on 01-25-2020 2:17 AM
Dear SAP experts,
In our SAP PO (7.5), some new B2B integrations are needed. The scenarios will be synchronous calls External WS (SOAP) --> SAP PO --> SAP
We're evaluating having a site2site VPN with the partner so that once authenticated they can call our SAP PO through regular SOAP calls.
However, we're concerned this could be a security issue as, once authenticated, they could call any other SAP PO SOAP interface just by using the interface URL. I know that we can use Assigned Users in the Business System to restrict that interface to only be used by a specific service ID (the same can be done at interface level, in the ICo). But this doesn't help with the security vulnerability, since the other interfaces won't have any restriction in their Assigned Users tab, so that ID can still run other A2A interfaces once authenticated through the VPN.
The only alternative would be adding all possible user IDs to all other interfaces, so that this specific ID wouldn't be allowed to run any other interface - that's not acceptable for us due to the huge number of existing interfaces. SAP confirmed in OSS that this is the only way to use the Assigned Users feature.
Can we enhance the ACL (Access Control List, the component where the Assigned Users are stored) so that it not only works as a white-list, but mainly as a blacklist?
Has anyone any suggestion on how to overcome this (imho, very basic) security issue?
I've read this help content/SAP note, which only confirms what I just stated:
- 852237 - Extended authorization concept of the XI runtime
Thanks!
Maybe a possible solution for your problem is the non-central Advanced Adapter Engines (non-central AAEs) installed in a DMZ.
Their B2B interfaces would have the communication channel running on the external adapter, which would be in a DMZ, isolating their B2B partners from the other interfaces.
Thanks for your suggestion... that would help, indeed. I will investigate more on this - would you have more info about how I could have a second non-central AAE in the DMZ?
Wouldn't a web dispatcher work better in that case, with its URL filtering capability?
I was more interested in a solution within the app layer, but if that's not achievable within app layer, I'll start evaluating other alternatives.
In your case, the non-central Advanced Adapter Engines would really make more sense.
I found the link below that explained a little better about it, see if it makes any sense for your scenario:
https://help.sap.com/doc/saphelp_me151/15.1.3VERSIONFORSAPME/en-US/48/d11280b4073254e10000000a42189b/content.htm?no_cache=true
You can restrict the access for a pre-defined user inside the respective user tab in your Integrated Configuration; inside this tab you can insert only the users authorized to use this interface.
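As an added illustration (not from the thread, SAP or the Web Dispatcher), a small Python model of the Assigned Users allow-list behaviour described in the question, beside the deny-by-default perimeter URL filter suggested above; the interface paths, user IDs and the partner network are constructed.

```python
"""Toy model of the gap raised in the question: SAP PO's Assigned Users ACL is a
per-interface allow-list, and an interface with an empty list is open to every
authenticated user.  A deny-by-default URL filter in front of PO (the Web
Dispatcher idea) limits each caller's network to the paths it needs.
Constructed example, not SAP or Web Dispatcher code; all names are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    path: str
    assigned_users: frozenset = frozenset()  # empty => unrestricted (PO behaviour)


# Constructed catalogue: one B2B interface restricted to the partner's service ID,
# one internal A2A interface that nobody bothered to restrict.
INTERFACES = (
    Interface("B2B_Order", "/XISOAPAdapter/MessageServlet?channel=:PARTNER:Order", frozenset({"PARTNER_SVC"})),
    Interface("A2A_Payroll", "/XISOAPAdapter/MessageServlet?channel=:HR:Payroll"),
)

# Constructed perimeter policy: source network -> allowed paths; anything else is denied.
PERIMETER_POLICY = {
    ip_network("10.200.1.0/24"): {INTERFACES[0].path},  # partner VPN range
}


def po_acl_allows(iface: Interface, user: str) -> bool:
    """Assigned Users semantics: only a non-empty list restricts callers."""
    return not iface.assigned_users or user in iface.assigned_users


def perimeter_allows(src_ip: str, path: str) -> bool:
    """URL filter keyed on the caller's network; no matching rule means deny."""
    addr = ip_address(src_ip)
    return any(addr in net and path in paths for net, paths in PERIMETER_POLICY.items())


def reachable(user: str, src_ip: str, use_perimeter: bool) -> list[str]:
    """Interfaces the caller can invoke, with or without the perimeter filter."""
    return sorted(
        i.name for i in INTERFACES
        if po_acl_allows(i, user) and (not use_perimeter or perimeter_allows(src_ip, i.path))
    )


if __name__ == "__main__":
    print("PO ACL only:   ", reachable("PARTNER_SVC", "10.200.1.7", use_perimeter=False))
    print("with perimeter:", reachable("PARTNER_SVC", "10.200.1.7", use_perimeter=True))
```

The first call shows the partner ID reaching the unrestricted A2A interface through the PO ACL alone; the second shows the perimeter rule confining it to its own B2B path.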