Securing the SAPUI5
Repository
This chapter is only relevant if you're using the SAPUI5 ABAP repository and the ABAP back-end infrastructure. The SAPUI5 repository bases on the BSP repository.
The SAPUI5 repository team provider connected against a SAP NetWeaver 7.3 EHP1 ABAP system with UI add-on or a SAP NetWeaver 7.4 SPS01 or higher can be used to synchronize the SAPUI5 application resources between Eclipse and the SAPUI5 repository on the ABAP system.
For more information on the use of SAPUI5 repository team provider, see the Security Guide for ABAP development tools, which is part of the ABAP Development User Guide and the SAP NetWeaver Security Guide.
As an alternative for the SAP Business Suite system 7.00 and higher - especially from version 7.31 - you may use the interactive ABAP report /UI5/UI5_REPOSITORY_LOAD or /UI5/UI5_REPOSITORY_LOAD_HTTP, which offer a similar functionality. Compared to the SAPUI5 Repository Team Provider it does not offer a built-in code merge. Here, a separate source code repository such as git or Subversion (SVN) may be used.
Authorization Objects for SAPUI5 Repository Team Provider
| Authorization object | Description |
|---|---|
| S_DEVELOP | The authorization object S_DEVELOP is needed to create, update and delete SAPUI5 applications in the SAPUI5 Repository. |
| S_ICF_ADM | The authorization object S_ICF_ADM is needed to create the SAPUI5 application-specific ICF node under /sap/bc/ui5_ui5/ |
| S_TRANSPORT | The authorization object S_TRANSPRT is used to create new transport request or new task. |
| S_CTS_ADMI | The authorization object S_CTS_ADMI is needed to transport SAPUI5 applications. |
| S_CTS_SADM | The authorization object S_CTS_SADM is needed to transport SAPUI5 applications. |
| S_ADT_RES | The authorization object S_ADT_RES is used for the communication between Eclipse and the ABAP backend via the SAPUI5 Repository Team Provider. |
| S_RFC | The authorization object S_RFC, Activity 16 (Execute) with RFC_NAME=SADT_REST_RFC_ENDPOINT and RFC_TYPE=FUNC, is used for the communication between Eclipse and the ABAP backend via the SAPUI5 Repository Team Provider. |
For more information about authority checks and working with authorization objects, see SAP NetWeaver 7.0x Security Guides (Complete) on the SAP Help Portal at http://help.sap.com/netweaver.
Delivered Virus Scan Profiles
When uploading files to the SAPUI5 repository, you can perform a virus scan.
As of SAP NetWeaver 7.0 with UI add-on, SAP delivers the following virus scan profile for ABAP within the UI add-on: /UI/UI5_INFRA_APP/REP_DT_PUT. This profile is used by the SAPUI5 repository API to store files in the SAPUI5 repository based on BSP repository. For example: The upload of a local file using SAPUI5 repository API /UI5/CL_UI5_REP_DT, method /UI5/IF_UI5_REP_DT~PUT_FILE from 7.00 on, or the SAPUI5 repository team provider in 7.31.
The profile is deactivated when delivered. To activate it, first create at least one basis profile and save it as the default profile. You can then activate one of the delivered profiles. By default, it links to a reference profile, which is the default profile. For more information, see ABAB-specific Configuration of the Virus Scan Interface (7.00) and ABAP-specific Configuration of the Virus Scan Profile (7.31)
The SAPUI5 application can be executed from the NW 7.X ABAP System by retrieving the SAPUI5 application resources from the SAPUI5 repository based on BSP repository with the help of an ICF handler.
Delivered ICF Nodes
For the execution of SAPUI5 applications from the SAPUI5 repository, SAP delivers the ICF node /sap/bc/ui5_ui5/. This node contains subnodes for each SAPUI5 application.
For more information, see also Activating and Deactivating ICF Services (7.00 EhP3) in
the SAP Library for SAP NetWeaver on SAP Help Portal at 
SAP NetWeaver 
SAP NetWeaver Library SAP NetWeaver by Key Capability Application Platform by Key Capability Connectivity Components of SAP Communication Technology Communication between ABAP and Non-ABAP Technologies Internet Communication Framework Development 
.
For more information about ICF security, see SAP NetWeaver Security Guide on SAP Service Marketplace under
SAP NetWeaver 7.0x Security Guides
(Complete)
SAP
NetWeaver 7.0x Security Guides (Online Version)
Security
Guides for Connectivity and Interoperability Technologies RFC/ICF Security Guide
.
Authorization Objects
No specific authorization objects are needed to execute SAPUI5 applications from the SAPUI5 repository.
As for ICF service nodes in general, authorization
for specific ICF service nodes can be restricted, see
Defining Service Data in the SAP
Library for SAP NetWeaver on SAP Help Portal under
SAP NetWeaver SAP NetWeaver Library SAP NetWeaver by Key Capability
Connectivity
Components
of SAP Communication Technology Communication between ABAP and Non-ABAP
Technologies
Internet
Communication Framework
Development
Server-Side
Development
Creating
and Configuring ICF Services
Create
Service
and
Authorization Object S_ICF
(7.00 EHP3) or SAP Library for SAP NetWeaver on SAP Help Portal under
SAP NetWeaver
SAP
NetWeaver Library SAP
NetWeaver by Key Capability
Application
Platform by Key Capability
Connectivity
Components
of SAP Communication Technology
Communication between ABAP and Non-ABAP
Technologies
Internet
Communication Framework
Development
.
Code changes can be tracked by using the usual ABAP version control of the corresponding resource file. A new version is created when a new transport is written.
Text changes can be tracked by using the "Table History" transaction (SCU3), the relevant tables for SAPUI5 texts are /UI5/TREP_TEXT and /UI5/TREP_TEXT_T for the translated text. Table logging has to be activated in the system for this functionality.
From SAP NetWeaver 7.31, the SAPUI5 application index REST API can be executed from ABAP systems with an ICF handler to get the transitive dependencies of an app.
This API is not for public use. It's only used when packaging SAP Fiori apps with SAP Mobile Platform Hybrid SDK plugins.
Delivered ICF Nodes
For the execution of the SAPUI5 application index REST API, SAP delivers the ICF node /sap/bc/ui2/app_index.
All services delivered by SAP (such as the /sap/bc/ui2/app_index service) are initially inactive. Make sure that you activate all required services.
For more information about ICF services, see SAP Library for SAP NetWeaver 7.0 on SAP Help Portal at http://help.sap.com/nw703. Under Application Help, open SAP Library and search for Activating and Deactivating ICF Services.
For more information about ICF security, see SAP Library for SAP NetWeaver 7.0 on SAP
Help Portal at http://help.sap.com/nw703 under Security Information Security Guides for Connectivity and Interoperability
Technologies RFC/ICF Security Guide .
For more information about the SAPUI5 application index, see SAPUI5 Application Index.