
User audit trail in a SOA scenario

Former Member
0 Kudos

Hi All,

In a SOA scenario, a composite application calls many web services, which in turn make asynchronous JMS calls to backend applications. How can you audit the user trail? That is, for all the backend transactions touched by this SOA scenario, can you tell who was responsible for changing the data?

To illustrate the issue:

In the typical SOA scenario, we have a web application running in a portal, and the logged-on portal user is accessing this web application. The web application is calling web services using the logged-on user's credentials. The web services send an asynchronous message through a message-oriented middleware solution using a service user. This asynchronous message triggers a BAPI in R/3 using this service user. In the logging of the BAPI call in R/3, the BAPI is called by the service user and not the portal user ID.

Can somebody point me to articles regarding this topic or best practices?

regards,

Richard

Accepted Solutions (0)

Answers (2)

jabella
Employee
0 Kudos

Richard,

The answer to your problem is implementing a protocol called SAML. This protocol will create a token carrying the user ID and will be used to authenticate and propagate the real user executing the transaction.

Regards, Jose.

Former Member
0 Kudos

Hi Richard

Please have a look at the links below; you may get some help.

http://help.sap.com/saphelp_erp2004/helpdata/en/8a/a8b5386f64b555e10000009b38f8cf/frameset.htm

/message/1067519#1067519 [original link is broken]

Regards

Abhishek

Former Member
0 Kudos

Thanks Abhishek,

The first link was helpful but actually underlines the problem that I have. The second link has no relevance to the problem.

But if we zoom in on the first link: http://help.sap.com/saphelp_erp2004/helpdata/en/cb/b0ceb823984a62bf017a42179af99a/frameset.htm

This is about security on the JMS service.

So the question remains: how do you deal with an audit trail if the user calling the web services is different from the service user calling the BAPI?

regards,

Richard
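
One way to keep the originating user in the audit trail across the asynchronous hop discussed in this thread, as an added example that is not part of the original posts: the web-service tier attaches the portal user to the queued message under a MAC, and the backend adapter logs that user next to the service user. The HMAC with a shared key is a simplified stand-in for the signed SAML token suggested above; the key, header names, user IDs and the `action` field are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a key shared by the web-service tier and the backend adapter.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _identity_mac(end_user, body, key):
    """MAC over user AND payload, so the identity cannot be moved to another message."""
    canonical = json.dumps({"user": end_user, "body": body}, sort_keys=True)
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def build_message(body, end_user, key=SIGNING_KEY):
    """Web-service tier: attach the authenticated portal user to the queued message."""
    return {
        "headers": {"originating_user": end_user,
                    "identity_mac": _identity_mac(end_user, body, key)},
        "body": body,
    }


def verified_originator(message, key=SIGNING_KEY):
    """Backend adapter: return the originating user, or None if missing or tampered."""
    headers = message.get("headers") or {}
    user, mac = headers.get("originating_user"), headers.get("identity_mac")
    if not isinstance(user, str) or not isinstance(mac, str):
        return None
    expected = _identity_mac(user, message.get("body"), key)
    ok = hmac.compare_digest(expected.encode(), mac.encode())
    return user if ok else None


def consume(message, service_user, audit_log, key=SIGNING_KEY):
    """Log both identities; reject the backend call when no valid originator is present."""
    originator = verified_originator(message, key)
    body = message.get("body") or {}
    audit_log.append({
        "technical_user": service_user,    # who the backend session runs as
        "originating_user": originator,    # who actually triggered the change
        "action": body.get("action"),
        "accepted": originator is not None,
    })
    return originator is not None
```

The MAC binds the user to one payload but does not stop a whole message from being replayed; a message ID tracked by the consumer would be needed for that.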