This requirement stems from a customer that asked how to publish an OData V4 service in an SAP S/4HANA on premise system such that it could be used on a public web site without the need to provide any authentication.
With OData V2 this requirement can be achieved more easily, since every service has its own SICF node where credentials can be stored just for that service.
In OData V4 we have only one SICF node, namely /sap/opu/odata4/.
This is obviously a problem since there is no service specific node available in SICF.
The approach described in this blog post works only for read-only services.
The OData V4 runtime does not support requests that require a CSRF token and that use hard-coded credentials. This is also true for $batch requests.
The problem can be solved using the following approach.
As we can see, accessing the service zrap630ui_shop_o4_05a via the alias zodatav4_2 works.
Whereas accessing a second OData V4 service zrap630ui_shop_o4_05b via the alias zodatav4_2 does NOT work.
This has been achieved by assigning the following role to the technical user. The role only contains the authorization to start the first service, based on the authorization object S_START.
Please note:
Since OData V4 services use the authorization object S_START, which is based on the service name, it would for example be possible to publish several services that are in the same name range like
zrap630ui_shop_o4_05A, zrap630ui_shop_o4_05B, ... zrap630ui_shop_o4_05Z,
Using PFCG and the role template /IWBEP/RT_MGW_USR we create a role, as shown in the screenshot above, that only contains the S_START authorization of one OData V4 service called ZRAP630UI_SHOP_O4_05A.
As a user we create a technical user whose credentials will be stored in the system alias.
1. We start by right-clicking on the node opu and choosing New subelement.
2. We create a new service element called ZODATAV4_2 and choose the option Alias to an existing service.
3. We choose the tab Target and select the node OdataV4 by double-clicking on it.
4. We navigate to the tab Logon Data, choose Alternative Logon Procedure and enter the credentials of our service user.
5. We navigate down and remove all logon procedures except Logon using service data.
6. Do not forget to activate the link in SICF.
7. Check the result.
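One way to automate step 7 is shown below as an added example; it is not code from the original post or from SAP. It sends unauthenticated GET requests through the alias and reports any service that is reachable but was not meant to be public, or the reverse. The host name, the `PLACEHOLDER` path segments and the helper names are assumptions to be replaced with the values of your own system.

```python
import urllib.error
import urllib.request

ALIAS_ROOT = "/sap/opu/zodatav4_2"  # alias created under node opu in step 2

# Constructed placeholders: replace each value with the part of the real
# service URL that follows /sap/opu/odata4.
SAMPLE_PATHS = {
    "zrap630ui_shop_o4_05a": "/PLACEHOLDER/zrap630ui_shop_o4_05a/",
    "zrap630ui_shop_o4_05b": "/PLACEHOLDER/zrap630ui_shop_o4_05b/",
}
PUBLIC = {"zrap630ui_shop_o4_05a"}  # the only service the role should allow


def http_status(url, timeout=10):
    """Status of a GET sent without Authorization header or cookies."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 arrive as exceptions


def check_alias(host, paths, public, fetch=http_status):
    """Return (service, status, problem) for every deviation from the plan."""
    findings = []
    for name, path in sorted(paths.items()):
        status = fetch(host + ALIAS_ROOT + path)
        reachable = 200 <= status < 300
        if name in public and not reachable:
            findings.append((name, status, "public service not reachable"))
        elif name not in public and reachable:
            findings.append((name, status, "exposed without authentication"))
    return findings


if __name__ == "__main__":
    # Constructed stand-in for the network so the example runs offline:
    # it simulates a role that is too broad and also lets 05b start.
    def too_broad(url):
        return 200

    for finding in check_alias("https://s4.example.com", SAMPLE_PATHS,
                               PUBLIC, too_broad):
        print(finding)
```

Calling `check_alias` without the `fetch` argument performs real requests against the given host. Include in `paths` every service that shares the name range of the public one, so that an S_START value that is too broad shows up as a finding.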