Aug 29, 2017 at 08:52 AM

Securing OData calls to C4C


Hey community,

tl;dr: How do I limit the scope of OData calls to C4C?

When implementing an HTML5 application connected to an Identity Provider (IdP) that consumes data from SAP Cloud for Customer using OData, I stumbled upon the issue of authentication. Specifically, I was wondering how to limit the access scope.

This is what I am trying to prevent from happening: When I set up a destination and use it from my application, all JavaScript calls from there can access all OData services. So say, my application is about managing tickets. A malicious user (who has access to my application via the IdP, I want him to have access to the tickets after all) can suddenly type this into his browser's developer console and also access my phone records:

$.ajax({
    url: "https://<my-app>/c4c/sap/c4c/odata/v1/c4codata/PhoneCallCollection", // any collection behind the destination, not just tickets
    type: "GET",
    success: function (d) { console.log(d); }
});

Any way to prevent this?

For SOAP calls ("web services"), it's possible to set up certain Communication Systems and pair them with so-called Communication Scenarios (such as creating a ticket) into Communication Arrangements. This then creates a technical user with user/password or certificate authentication whose privileges are limited to the very use case described in the arrangement. It can only use the CreateTicket web service, nothing else. Does something similar to that exist for OData as well?

Now, according to the documentation, one can authenticate to OData using

  1. Basic authentication (username/pw) using business users
  2. OAuth 2.0 authentication - this allows for some scoping as I've seen in the UI. What I'm not clear about, however, is, how these scopes can be narrowed down to certain workcenters, OData services or OData entities. Is there any documentation for this or can somebody explain to me how to achieve a similar effect as with the communication arrangements?

So what I could do of course is use Principal Propagation from my IdP, but for that, each and every one of my users would need to have a C4C business user which would need to be set up, maintained and paid for. For this narrow use case, this strikes me as overkill.

During my research, I had a look at SAP's Partner Channel Management (PCM) and how they set it up there. I saw that, according to the official instructions, they also use plain OAuth. I tried it out and discovered that this causes a quite severe security issue, if you ask me, as it opens the door for attacks as I have outlined above. This screenshot here demonstrates how I used my installation of PCM to access data that wasn't intended to be accessed with this application: pcm.png

Now, what am I missing here? Is there any way I can limit the scope of such calls without using business users?

Thanks a lot in advance,



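One server-side mitigation for the problem described in the post is to allowlist, at the proxy route that fronts the destination, the OData entity sets and methods the app actually needs, so a browser call to PhoneCallCollection is refused before it ever reaches C4C. The check below is an added example, not code from the post or an SAP product feature; it assumes the app reaches C4C only through a server-side route you control (the "/c4c/..." prefix from the post), and the entity-set names are illustrative.

```javascript
// Added example (not from the original post): allowlist for the OData paths
// an HTML5 app's proxy route is permitted to forward to C4C.
// Assumption: the browser can only reach C4C through this route; the
// allowed entity set below is illustrative for a ticketing app.
const ODATA_BASE = "/c4c/sap/c4c/odata/v1/c4codata/";

// Entity sets the ticketing app actually needs; everything else is refused.
const ALLOWED_ENTITY_SETS = new Set(["ServiceRequestCollection"]);

// Methods the app needs; writes are refused even on allowed collections.
const ALLOWED_METHODS = new Set(["GET"]);

// Decide whether a browser request may be forwarded upstream.
// Returns { allow: boolean, reason: string }; fails closed on anything odd.
function authorizeODataRequest(method, rawPath) {
  const m = method.toUpperCase();
  if (!ALLOWED_METHODS.has(m)) return { allow: false, reason: "method not allowed" };

  // Normalise: drop the query string, decode once, refuse traversal.
  let path;
  try {
    path = decodeURIComponent(rawPath.split("?")[0]);
  } catch (e) {
    return { allow: false, reason: "malformed path" };
  }
  if (path.includes("..") || !path.startsWith(ODATA_BASE)) {
    return { allow: false, reason: "outside service root" };
  }
  const rel = path.slice(ODATA_BASE.length);

  // $batch carries arbitrary inner requests in its body, so a path allowlist
  // cannot vet them; refuse it unless the body is parsed and checked too.
  if (rel === "$batch") return { allow: false, reason: "$batch not permitted" };

  // First segment with any key predicate removed: "Foo('1')/Bar" -> "Foo".
  const segments = rel.split("/");
  const entitySet = segments[0].replace(/\(.*$/, "");
  if (!ALLOWED_ENTITY_SETS.has(entitySet)) {
    return { allow: false, reason: "entity set not allowed: " + entitySet };
  }
  // Navigating from an allowed entity into another collection would widen
  // the scope again, so permit only the plain set, a key lookup, or $count.
  const rest = segments.slice(1);
  if (rest.length > 0 && rest[0] !== "$count") {
    return { allow: false, reason: "navigation path not allowed" };
  }
  return { allow: true, reason: "ok" };
}
```

Wire the function in front of the proxy's forwarding step; a denied result should return 403 and be logged, since a PhoneCallCollection request from a ticketing UI is exactly the signal the post describes.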