SAP PI - fi operations - security concerns

Former Member
0 Kudos

Hello,

We are working on a project where we will pull data about our customer transactions from the bank, through PI, to SAP IS-U. PI and IS-U are inside our LAN network. The web service provided by the bank, besides operations which allow pulling history data like statements etc., also has operations like transfer, international transfer etc.

The connection between the bank and PI is secured (a certificate will be loaded on PI); the connection between PI and IS-U isn't, but it is inside the LAN. But our architect has security concerns, and he recommended a separate PI for FI operations only, where a limited number of people have access.

Is there any way to achieve the same goal without using a second instance of PI, for example by using roles, etc.?

I would be very grateful for your opinions.

Accepted Solutions (1)

engswee
Active Contributor
0 Kudos

Hi Marcin

If the security concern is related to viewing of payloads, you can restrict the contents by using custom roles as mentioned in the blog below.

Rgds

Eng Swee

Former Member
0 Kudos

The concern is also that, since the certificate for the connection with the bank web service will be loaded, someone within the company might use FI operations like transfer, international transfer?

Since we never plan to use those operations, could we restrict access to them on PI level?

Former Member
0 Kudos

First of all this should be restricted at ERP end with AUTH OBJECTS.

For that particular ICO, you can assign users who are allowed to access the configuration during runtime. Check your sender agreement or ICO for the 'assigned users' tab.

Moreover, if you are not implementing a particular operation, how can an end user even trigger that operation?

I will also check if this can be restricted using any actions.

engswee
Active Contributor
0 Kudos

Can you elaborate further?

Do you want to restrict certain developers access to the definition of the web service?

Or do you want to restrict end users from triggering the web service?

Answers (2)

Former Member
0 Kudos

Hi Marcin,

I am sure the access needs to be restricted to the payload, so as Eng suggested deploy the "role" file and assign this new role only to qualified users.

Also you may want to use Message level encryption for these particular interfaces.

An additional security aspect which you can use if you are on 7.31+ is to use the "Sensitive Data" option on your interface. This stores the encrypted data in DB.

BR,

Harish

former_member186851
Active Contributor
0 Kudos

Hello Marcin,

You can restrict access to particular objects like SWCV in PI.

In your case it can be restricted to the Banking SWCV and related objects.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a005629b-c063-2910-0fb8-f57dc68ab...