Show TOC

Security Considerations for Service GroupsLocate this document in the navigation structure

Use

You can use Service Groups in applications that consume services and represent a group of services that are consumed together from the same system. Being on the consumer side, Service Groups cannot enforce security rules to Web services on the provisioning side, such as authentication or other rules. Still, one could enforce some policies of the service consumers, for example, to not send a credit card number via a nonencrypted channel. If these policies do not match the policies offered by the Web service, the configuration of the consumers would fail and they would not be able to call the Web services.

To protect the Web services, you can configure them at design time and at runtime. For more information, see Configuring Web Services at Design Time and Configuring Web Services .

Security Intents at Design Time

When a service reference is created at design-time, one could specify how the authentication towards the service has to be done. For example, one could specify that the service shall be called on behalf of the business user working with the consumer application to guarantee that a sales order is created on behalf of a real business user but not on behalf of some technical user. You can set this using the authentication profiles. For more information, see Creating Service Groups .

Later at configuration time an administrator could still choose the technical means how this is done, for example, via SAP Assertion Tickets or SAML.

Security Policies at Runtime

Consumer applications access services remotely and exchange information over the network. Due to this one has to take care that such a network channel is secured. Although this is a task mainly for the provider of the service (to make sure it requires sufficient authentication and has proper permissions), one could also control the channel a consumer would use. For example, if a provider has enabled an encrypted channel as well as a not-encrypted one, the consumer might decide to use the encrypted one only. You can configure this using policies that could be set in the communication profile. For more information, see Preparing Communication Profiles .

Security Roles for Service Group Configuration

The configuration screens in SAP NetWeaver Administrator can be accessed only by users that are allowed to do so. To grant dedicated permissions to a user, assign one of dedicated security roles to his or her user account. For more information, see Authorizations .