Jan 25, 2020 at 02:17 AM

How to restrict external B2B user to run SAP PO A2A internal interfaces?


Dear SAP experts,

In our SAP PO (7.5), some new B2B integrations are needed. The scenarios will be synchronous calls External WS (SOAP) --> SAP PO --> SAP

We're evaluating having a site2site VPN with the partner so that once authenticated they can call our SAP PO through regular SOAP calls.

However, we're concerned this could be a security issue as, once authenticated, they could call any other SAP PO SOAP interface just by using the interface URL. I know that we can use Assigned Users in the Business System to restrict that interface to only be used by a specific service ID (the same can be done at interface level, in the ICo). But this doesn't help with the security vulnerability, since the other interfaces won't have any restriction in their Assigned Users tab, so that ID can still run other A2A interfaces once authenticated through the VPN.

The only alternative would be adding all possible user IDs to all other interfaces, so that this specific ID wouldn't be allowed to run any other interface - that's not acceptable for us due to the huge number of existing interfaces. SAP confirmed in OSS that this is the only way to use the Assigned Users feature.

Can we enhance the ACL (Access Control List, the component where the Assigned Users are stored) so that it not only works as a white-list, but mainly as a blacklist?

Has anyone any suggestion on how to overcome this (imho, very basic) security issue?

I've read these help contents/SAP notes, which only confirm what I just stated:


- 852237 - Extended authorization concept of the XI runtime
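To make the gap the question describes concrete, here is an added illustration (not SAP code, and not part of the original post) that models the Assigned Users semantics as the poster states them: an interface whose Assigned Users tab is empty accepts any authenticated user, so the partner ID allowed on one B2B interface can also reach every unrestricted A2A interface. Beside it is a hypothetical hardened check in which external identities carry an explicit list of the interfaces they may call and everything else is denied. The interface names, user IDs and the `EXTERNAL_ALLOW` table are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    # Empty set models an interface with nothing in its Assigned Users tab,
    # which (per the question) means any authenticated user may call it.
    assigned_users: set = field(default_factory=set)


# Constructed sample: one B2B interface restricted to the partner's service ID,
# two A2A interfaces left without any Assigned Users entry (the usual case).
INTERFACES = {
    "B2B_OrderIn": Interface("B2B_OrderIn", {"PARTNER_X"}),
    "A2A_HR_Sync": Interface("A2A_HR_Sync"),
    "A2A_FI_Post": Interface("A2A_FI_Post"),
}

# Hypothetical per-identity allow-list for external callers. This is the
# "restrict this ID to these interfaces only" view the poster is asking for;
# it is an illustration of the idea, not an existing SAP PO feature.
EXTERNAL_ALLOW = {
    "PARTNER_X": {"B2B_OrderIn"},
}


def allowed_assigned_users(user: str, iface: str) -> bool:
    """Whitelist-per-interface semantics as described in the question:
    an interface with no assigned users is open to every authenticated user."""
    entry = INTERFACES[iface]
    return not entry.assigned_users or user in entry.assigned_users


def allowed_hardened(user: str, iface: str) -> bool:
    """Deny-by-default for external identities: a user listed in EXTERNAL_ALLOW
    may call only the interfaces named there. Internal users keep the existing
    Assigned Users behaviour so the many unrestricted A2A interfaces still work."""
    if user in EXTERNAL_ALLOW:
        return iface in EXTERNAL_ALLOW[user]
    return allowed_assigned_users(user, iface)


def exposure(user: str, check) -> list:
    """Sorted list of every configured interface the given user could invoke
    under the supplied check function; useful for auditing a new B2B identity."""
    return sorted(name for name in INTERFACES if check(user, name))


if __name__ == "__main__":
    print("Assigned Users only:", exposure("PARTNER_X", allowed_assigned_users))
    print("Hardened allow-list:", exposure("PARTNER_X", allowed_hardened))
```

Running `exposure("PARTNER_X", allowed_assigned_users)` returns all three interfaces, which is exactly the concern raised above; the hardened variant returns only the B2B interface. Whatever enforcement point is eventually chosen, an audit step of this shape (enumerate what a new external identity can reach before it goes live) is the check worth keeping.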