
As NWBC is an HTTP-based application framework, it also supports the usual security concepts as they are offered in the Internet Communication Framework (ICF). For more information, see ICF Scenarios.
Whenever NWBC (as a shell, not the canvases) accesses the ABAP server, this is handled by the NWBC HTTP handler CL_NWBC_HTTP. You can find this handler in the ICF service tree (transaction SICF), under /sap/bc/nwbc. To allow the NWBC to access the server, the corresponding node has to be active in the ICF tree. For more information, see 4.2 Active Service Nodes in the ICF.
In addition, an external alias /nwbc is defined and shipped that points directly to the ICF path /sap/bc/nwbc. This alias can also be security relevant, but not for access control. For more information, see External Aliases.
For security reasons, the only services that should be active in the HTTP service tree are those that are really needed. If you activate nodes at a higher level, the whole part of the service tree below this level is also active and accessible via HTTP. For more information, see Activating and Deactivating Services.
The second security-relevant aspect of the ICF nodes is the set of logon configurations that are handled via the ICF layer. For more information, see Defining the Logon Procedure.
Caution
Note that this ICF node only controls access of the NWBC shell to the server. It does not control or enforce any access that an application might need in order to run. This is controlled by the different relevant frameworks.
For example, for Web Dynpro ABAP applications a large number of additional ICF nodes need to be activated. For more information, see Active Services in SICF for WDA.
Similarly, if other types of applications, such as BSPs or BI, are loaded, their relevant ICF nodes also need to be active.
Below the nwbc node in the ICF tree are some special nodes which are explained in detail in 4.2 Active Service Nodes in the ICF. From a security viewpoint, the following nodes play a role:
| Node | Security-Relevance |
|---|---|
| /sap/bc/nwbc | Must be active to use productively. |
| /nwbc | Should be available to use productively. |
| /sap/bc/nwbc/nwbc_launch | We recommend deactivating this node. |
| /sap/bc/nwbc/nwbc_test | We highly recommend deactivating this node. |
| /sap/bc/nwbc/nwbc_testcanvas | We highly recommend deactivating this node. |
| /sap/bc/nwbc/nwbc_debug | We highly recommend deactivating this node. |
| /sap/bc/nwbc/exprt_sapportal | We recommend deactivating this node, unless the functionality is explicitly used with an enterprise portal in your system landscape. |
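
The recommendations in the table can be checked mechanically against a list of node states. The following is an added example, not SAP code: the `path,active` CSV layout, the `X` activation marker, the path normalisation, and the function names are assumptions made for illustration, and the sample export is constructed.

```python
import csv
import io

# Baseline copied from the table above: path -> (expected state, strength).
BASELINE = {
    "/sap/bc/nwbc": ("active", "must"),
    "/nwbc": ("active", "should"),
    "/sap/bc/nwbc/nwbc_launch": ("inactive", "recommended"),
    "/sap/bc/nwbc/nwbc_test": ("inactive", "highly recommended"),
    "/sap/bc/nwbc/nwbc_testcanvas": ("inactive", "highly recommended"),
    "/sap/bc/nwbc/nwbc_debug": ("inactive", "highly recommended"),
    "/sap/bc/nwbc/exprt_sapportal": ("inactive", "recommended"),
}
PORTAL_NODE = "/sap/bc/nwbc/exprt_sapportal"

def normalise(path):
    # Assumption for this example: compare paths without case or trailing slash.
    return path.strip().rstrip("/").lower()

def load_states(csv_text):
    """Parse 'path,active' rows (assumed layout) into {path: bool}."""
    states = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flag = (row["active"] or "").strip().lower()
        states[normalise(row["path"])] = flag in ("x", "true", "1", "yes")
    return states

def audit(states, portal_in_use=False):
    """Return (path, actual state, detail) for every deviation from the table."""
    findings = []
    for path, (expected, strength) in BASELINE.items():
        if path == PORTAL_NODE and portal_in_use:
            continue  # the table's exception: portal export is explicitly used
        if path not in states:
            # A node missing from the export is reported, never assumed inactive.
            findings.append((path, "unknown", f"not in export; expected {expected} ({strength})"))
            continue
        actual = "active" if states[path] else "inactive"
        if actual != expected:
            findings.append((path, actual, f"expected {expected} ({strength})"))
    return findings

# Constructed sample export; nwbc_testcanvas is deliberately missing.
SAMPLE_EXPORT = """path,active
/sap/bc/nwbc,X
/nwbc,X
/sap/bc/nwbc/nwbc_launch,
/sap/bc/nwbc/nwbc_test,X
/sap/bc/nwbc/NWBC_DEBUG/,X
/sap/bc/nwbc/exprt_sapportal,X
"""

if __name__ == "__main__":
    for path, actual, detail in audit(load_states(SAMPLE_EXPORT)):
        print(f"{path}: {actual}, {detail}")
```

Pass `portal_in_use=True` when the portal export node is deliberately active for an enterprise portal in the landscape.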