Regd. Use of Communication /Service user

Former Member
0 Kudos

Hi All,

I have a web service to Proxy scenario and have created a user of type communication data.

The roles assigned are:

SAP_XI_APPL_SERV_USER

SAP_XI_IS_SERV_USER

Q> With this user I am able to open/create/edit objects in IR and ID using the URL (i.e. http://host:port/dir/start/index.jsp). I know that dialog logon is prevented.

Is it a common issue? My concern is that when I share the WSDL URL, it will have the host and port. Anyone can add the trailing part and easily log on and change/delete the objects (worst case).

How to control this? Do I need to customize the user role? If yes, what is the exact customization required? Checked with the Basis team also. Tried removing Dev-related access, after which the SOAP posting itself was not happening.

Can anyone suggest the roles required?

If a communication user is supposed to access the IR and ID, then how can I control the access? Do I need to handle it at network level? If yes, please put in your thoughts on the same.

Regards,

Srinivas

Accepted Solutions (0)

Answers (2)

former_member200962
Active Contributor
0 Kudos

Create the user with the required role and then restrict access for this user in IR/ID ... can be a workaround ... you can take help from [Michal's blog|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/1721] [original link is broken], if no direct method works.

If you are on SAP PI 7.11 then you can define a User Profile and assign it to the user ... thereby he won't be able to view other objects (in ESR).

Regards,

Abhishek.

Former Member
0 Kudos

Hi Abhishek,

I have created the user profile and selected the user profile for the user I want to restrict.

I am able to do that, but when the user logs in he is able to set the user profile back to unrestricted. How to prevent that access to change the user profile? Tried creating user role and all.

Regards,

Srinivas

Edited by: Srinivas on Sep 26, 2010 12:12 AM

prateek
Active Contributor
0 Kudos

First, only SAP_XI_APPL_SERV_USER is required for sending a SOAP request to PI. So do not add extra roles. The other role SAP_XI_IS_SERV_USER could be provided to another user to be used at the receiver-side channel.

> I know that dialog logon is prevented.

Yes, and therefore ABAP engine access won't be possible.

> my concern is when i share the wsdl URL , it will have the host and port.Anyone can put the trailing part and easily logon and change/delete the objects (WorstCase)

If the person is trying to access the URL from outside your organization's network, this won't be accessible unless firewall ports are opened. If it is from within the organization's network, then it should be called a breach in Information Security.

Regards,

Prateek