRP/CLASS/03 (display), S_USR_GRP/CLASS/22 (revocation) | With this authorization, an administrator can display and/or revoke tokens that are assigned to a certain user group. The user group is maintained per user in User Maintenance (transaction SU01).

Note: The token revocation dialog does not explicitly display the user group, but an administrator sees all users that belong to this specific user group.
If users have none of these authorizations and start the transaction for token context revocation, they can only display and revoke their own token contexts (like a resource owner).
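The authorization model described above can be mirrored in a custom ABAP report that lists or revokes tokens. The following class is an added example written for this page, not SAP's own code. It assumes the authorization field names as the table writes them (CLIENT and ACTVT for S_OA2_CL, CLASS and ACTVT for S_USR_GRP), that the two administrator authorizations are alternatives (either one grants access; the page does not state how they combine), and that the caller has already read the token owner's user group from USR02-CLASS. The S_OA2_OBJ/Revocation check that gates the administrator transaction itself is not modelled here.

```abap
"---------------------------------------------------------------
" Added example, not SAP code: decides whether the current user
" may display or revoke a given access token, following the
" authorization model on this page.
" Activities as stated in the table: 03 = display, 02 = revoke
" (S_OA2_CL), 22 = revoke (S_USR_GRP).
" ASSUMPTION: field names CLIENT/ACTVT and CLASS/ACTVT are taken
" from the page's Object/Field/Value notation; verify in SU21.
"---------------------------------------------------------------
CLASS lcl_token_auth DEFINITION FINAL.
  PUBLIC SECTION.
    TYPES ty_action TYPE c LENGTH 1.          " 'D' display, 'R' revoke

    " iv_client      - OAuth 2.0 client the token was issued for
    " iv_group       - user group (USR02-CLASS) of the token owner,
    "                  read by the caller beforehand (assumption)
    " iv_token_owner - resource owner the token belongs to
    CLASS-METHODS is_allowed
      IMPORTING iv_action         TYPE ty_action
                iv_client         TYPE c
                iv_group          TYPE xuclass
                iv_token_owner    TYPE xubname
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_token_auth IMPLEMENTATION.
  METHOD is_allowed.
    " Map the requested action to the activity values of each object.
    DATA(lv_cl_actvt)  = COND #( WHEN iv_action = 'D' THEN '03' ELSE '02' ).
    DATA(lv_grp_actvt) = COND #( WHEN iv_action = 'D' THEN '03' ELSE '22' ).

    " Resource-owner path: a user may always display and revoke
    " their own tokens, no administrator authorization required.
    IF iv_token_owner = sy-uname.
      rv_allowed = abap_true.
      RETURN.
    ENDIF.

    " Administrator path 1: authorization on the OAuth 2.0 client.
    " If S_OA2_CL has further fields in your system, list them here
    " with DUMMY so the number of fields matches the object.
    AUTHORITY-CHECK OBJECT 'S_OA2_CL'
      ID 'CLIENT' FIELD iv_client
      ID 'ACTVT'  FIELD lv_cl_actvt.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
      RETURN.
    ENDIF.

    " Administrator path 2: authorization on the token owner's
    " user group (assumption: alternatives, not both required).
    AUTHORITY-CHECK OBJECT 'S_USR_GRP'
      ID 'CLASS' FIELD iv_group
      ID 'ACTVT' FIELD lv_grp_actvt.
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

" Usage (hypothetical values): before revoking a token of user
" JSMITH in group ZHR issued for client ZCL_MOBILE, ask
"   lcl_token_auth=>is_allowed( iv_action = 'R' iv_client = 'ZCL_MOBILE'
"                               iv_group = 'ZHR' iv_token_owner = 'JSMITH' )
" and only proceed when abap_true is returned.
```

Before relying on such a check, confirm the field list of S_OA2_CL in transaction SU21: AUTHORITY-CHECK expects every field of the object to be named (DUMMY for fields that are not to be checked), and a mismatch makes sy-subrc non-zero regardless of the user's authorizations, which would silently deny every administrator. Note also that this only reproduces the decision; the standard Web Dynpro services listed above perform their own checks, so a custom report must not be used to bypass them.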