Show TOC

Background documentationAuthorizations Locate this document in the navigation structure

 

SAP NetWeaver Voice uses the authorization concept provided by SAP NetWeaver. Therefore, the recommendations and guidelines for authorizations as described in the SAP NetWeaver AS Security Guide ABAP and SAP NetWeaver AS Security Guide Java apply to SAP NetWeaver Voice.

More information: SAP NetWeaver Application Server ABAP Security Guide, SAP NetWeaver Application Server Java Security Guide,

Access to business functionality on back-end requires proper authorization. The SAP NetWeaver authorization concept is based on assigning authorizations to users based on roles. For SAP back ends you must create ABAP Authorization Roles. The content of these roles depends on the business functionality that need to be executed over the voice-based application. If you are not sure on the authorizations that you need, run the authorization trace with transaction ST01.

To maintain roles:

  • For ABAP technology, use the profile generator (transaction PFCG)

  • For Java, use the User Management Engine's user administration console

On all non-SAP back ends you must enforce the available authorization mechanisms.

Standard Roles

There are three roles that are recommended for using SAP NetWeaver Voice:

  • Voice application developer

    SAP does not provide voice-specific standard roles for developers. Voice developers require the same authorizations and permissions as developers of other NetWeaver applications. Voice developers use the SAP NetWeaver Application Server (AS) and back-end systems, which the voice application must access at runtime.

  • End user of a voice application

    End user is a user of the voice application and access the application using a telephone. SAP does not provide standard roles for end users of SAP NetWeaver Voice.

  • Runtime Service of NetWeaver Voice

    The Voice Data Runtime accesses back-end systems on behalf of voice applications. As such, it needs to have access to destinations or Web services that have been configured in the J2EE engine through the NetWeaver Administrator. For certain services, the Voice Data Runtime demands the service user voice_rt_service to access these objects. The user voice_rt_service is assigned the administrator role by default, but you can override this manually using the User Management Engine's user administration console.

Combinations of Authorizations

  • Developers

    Combinations of authorizations can be granted inadvertently especially for conjunctions of development and debugging rights. Since the authorizations are application-specific, you need to consult your auditing department on the potentials of authorization combinations. However, if your voice developers are limited to developing in development systems, it is unlikely that they can get more rights.

    Recommendation Recommendation

    We strongly recommend that you do not grant development and debugging authorizations to your voice developers on productive systems. In addition, ensure that your voice developers do not violate any corporate segregation-of-duties policies.

    End of the recommendation.

  • End Users

    Combinations of authorizations to the end-users of your voice applications can also be an issue.

    Recommendation Recommendation

    Review the voice-based access with your auditing department and confirm that end-users of your voice-based applications do not violate company-specific segregation-of-duties policies.

    End of the recommendation.