Show TOC

Access Control Using Assigned UsersLocate this document in the navigation structure


For a sender communication component of type Business Service or Business System , you can now restrict access to the runtime environment to particular (service) users. An authorization check is run at runtime to ensure that messages that have the particular communication component entered as the sender in the message header can only be executed on the Integration Server or in the Advanced Adapter Engine by the specified users.

You specify the access control when you configure the corresponding (sender) Communication Component in the Integration Directory.

In addition, you can restrict the access control to a particular interface of the sender. You specify the authorized users in the configuration of the relevant sender agreement , which contains the interface in the object key.

This function is intended specifically for configuring B2B scenarios. In this way you agree a special user with an external business partner for communication using SAP NetWeaver Process Integration. Assign this user to all communication components that the external partner uses to send messages to your Integration Server. The external business partner must include this user when configuring their receiver channels (or when configuring their HTTP destinations).


This function is supported by the following (sender) adapters:

  • XI adapter

  • Plain HTTP adapter

  • RFC adapter (This involves the user that is used for the RFC, which is generally the user used to log on to the SAP system.)

  • IDoc adapter

  • SOAP adapter

  • RNIF (RNIF Adapter 1.1 and RNIF Adapter 2.0)

  • CIDX

  • SAP Business Connector adapter

  • Marketplace adapter


If you use adapters from third-party vendors, refer to the relevant documentation for the adapters to check whether this function is supported.


Assigning Users to a Communication Component

To assign authorized users, in the editor Edit Communication Component , select the Assigned Users tab page. Add a new row for the user and enter the user name manually.

The user names are always treated as case-sensitive by the runtime components involved and are therefore always saved as capital letters.


If no users are specified, there are no access restrictions for this communication component.

Assigning Users to a Sender Agreement

To specify authorized users for a particular interface of the sender, in the editor Edit Sender Agreement, choose the Assigned Users tab page and insert the users line by line.


Note that the users specified for the sender agreement must match those assigned for the communication component, or must at least be a subset of these.

For some adapter types, it is not absolutely necessary to configure a sender agreement (see Sender Agreement ) unless you want to make additional security settings. If you want to make access to the runtime environment dependent on the sender interface, you must define a separate sender agreement that contains the list of authorized users.


A business-to-business process involves a travel agency and the airline Lufthansa . Both business partners agree that the runtime environment of the travel agency will only process messages from Lufthansa when they are sent by using the user USER_LH .

To achieve this, the integration expert who performs the configuration at the travel agency enters the user USER_LH for all sender components of the partner Lufthansa .

The integration expert at Lufthansa must then ensure that all messages that are sent to the travel agency are sent by using the user USER_LH . The integration expert usually makes this setting in the configuration of the receiver channels that are responsible for the outbound processing of the messages destined for the travel agency.

At runtime, a check is then performed at the travel agency to ensure that all messages for which Lufthansa sender components are entered in the message header were sent by using the user USER_LH . The user entered (for the corresponding communication component) is compared with the user with which the message arrives. The runtime of the travel agency will only process the message without errors if both users are identical.

More Information

For more information, see SAP Note 852237.