The Backend Event Publisher (BEP) verifies security in the following ways:
To maintain BEP backend configurations, the user must have BEP administration rights. A separate role template is available for this.
For information on all role templates, see User, Developer, and Administrator Authorizations.
Users who would like to subscribe to an event need to have the following:
1. An authorized user in SAP Gateway as well as in the backend system.
2. Authorization to run subscription RFCs in the backend. For this they will need to use the user role template /IWBEP/RT_BEP_USR (role for all BEP users).
3. In addition, a BEP backend administrator maintains a list of systems that are allowed to use this service; the user can only use this service from these systems. This list is maintained in the configuration table /IWBEP/C_SYSTEM.
The user authorization check is carried out prior to sending a subscription request to BEP.
A notification using BEP can only be sent to defined systems (that is, systems that have been configured by the backend administrator - see Subscription, list item 3).
No authorization check is carried out for the data. The notification data typically contains the event ID and an object reference.