As NWBC is an HTTP-based application framework, it also supports the usual security concepts offered by Internet Communication Framework (ICF).
Whenever NWBC (as a shell, not the content area) accesses the ABAP server, this is handled by the NWBC HTTP handler CL_NWBC_HTTP. You can find this handler in the ICF service tree (transaction HTTP Service Hierarchy Maintenance ( SICF)) under /sap/bc/ui2/nwbc (when using UI services runtime) or /sap/bc/nwbc (when using NWBC runtime). To allow NWBC to access the server, the corresponding node must be active in the ICF tree. In addition, there is an external alias defined and shipped:
The alias can also be security-relevant, but not for access control.
For security reasons, the only services that should be active in the HTTP service tree are those services that are really needed. If you activate nodes at a higher level, the whole part of the service tree below this level is also active and accessible through HTTP.
The second security-relevant aspect of the ICF nodes are all logon configurations that are handled using the ICF layer.
This ICF node controls only access of the NWBC shell to the server; it does not control or enforce any access needed by an application to run. This is controlled by the different relevant frameworks.
For example, for Web Dynpro ABAP applications a large number of additional ICF nodes need to be activated.
Similarly, if other types of applications, such as BSPs or BI are loaded, their relevant ICF nodes must also be active.
Below the nwbc node in the ICF tree, some special nodes exist that are explained in detail in Active Services in the ICF.
From a security viewpoint, the following nodes play a role:
Node for Users of UI Services Runtime |
Node for Users of NWBC Runtime |
Security-Relevance |
---|---|---|
/sap/bc/ui2/nwbc |
/sap/bc/nwbc |
Must be active to use productively |
/ui2/nwbc |
/nwbc |
Should be available to use productively |
/sap/bc/ui2/nwbc/nwbc_launch |
/sap/bc/nwbc/nwbc_launch |
We recommend that this node be deactivated. |
/sap/bc/ui2/nwbc/nwbc_test |
/sap/bc/nwbc/nwbc_test |
We highly recommend that this node be deactivated. |
/sap/bc/ui2/nwbc/nwbc_testcanvas |
/sap/bc/nwbc/nwbc_testcanvas |
We highly recommend that this node be deactivated. |
/sap/bc/ui2/nwbc/nwbc_debug |
/sap/bc/nwbc/nwbc_debug |
We highly recommend that this node be deactivated. |
/sap/bc/ui2/nwbc/exprt_sapportal |
/sap/bc/nwbc/exprt_sapportal |
We recommend to deactivate this node, unless the functionality is explicitly used with an enterprise portal in your system landscape. |
/sap/bc/ui2/nwbc/nwbc_ext2int |
/sap/bc/nwbc/nwbc_ext2int |
If you want to use the side panel, this node must be active. |