
Function documentation: Access Control Using Assigned Users

Use

For sender services of type Business Service or Business System, you can restrict access to the runtime environment to particular (service) users. An authorization check is run at runtime to ensure that messages that name the service as the sender in the message header are only processed on the Integration Server or in the Adapter Engine if they were sent by one of the specified users.

You specify the access control when you configure the corresponding (sender) service in the Integration Directory.

In addition, you can narrow the access control to a particular interface of the sender. You specify the authorized users in the configuration of the relevant sender agreement, which contains the interface in its object key.

This function was designed specifically for configuring business-to-business processes. You and your external business partner agree on a dedicated user for communication by means of SAP Exchange Infrastructure. You assign this user to all services that the external business partner uses to send messages to your Integration Server. The external business partner must then use this user when configuring their receiver channels (or their HTTP destinations).

Note

This function is supported by the following (sender) adapters:

- XI adapter
- Plain HTTP adapter
- RFC adapter (this involves the user that is used for the RFC, which is generally the user used to log on to the SAP system)
- IDoc adapter
- SOAP adapter
- RNIF (RNIF Adapter 1.1 and RNIF Adapter 2.0)
- CIDX
- SAP Business Connector adapter
- Marketplace adapter

Caution

If you use adapters from third-party vendors, refer to the relevant documentation for the adapters to check whether this function is supported.

Activities

Assigning Users to a Service

To assign authorized users, in the editor Edit Service, choose the tab page Assigned Users. Insert a new line for the new user (Insert Line After Selection) and enter the user name manually.

The user names are case-insensitive for the runtime components (of SAP XI, SAP Web AS, and SAP NetWeaver) and are therefore always saved in uppercase.

Caution

If no users are specified, there are no access restrictions for this service.

Assigning Users to a Sender Agreement

To specify authorized users for a particular interface of the sender, in the editor Edit Sender Agreement, choose the Assigned Users tab page and insert the users line by line.

Caution

The users specified for the sender agreement must match those assigned to the service, or at least be a subset of them.

For some adapter types, it is not absolutely necessary to configure a sender agreement (see Sender Agreement) unless you want to make additional security settings. If you want to make access to the runtime environment dependent on the sender interface, you must define a separate sender agreement that contains the list of authorized users.

Example

A business-to-business process involves a travel agency and the airline Lufthansa. Both business partners agree that the runtime environment of the travel agency will only process messages from Lufthansa when they are sent by using the user USER_LH.

To achieve this, the integration expert who performs the configuration at the travel agency enters the user USER_LH for all services that are possible sender services of the partner Lufthansa.

The integration expert at Lufthansa must then ensure that all messages that are sent to the travel agency are sent by using the user USER_LH. The integration expert usually makes this setting in the configuration of the receiver channels that are responsible for the outbound processing of the messages destined for the travel agency.

At runtime, a check is then performed at the travel agency to ensure that all messages for which Lufthansa sender services are entered in the message header were sent by using the user USER_LH. This is done by comparing the user entered (in the relevant service object in the Integration Directory) with the user that was used to send the message. The runtime at the travel agency only processes the message without errors if the two users are identical.
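The comparison described in the Activities and Example sections, as an added Python model of the check (this is illustrative code, not SAP's implementation; service and interface names other than USER_LH are made up, and the rule that an empty sender-agreement user list adds no interface-specific restriction is an assumption):

```python
from dataclasses import dataclass, field

@dataclass
class SenderService:
    name: str
    assigned_users: set = field(default_factory=set)  # empty set = no restriction (see Caution)

@dataclass
class SenderAgreement:
    service: str
    interface: str
    assigned_users: set = field(default_factory=set)  # assumed: empty = no extra restriction

def normalize(user):
    return user.strip().upper()  # runtime compares case-insensitively, stores uppercase

def check_sender_user(message, services, agreements):
    """Runtime check: (allowed, reason) for a header naming sender service and interface."""
    svc = services.get(message["sender_service"])
    if svc is None:
        return False, "unknown sender service"
    user = normalize(message["user"])  # user the transport (HTTP, RFC, ...) authenticated
    svc_users = {normalize(u) for u in svc.assigned_users}
    if svc_users and user not in svc_users:
        return False, "user not assigned to sender service"
    for agr in agreements:  # interface-specific restriction from the sender agreement
        if agr.service == svc.name and agr.interface == message["interface"]:
            agr_users = {normalize(u) for u in agr.assigned_users}
            if agr_users and user not in agr_users:
                return False, "user not assigned to sender agreement"
    return True, "ok"

def validate_agreements(services, agreements):
    """Config check: agreement users must be a subset of the service's users."""
    problems = []
    for agr in agreements:
        svc = services.get(agr.service)
        svc_users = {normalize(u) for u in svc.assigned_users} if svc else set()
        extra = {normalize(u) for u in agr.assigned_users} - svc_users
        if svc_users and extra:
            problems.append((agr.service, agr.interface, sorted(extra)))
    return problems

# Constructed configuration modelled on the Lufthansa example (service/interface names are made up).
SERVICES = {"LH_BOOKING": SenderService("LH_BOOKING", {"USER_LH"}),
            "LH_PARTNER_PORTAL": SenderService("LH_PARTNER_PORTAL")}  # no users = unrestricted
AGREEMENTS = [SenderAgreement("LH_BOOKING", "FlightBooking_Out", {"user_lh"}),
              SenderAgreement("LH_BOOKING", "FlightCancel_Out", {"USER_OTHER"})]  # misconfigured
```

Running validate_agreements on the constructed configuration flags the second sender agreement, whose user is not among the users assigned to the service, which is exactly the mismatch the Caution above warns about.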

See also:

For more information, see SAP Note 852237.

For more information about communicating with the Integration Server, see Service Users for Message Exchange in SAP NetWeaver Process Integration Security Guide.

 
