on 11-21-2012 4:00 PM
Hi All,
I have a few queries about authenticating an SUP user against SAP.
a) I use Basic HTTP authentication to authenticate the user against the SAP System. I use the URL
http://SAPSERVER.DEV.COM:8000/sap/bc/ping?sap-client=200 .
Is this a right approach to authenticate the user?
b) When we create the connection to SAP, we create it using the RFC user. After the application is deployed and a user logs in from his mobile application, I can still see that the BAPI (GET_PO_DETAIL) is getting executed with the RFC username, not under the context of the named user who logs into the mobile device. Does that mean any connection from SUP to SAP will be executed under the context of the RFC user?
c) If my WF application is server-initiated, then whenever a DCN updates the SUP, how does the authentication happen? Do we have to challenge for credentials again, or can we reuse the values provided by the user during the application's initial login? How should we finalize the approach?
d) If I authenticate with method (a) and there is a passcode change or user termination on the SAP side, will that be intimated to the application?
Please assume that in our environment we have SAP with Gateway support and SUP running with 2.1.3. We don't have SSO in our landscape.
Thanks
-Arun
a) Basic Authentication is a minimal authentication scheme in general, but it depends on your IT policy.
b) If you are using automatic registration or on-boarding, then the SUP user and the Gateway user will be the same. So I don't see this happening.
c) There is no DCN in this case. You need to use SUP Push, which requires authentication for the backend. You can refer to the documentation on the user roles which are required to push to SUP. It can be Basic Authentication or certificates.
d) If your Basic Authentication password changes, the application code will have to manage that. After the password change, the next call will fail with an authentication error.
Regards,
Nipun
Hi Nipun,
Thanks for the quick update. For points a, c and d I'm good. Let me elaborate further on question (b).
Let us assume that we have one named user (XYZ1) and one RFC user (RFCUSER1). My question is this: when we create a connection profile, we create it using the RFC user (service account), and when we access the application from the mobile device we use the named user (XYZ1). Let us assume that a user searches for the PO information from his mobile device (using the BAPI GET_PO_DETAIL). Will that BAPI get executed under the RFC user, or will it get executed under the named user?
Hi Jitendra,
So my understanding is as follows.
a) I need the RFC user with the full access role (SAP_ALL); only then would I be able to execute the BAPI operations.
b) I need to modify each and every RFC in such a way that it accepts the named user and passcode as input and validates them before the RFC is executed. If that customization is not done, then the BAPI would get executed only under the context of the RFC user.
Please correct me if my understanding is wrong.
Thanks
-Arun
ps: Thanks for quick reply. My knowledge on SAP is very limited so please excuse if the questions are very basic.
Hi Arun,
Check with any functional (ABAPer) in your team about your access role to access any BAPI.
I guess they don't provide the full access role (SAP_ALL).
I have a role (given by default) to access the BAPIs ... I never found a situation where I had to modify the RFC.
I couldn't understand your 2nd point.
Regards,
Jitendra
Hi Jitendra,
The question revolves around the statement
"that BAPI will get executed under RFC user only."
Consider the BAPI "BAPI_PO_CREATE1". There is a structure named "POHEADER". This structure has an attribute "CREATED_BY". Would this be the attribute that accepts the named user's ID and keeps track of the end user who creates this record, or would the system by default create a record with the RFC user's ID?
Thanks
-Arun
ps: Once again thanks for quick reply.