
Roles in the SAP Gateway Landscape


SAP Gateway provides predefined roles as templates for developers, administrators, end users of the content scenarios, and support colleagues.

You configure the roles based on the provided templates and assign users to the roles.

The role templates specify the authorizations for content that can be accessed by users of the specific consumer server application. Using the predefined roles in a specific application, you can designate a user or a group of users as a unit, such as manager, employee, purchaser, supplier, and many more. These users have access to specific content and resources in that application.


You require administrator authorizations to create roles and users, and to assign roles to users.

User Types and Roles

You can find the complete list of role templates for SAP Gateway in User, Developer, and Administrator Authorizations.

Creating Roles for All Users to Access All Services Using the Profile Generator

To create roles to provide all users with access to all services, proceed as follows:

  1. In the SAP Gateway system, enter transaction PFCG to start role maintenance.

  2. Enter the name of the role /IWFND/RT_GW_USER.


    You should create a naming convention for your roles so that you can differentiate between single and composite roles.

  3. Choose Single Role to create the user role.

  4. Open the Menu tab and click on the arrow of the Transaction button to choose what you want to assign to the new role, for example, transactions, reports, and Web addresses.

  5. Open the Authorizations tab and choose Change Authorization Data to specify a profile for the role. Depending on the activities you selected, an input window may appear that prompts you to enter the organizational levels.

  6. Use input help (F4) to select the ID of the required service. If you enter a particular value in the dialog box, the authorization fields of the role are maintained automatically.

    If you want to enable all the services for a user or a user group, enter an asterisk (*). The system automatically calculates a hash value and then provides a GUID when you enter an asterisk or a service name.

    The authorizations that are proposed automatically for the selected activities of the role are displayed on the next screen. Some authorizations have default values. Wherever traffic lights appear in the tree display, you must adjust the authorization values manually. You can maintain the authorization values by expanding the object classes and clicking on the blank fields displayed to the right of the authorization field name. Any authorizations that you define manually in this way are not overwritten when you copy more activities into the role and edit the authorizations again.

  7. Choose Generate. You are prompted to enter an authorization profile name. Return to the role maintenance screen.

  8. Open the Users tab and assign users or user groups to the role.

  9. Save your entries.

Where you require additional checks for backend services, implement the checks in the appropriate backend system.

Assignments of Authorization Objects

To use single SAP Gateway framework or application services, the user role needs to have the corresponding authorizations. The proposals can be found in transaction SU22.

  • In the SAP Gateway hub system, the repository objects are R3TR IWSG and R3TR IWOM.

  • In the SAP Business Suite backend system, all authorizations are collected in the repository object R3TR IWSV.

To assign authorization objects, proceed as follows:

  1. In transaction SU22, set Type of Application to TADIR Service.

  2. Enter R3TR as Program ID.

  3. Enter IWSG as Object Type in an SAP Gateway hub system or IWSV as Object Type in an SAP Business Suite backend system.

  4. For the Object Name, enter the actual service name, for example, /IWFND/SG_SAMPLE_USER_[version_number].

  5. Choose Execute (F8).

    The authorization objects assigned to the TADIR service are displayed.

Currently there are several services delivered by the SAP Gateway framework:

  • For productive usage

    For example, /IWFND/SG_MED_CATALOG. This is a service allowing exploration of the (framework or application) services exposed by the SAP Gateway framework.

  • Test applications provided by the SAP Gateway framework

    For example, /IWFND/SG_SAMPLE_USER_[version].

In addition to the authorizations maintained in the SU22 proposal, the role needs to have the authorization object S_SERVICE assigned with the following specifications:

Type of Application: TADIR Service

Program ID:

Object Type:

Object Name: [Service Name], for example, /IWFND/SG_MED_CATALOG
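
The following is an added example, not part of the original SAP documentation. It shows one way to review which roles, and through them which users, hold S_SERVICE with an asterisk instead of an individual service, as the role procedure above allows. The export layout and the column and field names (AGR_NAME, OBJECT, FIELD, LOW, UNAME, SRV_NAME, SRV_TYPE) are assumptions; the sample rows, the Z_ role names, the user names and the hash placeholders are constructed.

```python
import csv
import io

# Constructed sample data (not from a real system). Column names follow an
# assumed export layout: role, authorization object, field, value.
ROLE_AUTHS = """AGR_NAME,OBJECT,FIELD,LOW
/IWFND/RT_GW_USER,S_SERVICE,SRV_NAME,*
/IWFND/RT_GW_USER,S_SERVICE,SRV_TYPE,HT
Z_GW_CATALOG_ONLY,S_SERVICE,SRV_NAME,PLACEHOLDERHASH0000000000000001
Z_GW_CATALOG_ONLY,S_SERVICE,SRV_TYPE,HT
Z_GW_SALES,S_SERVICE,SRV_NAME,PLACEHOLDER*
Z_GW_SALES,S_RFC,RFC_NAME,*
"""

# Constructed role-to-user assignments (what the Users tab maintains).
ROLE_USERS = """AGR_NAME,UNAME
/IWFND/RT_GW_USER,ALICE
/IWFND/RT_GW_USER,BOB
Z_GW_CATALOG_ONLY,CAROL
Z_GW_SALES,BOB
"""

def _rows(text):
    """Parse CSV text into dicts with whitespace stripped from every value."""
    return [{k: v.strip() for k, v in r.items()} for r in csv.DictReader(io.StringIO(text))]

def broad_service_roles(auth_text):
    """Map role -> 'all' (bare asterisk) or 'pattern' (asterisk inside a value)."""
    found = {}
    for r in _rows(auth_text):
        if r["OBJECT"] != "S_SERVICE" or r["FIELD"] != "SRV_NAME" or "*" not in r["LOW"]:
            continue
        level = "all" if r["LOW"] == "*" else "pattern"
        # A bare asterisk outranks a partial pattern on the same role.
        if found.get(r["AGR_NAME"]) != "all":
            found[r["AGR_NAME"]] = level
    return found

def users_with_broad_access(auth_text, user_text):
    """Map user -> sorted list of (role, level) giving wildcard service access."""
    roles = broad_service_roles(auth_text)
    users = {}
    for r in _rows(user_text):
        if r["AGR_NAME"] in roles:
            users.setdefault(r["UNAME"], []).append((r["AGR_NAME"], roles[r["AGR_NAME"]]))
    return {u: sorted(v) for u, v in users.items()}

if __name__ == "__main__":
    for user, grants in sorted(users_with_broad_access(ROLE_AUTHS, ROLE_USERS).items()):
        print(user, grants)
```

Roles reported as "all" are candidates for replacement by roles that list individual service names.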

For maintaining services, that is, creating and registering services, two repository objects exist:


    Logical transport object for the transport of an OData Channel Model Group in the IW_BEP component


    Logical transport object for the transport of an OData Channel Model in the IW_BEP component to be in line with the transport concept of an OData Channel Service


If your system is based on SAP NetWeaver 7.40 or higher, you do not need to install the component IW_BEP since the SAP Gateway Foundation component SAP_GWFND is installed as standard.

This coherent transport concept allows you to assign authorizations to users in the backend system which can differ from the authorizations that the corresponding user can have on the SAP Gateway hub system.

See also Configuration Settings for OData Channel.
