SAP PO Interface Authorization Management: Access Control Using Assigned Users

Access Control Using Assigned Users

Use

For a sender communication component of type Business Component or Business System, you can now restrict access to the runtime environment to particular (service) users. An authorization check is run at runtime to ensure that messages that have the particular communication component entered as the sender in the message header can only be executed on the Integration Server or in the Advanced Adapter Engine by the specified users.

You specify the access control when you configure the corresponding (sender) Communication Component in the Integration Directory.

In addition, you can restrict the access control to a particular interface of the sender. You specify the authorized users for this in the configuration of the sender agreement involved (for dual usage type message processing) or the integrated configuration (for message processing using the Advanced Adapter Engine) which contains the interface in the object key.

This function is intended specifically for configuring B2B scenarios. In this way, you agree on a special user with an external business partner for communication using SAP Process Integration. Assign this user to all communication components that the external partner uses to send messages to your Integration Server. The external business partner must include this user when configuring their receiver channels (or when configuring their HTTP destinations).

Note

This function is supported by the following (sender) adapters:

  • XI adapter

  • HTTP adapter (Integration Engine)

  • HTTP adapter (Advanced Adapter Engine)

  • RFC adapter (This involves the user that is used for the RFC, which is generally the user used to log on to the SAP system.)

  • IDoc adapter (Integration Engine)

  • IDoc adapter (Advanced Adapter Engine)

  • SOAP adapter

  • RNIF (RNIF Adapter 1.1 and RNIF Adapter 2.0)

  • CIDX

  • SAP Business Connector adapter

  • Marketplace adapter

Caution

If you use adapters from third-party vendors, refer to the relevant documentation for the adapters to check whether this function is supported.

Activities

Assigning Users to a Communication Component

To assign authorized users, in the editor Edit Communication Component, select the Assigned Users tab page. Add a new row for the user and enter the user name manually.

The user names are always treated as case-sensitive by the runtime components involved and are therefore always saved as capital letters.

Caution

If no users are specified, there are no access restrictions for this communication component.

Assigning Users to a Sender Agreement

To specify authorized users for a particular interface of the sender, in the editor Edit Sender Agreement, choose the Assigned Users tab page and insert the users line by line.

Caution

Note that the users specified for the sender agreement must match those assigned for the communication component, or must at least be a subset of these.

For some adapter types, it is not absolutely necessary to configure a sender agreement (see Sender Agreement) unless you want to make additional security settings. If you want to make access to the runtime environment dependent on the sender interface, you must define a separate sender agreement that contains the list of authorized users.

Example

A business-to-business process involves a travel agency and the airline Lufthansa. Both business partners agree that the runtime environment of the travel agency will only process messages from Lufthansa when they are sent by using the user PI_WEL.

To achieve this, the integration expert who performs the configuration at the travel agency enters the user PI_WEL for all sender components of the partner Lufthansa.

How to restrict the access control to a particular interface by particular users

The integration expert at Lufthansa must then ensure that all messages that are sent to the travel agency are sent by using the user PI_WEL. The integration expert usually makes this setting in the configuration of the receiver channels that are responsible for the outbound processing of the messages destined for the travel agency.

At runtime, a check is then performed at the travel agency to ensure that all messages for which Lufthansa sender components are entered in the message header were sent by using the user PI_WEL. The user entered (for the corresponding communication component) is compared with the user with which the message arrives. The runtime of the travel agency will only process the message without errors if both users are identical.
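The rules from the Activities section and the runtime comparison in this example can be modelled offline to review a configuration. The following Python code is an added example, not SAP code and not part of the original page; the component and interface names are constructed, and both the exact-match comparison of the arriving user and the rule that component-level and agreement-level lists must each pass are assumptions of this model.

```python
from dataclasses import dataclass, field


@dataclass
class SenderComponent:
    name: str
    assigned_users: set = field(default_factory=set)     # "Assigned Users" tab of the component
    agreement_users: dict = field(default_factory=dict)  # interface -> users of the sender agreement

    def __post_init__(self):
        # The page states that user names are always saved as capital letters.
        self.assigned_users = {u.upper() for u in self.assigned_users}
        self.agreement_users = {i: {u.upper() for u in us}
                                for i, us in self.agreement_users.items()}


def audit(components):
    """Return (component, finding) pairs for the two cautions on the page."""
    findings = []
    for c in components:
        if not c.assigned_users:
            # Caution: no users specified means no access restriction at all.
            findings.append((c.name, "UNRESTRICTED: no assigned users on component"))
        for iface, users in c.agreement_users.items():
            extra = users - c.assigned_users
            if extra:
                # Caution: agreement users must match or be a subset of component users.
                findings.append((c.name, f"NOT_SUBSET: {iface} lists {sorted(extra)}"))
    return findings


def is_authorized(component, interface, arriving_user):
    """Model of the runtime check: configured user vs. user the message arrives with."""
    if component.assigned_users and arriving_user not in component.assigned_users:
        return False
    iface_users = component.agreement_users.get(interface, set())
    if iface_users and arriving_user not in iface_users:
        return False
    return True  # also reached when nothing is configured (unrestricted)


# Constructed sample configuration for the partner in the page's example.
SAMPLE = [
    SenderComponent("LH_BOOKING", {"pi_wel"}, {"BookingOrder_Out": {"PI_WEL"}}),
    SenderComponent("LH_LEGACY"),
    SenderComponent("LH_STATUS", {"PI_WEL"}, {"Status_Out": {"PI_WEL", "PI_TEST"}}),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name, finding)
```

Running the audit over the sample flags LH_LEGACY as unrestricted and LH_STATUS for listing an agreement user that is not assigned to the component.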

More Information

For more information, see SAP Note 852237.
