cancel
Showing results for 
Search instead for 
Did you mean: 

How to restrict external B2B user to run SAP PO A2A internal interfaces?

RafaelVieira
Active Participant
0 Kudos
234

Dear SAP experts,

In our SAP PO (7.5), some new B2B integrations are needed. The scenarios will be synchronous calls External WS (SOAP) --> SAP PO --> SAP

We're evaluating having a site2site VPN with the partner so that once authenticated they can call our SAP PO through regular SOAP calls.

However, we're concerned this could be a security issue as, once authentication, they could call any other SAP PO soap interface just by using the interface URL. I know that we can use Assigned Users in the Business System to restrict that interface to only be used by a specific service ID (the same can be done at interface level, in the ICo). But this doesn't help with the security vulnerability, since the other interfaces won't have any restriction in their Assigned Users tab, so that ID can still run other A2A interfaces once authenticated through the VPN.

The only alternative would be adding all possible user IDs to all other interfaces, so that this specific ID wouldn't be allowed to run any other interface - that's not acceptable for us due to the huge number o existing interfaces. SAP confirmed in OSS that this is the only way to use Assigned Users feature.

Can we enhance the ACL (Access Control List, the component where the Assigned Users are stored) so that it not only works as a white-list, but mainly as a blacklist?

Has anyone any suggestion on how to overcome this (imho, very basic) security issue?

I've read these help content/SAP notes, which only confirms what I just stated:

- https://help.sap.com/viewer/d0a0a7cb51dc40529bfcac724dd05796/7.5.10/en-US/48cea362e206035be10000000a...

- 852237 - Extended authorization concept of the XI runtime

Thanks!

former_member608139
Active Participant
0 Kudos

You can restric the acces for a pre-defined user insed the respective user tab in your Integrated Configuration, inside this tab you can insert only the users authorized to use this interface.

Accepted Solutions (0)

Answers (2)

Answers (2)

arrezende
Active Participant

Maybe a possible solution for your problem is the non-central Advanced Adapter Engines (non-central AAEs) installed in a DMZ.

Their B2B interfaces would have the communication channel running on the external adapter, which would be in a DMZ, isolating their B2B partners from the other interfaces.

arrezende
Active Participant
0 Kudos

Just complemented, you can use the web dispatcher, which for your case will have a functioning similar to what I mentioned above.

RafaelVieira
Active Participant
0 Kudos

Thanks for your suggestion... that would help, indeed. I will investigate more on this - would you have more info about how I could have a second non-central AAE in the DMZ?

Wouldn't a web dispatcher work better in that case as it's url filtering capability?

I was more interested in a solution within the app layer, but if that's not achievable within app layer, I'll start evaluating other alternatives.

arrezende
Active Participant
0 Kudos

In your case, the non-central Advanced Adapter Engines would really make more sense.

I found the link below that explained a little better about it, see if it makes any sense for your scenario:

ttps://help.sap.com/doc/saphelp_me151/15.1.3VERSIONFORSAPME/en-US/48/d11280b4073254e10000000a42189b/content.htm?no_cache=true

former_member608139
Active Participant
0 Kudos

You can restric the acces for a pre-defined user insed the respective user tab in your Integrated Configuration, inside this tab you can insert only the users authorized to use this interface.

RafaelVieira
Active Participant
0 Kudos

thanks for your inputs, Carlos but this doesn't prevent user from running other a2a interfaces as mentioned in the thread description.

former_member608139
Active Participant
0 Kudos

You will need do this for each ICO, this is the only way to execute what you want