When you configure Web service (WS) consumer and provider objects, you notice that the current SAP user does not have sufficient authorization to execute the intended WS configuration operation.
The system issues a message, such as: "Not authorized [auth.obj=..., object=..., activity=..., reason=...]".
This message may contain one of the following reasons why the authorization check failed:
1. "No authorization found": The current SAP user account does not have any authorization assigned to the specified authorization object.
2. "Authorization found with different values": The current SAP user account has an authorization for the specified authorization object, but with different values for the fields of the specified authorization object.
Web service configuration
Web service authorization check
Authorization checks
Authorization roles
SAP_BC_WEBSERVICE_CONFIGURATOR
In your SAP NetWeaver (NW) releases or in certain Support Package levels, new and more accurate authorization checks were introduced for the configuration in the WS environment.
The background of this is that it was necessary to implement specific protection for objects of the WS configuration framework when new WS configuration objects were introduced.
The WS framework that was already introduced in the source code line of SAP NetWeaver 6.40 is mainly based on objects from the ICF services and HTTP destinations areas; it is not adapted sufficiently for accurate co-ordination of authorization checks in the WS environment or new configuration objects are not protected sufficiently.
The NetWeaver basis release that you use is either Version 7.02 or 7.20 or higher. In earlier versions, no additional authorization checks are carried out in transaction SOAMANAGER.
To support you when you assign suitable authorizations for the ABAP WS configuration for SAP user accounts, (among other things) the new authorization role SAP_BC_WEBSERVICE_CONFIGURATOR was created or enhanced.
The role contains all authorizations that are required for the WS configuration vie transaction SOAMANAGER, as well as transactions WSCONFIG, WSADMIN, and LPCONFIG. The latter transactions are obsolete and originate from the SAP NetWeaver 6.40 environment. As of SAP NetWeaver Version 7.00, these transactions should no longer be used for WS configurations.
Note that this role may already be available in your SAP client in an old version. In this case, you can update this role with the authorizations of the newest version (see the attachment to this note). In addition, this role is also provided via an SAP NetWeaver Support Package.
You can use transaction PFCG to display the authorizations stored in this role to check whether the existing role in your SAP client is the new version or is still the old version of the role. It is the latest version of the role if it contains authorizations for the following authorization objects: S_SRT_CF_C, S_SRT_CF_P, S_SRT_DEST, S_SRT_LRD, S_SRT_PROF, S_SRT_SCEN, S_SRT_TYPE, S_SRT_UACC, S_SRT_UASG, and S_SRT_SR_P.
Implement the authorization role that is suitable for you for those SAP users who perform configurations in the SAP ABAP WS environment, or adjust the individual authorizations contained in the role according to your requirements in your own authorization roles. You can use the specified role as a copy template or an authorization model.
If you have already assigned the role or copies of it to user accounts, after you upload the role or populate it via a relevant SAP Support Package, you must perform an adjustment in the user accounts. You can use transaction PFCG to upload the role and to adjust the user accounts. For more information about using transaction PFCG, see the SAP documentation (available for each SAP NetWeaver source code line at http://help.sap.com).
Header Data
| |
Released On | |
Release Status | |
Component | |
Priority | |
Category | |
Validity
|
SAP_BASIS | 640 | 640 | | 701 | 702 | | 710 | 730 | |
|
Support Packages & Patches
Support Packages |
---|
|
SAP_BASIS | 701 | | 702 | | 702 | | 702 | | 711 | | 720 | | 720 | |
|