
SUP SAP Authentication.

Former Member
0 Kudos

Hi All,

I have a few queries about authenticating an SUP user against SAP.

a)    I use Basic HTTP authentication to authenticate the user against the SAP System. I use the URL

http://SAPSERVER.DEV.COM:8000/sap/bc/ping?sap-client=200 .

Is this the right approach to authenticate the user?

b) When we create the connection to SAP, we create it using the RFC user. After the application is deployed and a user logs in from his mobile application, I can still see that the BAPI (GET_PO_DETAIL) is executed with the RFC username, not under the context of the named user who logs into the mobile device. Does that mean any connection from SUP to SAP will be executed under the context of the RFC user?

c)    If my WF application is server-initiated, then whenever a DCN updates SUP, how does the authentication happen? Do we have to challenge for credentials again, or can we reuse the values provided by the user during the application's initial login? How should we finalize the approach?

d)    If I authenticate with method (a) and there is a passcode change or user termination on the SAP side, will that be intimated to the application?

Please assume that in our environment we have SAP with Gateway support and SUP running with 2.1.3. We don't have SSO in our landscape.

Thanks

-Arun

Accepted Solutions (1)

former_member206242
Active Participant
0 Kudos

a) Basic Authentication is a minimal authentication scheme in general, but it depends on your IT policy.

b) If you are using automatic registration or on-boarding, then the SUP user and the Gateway user will be the same. So I don't see this happening.

c) There is no DCN in this case. You need to use SUP Push, which requires authentication for the backend. You can refer to the documentation on the user roles which are required to push to SUP. It can be Basic Authentication or certificates.

d) If your Basic Authentication password changes, the application code will have to manage that. After the password change, the next call will fail with an authentication error.

Regards,

Nipun
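
As an added illustration of points (a) and (d) in the answer above (not code from the thread or from SAP): a client-side check that sends Basic credentials to the ping URL from the question and treats a 401 as the signal to discard the cached password and prompt again. The local stub server, its 200/401 behaviour, the `check_credentials` name and the sample passwords are assumptions made for the demo; because Basic credentials are only base64-encoded, a real deployment would point `base_url` at an `https://` endpoint.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"XYZ1": "initial-pass"}  # constructed stand-in for the backend user store

class PingStub(BaseHTTPRequestHandler):
    """Assumed behaviour of the ping service: 200 if Basic credentials match, else 401."""
    def do_GET(self):
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        try:
            user, _, pw = base64.b64decode(token).decode().partition(":")
        except ValueError:
            user, pw = "", ""
        ok = scheme == "Basic" and user in USERS and USERS[user] == pw
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def check_credentials(base_url, client, user, password):
    """Return 'ok', 'reauth' (401: discard cached password, prompt again) or 'error'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/sap/bc/ping?sap-client={client}",
                                 headers={"Authorization": f"Basic {token}"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return "ok" if resp.status == 200 else "error"
    except urllib.error.HTTPError as exc:
        return "reauth" if exc.code == 401 else "error"
    except urllib.error.URLError:
        return "error"

def demo():
    USERS["XYZ1"] = "initial-pass"  # reset the constructed store
    server = HTTPServer(("127.0.0.1", 0), PingStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}"
    before = check_credentials(url, "200", "XYZ1", "initial-pass")
    USERS["XYZ1"] = "changed-in-backend"  # password changed on the SAP side
    after = check_credentials(url, "200", "XYZ1", "initial-pass")
    server.shutdown()
    server.server_close()
    return before, after
```

Calling `demo()` returns the result of the check before and after the simulated backend password change.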

Former Member
0 Kudos

Hi Nipun,

Thanks for the quick update. For points a, c and d I'm good. Let me elaborate further on question (b).

Let us assume that we have one named user (XYZ1) and one RFC user (RFCUSER1). My question is this: when we create a connection profile, we create it using the RFC user (service account), and when we access the application from mobile we use the named user (XYZ1). Let us assume that a user searches from his mobile device for the PO information (using the BAPI GET_PO_DETAIL): will that BAPI get executed under the RFC user, or will it get executed under the named user?

Jitendra_Kansal
Product and Topic Expert
0 Kudos

Hi Arun,

That BAPI will get executed under the RFC user only.

Because the role of the XYZ1 user is to connect your device to the SUP server only.

Regards,

Jitendra

Former Member
0 Kudos

Hi Jitendra,

So my understanding is as follows.

a) I need the RFC user with the full access role (SAP_ALL); only then would I be able to execute the BAPI operations.

b) I need to modify each and every RFC in such a way that it accepts the named user and passcode as input and validates them before the RFC is executed. If that customization is not done, then the BAPI would get executed only under the context of the RFC user.

Please correct me if my understanding is wrong.

Thanks

-Arun

PS: Thanks for the quick reply. My knowledge of SAP is very limited, so please excuse me if the questions are very basic.

Jitendra_Kansal
Product and Topic Expert
0 Kudos

Hi Arun,

Check with any functional (ABAPer) in your team about your access role to access any BAPI.

I guess they don't provide the full access role (SAP_ALL).

I have a role (given by default) to access the BAPIs ... I never found a situation where I had to modify the RFC.

I couldn't understand your 2nd point.

Regards,

Jitendra

Former Member
0 Kudos

Hi Jitendra,

The question revolves around the statement

"That BAPI will get executed under the RFC user only."

If we consider the BAPI "BAPI_PO_CREATE1", there is a structure named "POHEADER". This structure has an attribute "CREATED_BY". Would this be the attribute that accepts the named user's ID, which keeps track of the end user who creates this record, or would the system by default create a record under the RFC user's ID?

Thanks

-Arun

PS: Once again, thanks for the quick reply.

former_member206242
Active Participant
0 Kudos

The BAPI is executed in the context of the RFC user.

If you are using Gateway, you can use the same user across, and in turn the same GW user can be used from the mobile application.

It is not always necessary that the mobile user and the backend user are different. They can be maintained as the same.

Regards,

Nipun

Jitendra_Kansal
Product and Topic Expert
0 Kudos

Hi Arun,

As per my understanding,

CREATED_BY would be the same as the SAP logon ID (the same ID with which the person has logged on to access that BAPI).

Regards,

Jitendra

Answers (0)