Show TOC Start of Content Area

Background documentation Authorizations  Locate the document in its SAP Library structure

SAP NetWeaver Voice uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java also apply to the SAP NetWeaver Voice.

For more information, see these security guides:

      SAP NetWeaver Application Server ABAP Security Guide

      SAP NetWeaver Application Server Java Security Guide

Access to the business functionality on back ends requires proper authorization. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For SAP back ends you must create ABAP Authorization Roles. The content of these roles depends on the business functionality that need to be executed over the voice-based application. If you are unsure which authorizations you need, run the authorization trace with transaction ST01.

To maintain roles:

      For ABAP technology, use the profile generator (transaction PFCG).

      For Java, use the User Management Engine’s user administration console.

On all non-SAP back ends you must enforce the available authorization mechanisms.

Standard Roles

Three roles can be considered for SAP NetWeaver Voice:

      Voice application developer

SAP does not provide voice-specific standard roles for developers. Voice developers require the same authorizations and permissions as developers of other NetWeaver applications. Voice developers use the SAP NetWeaver Application Server (AS) and back-end systems, which the voice application must access at runtime.

      End user of a voice application

SAP does not provide standard roles for end users of SAP NetWeaver Voice, as these roles are application-specific depending on the functionality provided.

      Runtime Service of NetWeaver Voice

The Voice Data Runtime accesses back-end systems on behalf of voice applications. As such, it needs to have access to destinations or Web services that have been configured in the J2EE engine through the NetWeaver Administrator. For certain services, the Voice Data Runtime demands the service user voice_rt_service to access these objects. The user voice_rt_service is assigned the administrator role by default, but you can override this manually using the User Management Engine’s user administration console.

Critical Combinations of Authorizations

Developers

Critical combinations of authorizations can be granted inadvertently especially for conjunctions of development and debugging rights. As the authorizations are application-specific, you need to consult your auditing department on the potential of critical authorization combinations. However, if your voice developers are limited to developing in development systems, it is unlikely that they will obtain excessive rights.

Recommendation

We strongly recommend that you do not grant development and debugging authorizations to your voice developers on productive systems. Also, ensure that your voice developers do not violate any corporate segregation-of-duties policies.

End Users

Critical combinations of authorizations by the end-users of your voice applications can also be an issue.

Recommendation

Review the voice-based access with your auditing department and confirm that end-users of your voice-based applications do not violate company-specific segregation-of-duties policies.

 

End of Content Area