Managing Impersonations
To prevent unauthorized access to security-sensitive data, you can configure impersonation settings for callable objects that access this data, so that only predefined users can execute them.

For example, you use a callable object to read data about an employee's salary in the back-end system. This data should be available only to the employee's manager. For that reason, you can define impersonation settings for the callable object to determine that only the employee's manager can execute this object. If at initiation another person is assigned to the role for this process step, the execution fails.
You can define impersonation settings and configure a list of users who are allowed to execute the callable object from the Administration workset under Impersonation Manager. At runtime, only users from this list can execute the callable object.

This feature is currently available for External Service, Web Service, and Java Background Execution callable objects only.
To be able to use the Impersonation Manager, you need security administrator rights (GP Security Administrator).
More information: Setting Up Portal Roles
1. Browse to select an existing callable object.

Only callable objects of type External Service, Web Service and Background Execution are shown in the gallery.
2. Choose Open.
The impersonation settings including the callable object name, type and status are displayed.
1. Enable the Impersonation indicator.
If the impersonation option is selected, only users with security administrator rights can activate the callable object.

If the status of the callable object is active, you cannot choose the Impersonation option. You can change the status of the object in the GP design time.
2. To define principals for impersonation, choose Add.
The user picker is displayed in the right-hand part of the screen. Use the Find function to search for the required user. To add the user, select it and choose Add. Repeat the procedure for all users that you want to add.
3. Choose Save or Activate, depending on the callable object status.

If the Impersonation option is chosen and the status of the callable object is inactive, you cannot activate the callable object unless you define principals for impersonation.
You have defined impersonation settings for a callable object.
Now you can create a process that includes a step that executes the callable object.
During the initiation of the process, only users included in the callable object’s impersonation list can execute this step.
You have to create an impersonation list for a callable object with defined impersonation settings in the following cases:
· If you make an inactive version of the callable object, for example, if you copy it or open it to edit it
· Before you can release a callable object after a transport request. For more information about how to release imported objects, see Postprocessing Imported Objects.
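
The rules above interact (status, the Impersonation indicator, the principal list, and who may activate), so the following added example models them as a small state check. It is not SAP code or an SAP API: the class, method, and sample names are hypothetical, and treating an inactive object as non-executable is an assumption.

```python
from dataclasses import dataclass, field

# Callable object types the page lists as shown in the Impersonation Manager.
SUPPORTED_TYPES = {"External Service", "Web Service", "Background Execution"}

class ImpersonationError(Exception):
    """A rule described on the page was violated."""

@dataclass
class CallableObject:  # hypothetical model, not an SAP class
    name: str
    type: str
    active: bool = False
    impersonation: bool = False
    principals: set = field(default_factory=set)

    def set_impersonation(self, enabled):
        if self.type not in SUPPORTED_TYPES:
            raise ImpersonationError("type does not support impersonation")
        if self.active:  # the status must be changed in design time first
            raise ImpersonationError("cannot change the option on an active object")
        self.impersonation = enabled

    def add_principal(self, user):
        self.principals.add(user)

    def activate(self, actor_is_security_admin):
        if self.impersonation and not actor_is_security_admin:
            raise ImpersonationError("security administrator rights required")
        if self.impersonation and not self.principals:
            raise ImpersonationError("define principals before activating")
        self.active = True

    def can_execute(self, user):
        if not self.active:  # assumption: inactive objects are never executed
            return False
        return not self.impersonation or user in self.principals

    def copy(self, new_name):
        # A copy is an inactive version; its impersonation list must be created again.
        return CallableObject(new_name, self.type, impersonation=self.impersonation)

if __name__ == "__main__":
    obj = CallableObject("ReadSalary", "Web Service")  # constructed sample object
    obj.set_impersonation(True)
    obj.add_principal("manager")
    obj.activate(actor_is_security_admin=True)
    print(obj.can_execute("manager"), obj.can_execute("colleague"))
```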