-
Products and Technology
By Category
-
Groups
Activity Groups
Industry Groups
Influence and Feedback Groups
Interest Groups
Location Groups
Customer Only Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
Products
Learning and Support
-
- Products and Technology
- Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
- Explore SAP
-
Products
- Products
- SAP Business Suite
- Artificial Intelligence
- Business applications
- Data and analytics
- Technology Platform
- Financial Management
- Spend Management
- Supply Chain Management
- Human Capital Management
- Customer Experience
- SAP Business Network
- View products A-Z
- View industries
- Try SAP
- Partners
- Services
- Learning and Support
- About
- SAP Community
- Groups
- Interest Groups
- Application Development and Automation
- Discussions
- Security about BAPI's - user access
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Security about BAPI's - user access
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2009 Feb 18 6:15 PM
- SAP Managed Tags
- ABAP Development
Hi,
We just finished to develop a few BAPI´s in order to access it using a Java Program.
We mark BAPI´s as remote enabled module and we think that we should use a internet user to access the BAPI's.
My question is: how can i certified that that user only access to the BAPI´s i create. I revised the java code and anyone can use that code to access to another BAPI.
Can you tell me some comments about this issue?
Best Regards
João Fernandes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2009 Feb 19 1:32 AM
- SAP Managed Tags
- ABAP Development
Hi,
I assume that you use JCo to call BAPI from your Java program. JCo uses RFC for this purpose. Hence you have all possibilities of RFC to secure it. You can create a new user for this RFC. This user will have only access to your BAPI (authorization object S_RFC). YOu can get additional information about securing RFC [here.|http://help.sap.com/saphelp_nw04s/helpdata/en/37/1a9b6a338cca448508f3a48d2d1e2d/frameset.htm]
Cheers
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2009 Feb 18 10:10 PM
- SAP Managed Tags
- ABAP Development
According to the BAPI development guidelines, it is developer's responsibility to add the authority check.
Each BAPI must have all the applicable authorization checks coded inside, so that even if anyone runs the BAPI, they won't be able to get far if they don't have authorization for the business transactions. Naturally, the remote user IDs should have adequate (usually minimum and display-only) authorizations in SAP.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2009 Feb 19 1:32 AM
- SAP Managed Tags
- ABAP Development
Hi,
I assume that you use JCo to call BAPI from your Java program. JCo uses RFC for this purpose. Hence you have all possibilities of RFC to secure it. You can create a new user for this RFC. This user will have only access to your BAPI (authorization object S_RFC). YOu can get additional information about securing RFC [here.|http://help.sap.com/saphelp_nw04s/helpdata/en/37/1a9b6a338cca448508f3a48d2d1e2d/frameset.htm]
Cheers
Bluesky