https://community.sap.com/t5/application-development-and-automation-discussions/security-about-bapi-s-user-access/m-p/5245637#M1212059 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We just finished to develop a few BAPI´s in order to access it using a Java Program.</P><P></P><P>We mark BAPI´s as remote enabled module and we think that we should use a internet user to access the BAPI's.</P><P></P><P>My question is: how can i certified that that user only access to the BAPI´s i create. I revised the java code and anyone can use that code to access to another BAPI.</P><P></P><P>Can you tell me some comments about this issue?</P><P></P><P> Best Regards</P><P></P><P> João Fernandes</P><P></P></BODY></HTML> Wed, 18 Feb 2009 18:15:52 GMT Former Member 2009-02-18T18:15:52Z https://community.sap.com/t5/application-development-and-automation-discussions/security-about-bapi-s-user-access/m-p/5245637#M1212059 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We just finished to develop a few BAPI´s in order to access it using a Java Program.</P><P></P><P>We mark BAPI´s as remote enabled module and we think that we should use a internet user to access the BAPI's.</P><P></P><P>My question is: how can i certified that that user only access to the BAPI´s i create. I revised the java code and anyone can use that code to access to another BAPI.</P><P></P><P>Can you tell me some comments about this issue?</P><P></P><P> Best Regards</P><P></P><P> João Fernandes</P><P></P></BODY></HTML> Wed, 18 Feb 2009 18:15:52 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-about-bapi-s-user-access/m-p/5245637#M1212059 Former Member 2009-02-18T18:15:52Z https://community.sap.com/t5/application-development-and-automation-discussions/security-about-bapi-s-user-access/m-p/5245638#M1212060 <HTML><HEAD></HEAD><BODY><P>According to the BAPI development guidelines, it is developer's responsibility to add the authority check.</P><P></P><P>Each BAPI must have all the applicable authorization checks coded inside, so that even if anyone runs the BAPI, they won't be able to get far if they don't have authorization for the business transactions. Naturally, the remote user IDs should have adequate (usually minimum and display-only) authorizations in SAP.</P></BODY></HTML> Wed, 18 Feb 2009 22:10:58 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-about-bapi-s-user-access/m-p/5245638#M1212060 Jelena_Perfiljeva 2009-02-18T22:10:58Z https://community.sap.com/t5/application-development-and-automation-discussions/security-about-bapi-s-user-access/m-p/5245639#M1212061 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I assume that you use JCo to call BAPI from your Java program. JCo uses RFC for this purpose. Hence you have all possibilities of RFC to secure it. You can create a new user for this RFC. This user will have only access to your BAPI (authorization object S_RFC). YOu can get additional information about securing RFC [here.|http://help.sap.com/saphelp_nw04s/helpdata/en/37/1a9b6a338cca448508f3a48d2d1e2d/frameset.htm]</P><P></P><P>Cheers</P></BODY></HTML> Thu, 19 Feb 2009 01:32:43 GMT https://community.sap.com/t5/application-development-and-automation-discussions/security-about-bapi-s-user-access/m-p/5245639#M1212061 mvoros 2009-02-19T01:32:43Z