
Encrypt URL Parameter Value in Web UI

former_member184067
Active Contributor
0 Kudos

Dear Experts,

There is a requirement that the system needs to send an email that contains a URL link for the document that needs to be followed up. When the user clicks the link, he/she will be redirected to the proper document without any logon to the system.

This requirement has been achieved, but there is a problem since the value of the URL parameter is sent directly without any encryption.

Below is an example of the URL that is sent in the email:

http://***/sap/crm_logon/default.htm?crm-object-type=BT115Q_SLSQ&crm-object-action=B&crm-object-valu...

Is it possible to encrypt the value of URL parameters such as User ID and Password in SAP CRM?

Please advise.

Thanks in advance.

Regards

Eddhie Kurnianto

CarstenKasper
Active Contributor
0 Kudos

Hi Eddhie,

just out of curiosity: Do the persons only want to display the information or is it for editing as well?

For displaying it might be possible to include more information in the E-Mail or create a "light" version that can be accessed online.

In the latter case I would be interested in how you are planning to handle data integrity or system audits by external auditors? I suppose this would kill any kind of traceability and authorization concept.

From a technical standpoint you could create an anonymous service that runs with SAP_ALL privileges. That way you will not need any kind of password, which is, from a security perspective, pretty much the same as a password hardcoded in an HTTP URL. Anyhow I would strongly advise you not to do this.

cheers

Carsten

former_member184067
Active Contributor
0 Kudos

Hi Carsten,

Thanks for the reply.

The case is that the client wants to give a list of tasks that need to be done by a 3rd party that doesn't have any user logon to SAP CRM. And the 3rd party is more than 1 person.

The client doesn't want to spend more on licenses and they want to use shared users for the 3rd party: 1 user for displaying and 1 user for editing.

For displaying the information, the 3rd party does not need to log on, but for editing the data, the 3rd party needs to log on to the system.

Since there is more than one task and all of the tasks need to be done at the same time, the client asked to group them in one email. It is pretty hard to give more detailed information for each task. And there is a possibility that more than one list of tasks must be sent. This means that more than one email containing a list of tasks will be sent.

The temporary solution is to create a new service with limited privileges to show the detail information of a task.

A light version is a good idea, but it needs development time and still needs a user logon to the system.

I think the best way is what Hasan Rafiq proposed: build another 3rd party web application for handling the encryption and decryption to SAP. This idea had been proposed before I posted this thread, but the client refused to have another development other than the SAP system.

Any idea will be appreciated.

Thanks in advance.

Regards

Eddhie Kurnianto.
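
Added example, not part of the original posts and not SAP code: one way a separate web application like the one mentioned above could keep the user ID and password out of the e-mailed link entirely, by issuing an HMAC-signed, expiring token that only names the document to display. The key, the claim names, the object ID and the portal URL are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption); load a random secret from protected storage instead.
SECRET_KEY = b"constructed-demo-key-not-for-production"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()

def make_link_token(object_type, object_id, ttl_seconds, now=None):
    """Return 'payload.signature' for display-only access to one document."""
    now = int(time.time()) if now is None else now
    claims = {"type": object_type, "id": object_id,
              "action": "display", "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    return b64e(payload) + "." + b64e(sign(payload))

def verify_link_token(token, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = b64d(payload_part), b64d(sig_part)
    except ValueError:  # wrong number of parts or undecodable base64
        return None
    # Check the signature before trusting or parsing any field in the payload.
    if not hmac.compare_digest(sig, sign(payload)):
        return None
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None
    return claims

if __name__ == "__main__":
    # Constructed object ID and host, for illustration only.
    token = make_link_token("BT115Q_SLSQ", "CONSTRUCTED-0001", ttl_seconds=3600)
    print("https://portal.example/view?token=" + token)
    print(verify_link_token(token))
```

A token like this still works for anyone who obtains the e-mail until it expires, so it suits the display case only and should be issued with a short lifetime.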

CarstenKasper
Active Contributor
0 Kudos

Hi Eddhie,

thank you for your explanation. This makes the use case a lot clearer to me.

Judging from my past project experience and your scenario I would probably go by Adobe Forms for this. All you have to do is install an ADS server, which is probably already in place for your CRM. Then create some Adobe offline enabled forms.

The development can be done, more or less, directly in the SAP environment using transaction SFP. Though it still is an extra installation on the developer PC called Adobe LiveCycle Designer which can be downloaded directly from Service Marketplace.

After you created the form containing all the necessary and room for the needed information you could send it to the 3rd party by mail. They can then simply edit it and send it back by E-Mail to the CRM server. Suppose inbound mail is correctly set up on your system as well.

SAP provides some class libraries already for extracting the data from the received PDF file which can then be further processed by the usual application logic.

This way you do not need to send out any kind of SAP user/password. The changes are done with the user maintained in SAPConnect for this task.

A good idea would be to store the received mails on the transaction as otherwise the changes done by the PDFs are not traceable. The sender E-Mail address could be used as some form of authentication. Suppose if an audit happens this could pass the test...

Hope you got the solution design I pointed out here.

Carsten