SAP Gateway provides predefined roles as templates for developers, administrators, end users of the content scenarios, and support colleagues. You configure the roles based on the provided templates and assign users to the roles.
The role templates specify the authorizations for content that can be accessed by users of the specific consumer server application. Using the predefined roles in a specific application, you can designate a user or a group of users as a unit, such as manager, employee, purchaser, supplier, and many more. These users have access to specific content and resources in that application.
You require administrator authorizations to create roles and users, and to assign roles to users.
User Types and Roles
You can find the complete list of role templates for SAP Gateway in User, Developer, and Administrator Authorizations.
Where you require additional checks for backend services, implement the checks in the appropriate backend system.
Assignments of Authorization Objects
To use individual SAP Gateway framework or application services, the user role needs to have the corresponding authorizations. The authorization proposals can be found in transaction SU22.
In the SAP Gateway hub system, the repository objects are R3TR IWSG and R3TR IWOM.
In the SAP Business Suite backend system, all authorizations are collected in the repository object R3TR IWSV.
To assign authorization objects, proceed as follows:
1. In transaction SU22, set Type of Application to TADIR Service.
2. Enter R3TR as Program ID.
3. Enter IWSG as Object Type in an SAP Gateway hub system or IWSV as Object Type in an SAP Business Suite backend system.
4. For the Object Name, enter the actual service name, for example, /IWFND/SG_SAMPLE_USER_<version>.
5. Choose Execute (F8).
The authorization objects assigned to the TADIR service are displayed.
Currently, there are several services delivered by the SAP Gateway framework:
- For productive usage. For example, /IWFND/SG_MED_CATALOG. This is a service allowing exploration of the (framework or application) services exposed by the SAP Gateway framework.
- Test applications provided by the SAP Gateway. For example, /IWFND/SG_SAMPLE_USER_<version>.
In addition to the authorizations maintained in the SU22 proposal, the role needs to have the authorization object S_SERVICE assigned with the following specifications:
Type of Application: TADIR Service
Program ID: R3TR
Object Type: IWSG or IWSV
Object Name: <Service Name>, for example, /IWFND/SG_MED_CATALOG
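During a role review, the S_SERVICE entries of a role can be checked against the values listed above. The following Python check is an added example, not SAP code: the record layout (dicts keyed by app_type, program_id, object_type, object_name) and the function name check_s_service are assumptions, and the sample role is constructed.

```python
# Added example: validate S_SERVICE entries of a role against the values
# this page lists. The record layout is an assumption, not an SAP export format.

# Object Type expected per system, as stated on this page.
EXPECTED_OBJECT_TYPE = {"hub": "IWSG", "backend": "IWSV"}


def check_s_service(entries, system, required_services):
    """Return a sorted list of findings for one role on one system.

    entries: dicts with keys app_type, program_id, object_type, object_name
    system: "hub" (SAP Gateway hub) or "backend" (SAP Business Suite backend)
    required_services: service names the role must be able to use
    """
    expected_type = EXPECTED_OBJECT_TYPE[system]
    findings, granted = [], set()
    for e in entries:
        name = e.get("object_name", "")
        if e.get("app_type") != "TADIR Service":
            findings.append(f"{name}: Type of Application is not 'TADIR Service'")
        elif e.get("program_id") != "R3TR":
            findings.append(f"{name}: Program ID is not R3TR")
        elif e.get("object_type") != expected_type:
            findings.append(
                f"{name}: Object Type should be {expected_type} on a {system} system")
        elif "<" in name or ">" in name:
            # e.g. <version> or <Service Name> copied without being filled in
            findings.append(f"{name}: Object Name still contains a placeholder")
        else:
            granted.add(name)
    # Services the role needs but for which no well-formed entry exists.
    for svc in sorted(set(required_services) - granted):
        findings.append(f"{svc}: no valid S_SERVICE entry")
    return sorted(findings)


# Constructed sample role (not taken from a real system).
SAMPLE_ROLE = [
    {"app_type": "TADIR Service", "program_id": "R3TR",
     "object_type": "IWSG", "object_name": "/IWFND/SG_MED_CATALOG"},
    {"app_type": "TADIR Service", "program_id": "R3TR",
     "object_type": "IWSV", "object_name": "/IWFND/SG_SAMPLE_USER_<version>"},
]

if __name__ == "__main__":
    for finding in check_s_service(SAMPLE_ROLE, "hub", ["/IWFND/SG_MED_CATALOG"]):
        print(finding)
```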
For maintaining services, that is, creating and registering services, two repository objects exist:
- R3TR IWSV: Logical transport object for the transport of an OData Channel Model Group in the IW_BEP component
- R3TR IWMO: Logical transport object for the transport of an OData Channel Model in the IW_BEP component to be in line with the transport concept of an OData Channel Service
This coherent transport concept allows you to assign authorizations to users in the backend system which can differ from the authorizations that the corresponding user can have in the SAP Gateway hub system.
For more information, see User and Administrator Authorization.