Wednesday, September 23, 2009

Authorization For Web Services and Security

Standard Roles

SAP_BC_WEBSERVICE_SERVICE_USER

Role for background users of the Web service runtime

SAP_BC_WEBSERVICE_ADMIN_TEC

Role for technical administrator of Web services:

  • Monitoring sequences, messages, logging, tracing

  • Monitoring of payload for component SAP_BASIS

  • Administration of tracing and logging, RFC

  • Defining, executing Web Services

  • Administration of the Internet Communication Framework

  • Administration of the RFC destination

  • Administration of the Task Watcher and the Event Handler

SAP_BC_WEBSERVICE_ADMIN_BIZ

Role for the business administrator

SAP_BC_WEBSERVICE_CONSUMER

Web Service user

SAP_BC_WEBSERVICE_OBSERVER

User role for viewing all information on Web Services

SAP_BC_WEBSERVICE_DEBUGGER

With debugging authorization

SAP_BC_WEBSERVICE_ADMIN

Administration authorizations for Web services in AS ABAP (out of date, but still valid)

Assigning Authorizations to Users

To assign such authorizations for special Web services, proceed as follows:

1. In the role maintenance transaction (transaction PFCG), enter the name of a role, and then choose Change.

2. Under the Menu tab, choose Other.

3. Choose the radio button Authorization Defaults for Services.

4. Enter a name for the service. In the Type of Ext.Service field, choose the WS value. In the Service field, choose the required Web service.

5. Save your entry.

Tuesday, September 22, 2009

SOA Manager

You can use the SOA Manager to administer and configure service providers and consumer proxies for a local system.

Communication Between a Consumer Proxy and a Provider Proxy

Communication between the service consumer and the service is established between the consumer proxy’s logical port and the provider proxy’s endpoint. To access a particular service endpoint, a service consumer with a particular runtime configuration sends a call using a logical port.

The logical port of the service consumer contains a reference to the unique address (URL) of the service’s endpoint on the provider system. The logical port also contains the authorization needed to call the service methods.

Note: A logical port can send a call to only one service endpoint. However, a service endpoint can be called through more than one logical port.

Prerequisites

  • The service and proxy definitions that you want to configure are available as development objects in the back-end system.

  • You have Administrator authorization.

    For more information, see: Authorizations

Procedure

To set up the SOA Manager for local access, you do not need to perform any special steps.

To start the SOA Manager, use the transaction code SOAMANAGER.

Note: To work with the central SAP NetWeaver Administrator from within the SOA Manager, you first need to assign a host and a port:

  1. Go to the Technical Configuration tab.

  2. Choose System Global Settings.

    An overview of configuration information is displayed.

  3. Go to the Central WS Administration Access tab.

  4. Choose Edit / Display.

  5. Specify the host of the central NetWeaver Administrator and the HTTP port number used by the NetWeaver Administrator.

  6. Save.

SOAP Framework

Purpose

The SOAP Framework enables you to create and use Web services based on the SOAP protocol.


The development of the Web Service Framework has resulted in significant changes and enhancements being made to Web Services for ABAP between SAP Web AS Release 620 and Release 640. Since these enhancements could not be realized with the existing SOAP architecture, SOAP Runtime 620 was replaced by the SOAP Framework from Release 640.

If you used SOAP Runtime for Web services in 620, we recommend that you use the Web Service Framework to create these services again. This will enable you to implement the enhanced and easier to use functions available in the Web Service Framework.

Features

The following Web service functions have been added in Release 640:

· You can create Web services that are based on function modules, function module groups, BAPIs, and XI messages.

· You can generate a proxy for each Web service.

· You can use new authorizations to activate and administer Web services:

    · Role = SAP_BC_WEBSERVICE_ADMIN

· Each Web service is represented as a separate ICF service in the Internet Communication Framework, with the accompanying wide range of options (authorizations, logon checks, and so on).

· You can publish all Web services in a shared directory (UDDI).

· You can use transaction WSADMIN for the easy handling of all administration tasks for Web services.

Restrictions

The following constraints apply when you use SOAP Framework 640:

· The SOAP Actor concept is not supported. The receiver side always adopts the role of the ultimate receiver. This means that no intermediaries can be realized in the context of SOAP.

· The optional use of SOAP encoding (section 5.1 of the SOAP specification) is not available. Although the representation of data in the SOAP Runtime is very similar to SOAP encoding, some of the required points, such as support for array types, are missing.

· No attachments: The specification SOAP with Attachments for transporting SOAP calls that use MIME documents with attached binary elements (such as JPEG pictures) is not supported.

· Only HTTP transport: Only HTTP (and HTTPS) is available for SOAP transport binding. Other protocols, such as SMTP, are not supported.
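
The restrictions above, written as a pre-flight check on a SOAP 1.1 request before it is sent to a SOAP Framework 640 endpoint. This is an added example, not SAP code: the function name, the host URL and the sample envelope are constructed, and treating any actor attribute on a header block as reliance on the Actor concept is an assumption.

```python
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ENC = "http://schemas.xmlsoap.org/soap/encoding/"  # SOAP 1.1 section 5 encoding


def unsupported_features(url, content_type, body):
    """Return the restrictions from the list above that a request would hit."""
    found = []
    if url.split(":", 1)[0].lower() not in ("http", "https"):
        found.append("non-HTTP transport")
    if content_type.split(";", 1)[0].strip().lower() == "multipart/related":
        # SOAP with Attachments wraps the envelope in a MIME package,
        # so the body is not a bare envelope and is not parsed here.
        return found + ["attachments"]
    if "<!DOCTYPE" in body:
        # SOAP 1.1 forbids DTDs; refusing them also avoids entity expansion.
        raise ValueError("DTD in SOAP message")
    root = ET.fromstring(body)
    header = root.find(f"{{{ENV}}}Header")
    if header is not None and any(f"{{{ENV}}}actor" in b.attrib for b in header):
        found.append("SOAP actor")
    for elem in root.iter():
        # encodingStyle is a space-separated list of URIs.
        styles = elem.get(f"{{{ENV}}}encodingStyle", "").split()
        if any(uri.startswith(ENC) for uri in styles):
            found.append("SOAP encoding")
            break
    return found


# Constructed sample request (not taken from an SAP system).
SAMPLE = """<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
  <e:Header>
    <t:Trace xmlns:t="urn:example:trace"
             e:actor="http://schemas.xmlsoap.org/soap/actor/next">1</t:Trace>
  </e:Header>
  <e:Body e:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <m:GetFlight xmlns:m="urn:example:flight"><id>17</id></m:GetFlight>
  </e:Body>
</e:Envelope>"""

if __name__ == "__main__":
    print(unsupported_features("https://host.example/ws", "text/xml", SAMPLE))
```
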

Creating Web Services

In Release 620, the following steps were required to create a SOAP-based Web service and an accompanying Web Service Description (WSD):

  1. Create a function module that can run remotely.
  2. Start the Web service browser.
  3. Find the function module and generate a WSDL, or
  4. Put function modules into groups and generate a common WSDL.

In the Web Service Framework, you can create Web services manually or by using an assistant:

· Manual:

1. Create a virtual interface for RFCs, function groups, or BAPIs (transaction SE80).


You can set name handling to uppercase or mixed case. Check which applies to you.

2. Create a Web service definition (transaction SE80).

3. Activate and configure a Web service based on a WSD (transaction WSCONFIG).