End user authorization for a Web Application in SAP Enterprise Portal

Former Member
0 Kudos

Dear all,

I created an application using BI Web Templates that executes some queries and then, after the user clicks on a button, it executes a Process Chain in BI.

When I used my user that contains BI developer authorizations everything works fine, but when an End User clicks the button in the application the Process Chain is not triggered.

I have been working with our authorization team and they have not been able to solve the End User issue, I am sure that it all relates to lack of authorizations but I haven't been able to find any information on what authorization objects the end Users need to have in order to solve the issue.

Can anyone help me on this? It has been more than 4 months and so far the security team has not been able to do anything.

Thanks in advance for your help!

Edited by: Orlando Ledezma on Sep 17, 2009 7:10 PM

1 ACCEPTED SOLUTION

sdipanjan
Active Contributor
0 Kudos

Please put the Trace ST01 on and ask the end user to execute those steps once more. Check the trace result where the RC is not equal to 0. Then make a comparison of his user ID with yours and expand those particular objects to find out what values are missing in his user master and available to you.

Regards,

Dipanjan
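The comparison described in the answer above, sketched as an added example that is not part of the original thread. The trace records and both user masters are constructed sample data (not real ST01 output), and the matching is a simplified model in which a check passes only when a single authorization covers every checked field.

```python
from fnmatch import fnmatchcase

# Constructed sample: checks read off an end user's trace (not real ST01 output).
TRACE = [
    {"object": "S_DEVELOP", "fields": {"OBJTYPE": "DEBUG", "ACTVT": "03"}, "rc": 4},
    {"object": "S_BTCH_NAM", "fields": {"BTCUNAME": "NXBWREMOTE"}, "rc": 12},
    {"object": "S_RFC", "fields": {"RFC_TYPE": "FUGR", "ACTVT": "16"}, "rc": 0},
]
# Constructed user masters: object -> list of authorizations (field -> patterns).
END_USER = {"S_DEVELOP": [{"OBJTYPE": ["PROG"], "ACTVT": ["03"]}]}
DEVELOPER = {
    "S_DEVELOP": [{"OBJTYPE": ["*"], "ACTVT": ["*"]}],
    "S_BTCH_NAM": [{"BTCUNAME": ["NXBW*"]}],
}

def covers(auth, wanted):
    """One authorization covers a check only if every checked field matches."""
    return all(any(fnmatchcase(val, pat) for pat in auth.get(field, []))
               for field, val in wanted.items())

def is_authorized(master, obj, wanted):
    """The check passes if at least one authorization of the object covers it."""
    return any(covers(auth, wanted) for auth in master.get(obj, []))

def uncovered_fields(master, obj, wanted):
    """Fields whose checked value matches no pattern in any authorization."""
    return sorted(
        field for field, val in wanted.items()
        if not any(fnmatchcase(val, pat)
                   for auth in master.get(obj, [])
                   for pat in auth.get(field, []))
    )

def compare(trace, end_user, reference):
    """For every check with RC != 0, show what the end user lacks."""
    findings = []
    for rec in trace:
        if rec["rc"] == 0:
            continue  # successful checks need no follow-up
        obj, wanted = rec["object"], rec["fields"]
        findings.append({
            "object": obj,
            "checked": wanted,
            "end_user_missing": uncovered_fields(end_user, obj, wanted),
            "reference_passes": is_authorized(reference, obj, wanted),
        })
    return findings

if __name__ == "__main__":
    for finding in compare(TRACE, END_USER, DEVELOPER):
        print(finding)
```

A finding where `reference_passes` is true and `end_user_missing` is non-empty is a concrete value to raise with the security team, rather than a request to copy the reference user's roles.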

10 REPLIES 10

Former Member
0 Kudos

Thanks a lot for your prompt reply. The problem is that I don't have the authorization to execute the trace using ST01; the security team owns that part, but since they have missed the mark so far I am looking for options. I am trying to find out what standard authorization objects are needed to allow an end user to execute a Process Chain from the Portal.

Former Member
0 Kudos

First of all, could these end users trigger a process chain directly from the ABAP system before this portal application was developed? If yes, then it is not a BI specific authorization problem but might still be a "basis" one.

How does your portal application execute the process chain?

My first guess would be that it is trying to schedule a job in the background under a foreign user ID, and this is failing on object S_BTCH_NAM for the system user.

It is not uncommon to find that this system type user account is called ALEREMOTE (but it is not mandatory) and used also for inbound RFC and internal RFC - so it could also be that the query is logging the end user onto the backend system and keeping the connection open, then within their own context they are trying to call the internal RFC destination to trigger the process that way. Here there are a number of things which need to be taken into account and it really is best to look in the system itself. Have you checked ST22 for short dumps or tried setting an external break-point and (temporarily) debugging the call from the end user side?

If you use events for executing process chains and are protecting the variants of the programs scheduled for them, then you only need the user to raise the event. If this is the case and there is nothing in ST22 dumps, then I would also have to think very hard about it to imagine an authorization issue.

Sorry, I can only speculate. If you provide more info on the design of the application then it might give clues about the backend.

Cheers,

Julius

Former Member
0 Kudos

Thanks a lot Julius!

To answer a couple of your questions:

1) The end users were not able to execute the process chains before this application; they do not have any type of access to the backend of BI. With this application they are only allowed to execute one and only one process chain, which is the one defined with the button on the Web Template.

2) The button in the Web Template is using the command "EXECUTE_PROCESS_CHAIN" with the name of the Process Chain assigned.

3) I doubt that it is a problem with the system user since the whole process works for me when I am in the application.

I hope this clarifies a little bit more about the issue.

Former Member
0 Kudos

I am not logged on, so this is from memory - hey, what can be worse than 4 months of being logged on?

> 1) The end users were not able to execute the process chains before this application; they do not have any type of access to the backend of BI. With this application they are only allowed to execute one and only one process chain, which is the one defined with the button on the Web Template.

So the portal application is sending the process chain ID to the backend, and the function called on the backend has to expose this to the portal. Obviously, it will make more checks than one which does not.

> 2) The button in the Web Template is using the command "EXECUTE_PROCESS_CHAIN" with the name of the Process Chain assigned.

If the user had no need to execute this process chain before via an ABAP transaction or report, then it is reasonable to expect that they cannot do it via RFC either. See my comment above about parameters being passed.

> 3) I doubt that it is a problem with the system user since the whole process works for me when I am in the application.

I still tip on this as being the problem, and the execution of the process chain itself (a program) is a different topic to opening the step in the job with a foreign user ID in it. This is also critical and I suspect that your security department don't want to hand out this authorization because the user ID has SAP_ALL.

> I hope this clarifies a little bit more about the issue.

Yep, we are getting warmer.

But before you hassle the security folks further, please consider from the external application perspective the option of saving the process chain as a variant with its data in the backend (which you are currently sending from the portal) and making it event dependent.

Then you only need to raise the event from the portal and it will only do that which it is pre-defined to do on the inside.

Cheers,

Julius

Former Member
0 Kudos

> The problem is that I don't have the authorization to execute the trace using ST01

Set an external user break-point or a terminal break-point in the ABAP code you are calling. Then run the web application.

I used to do this as an enduser as well when security told me that it is not possible.

Eventually they promoted me to the IT department -> so that is another option: Ask the end users?

Cheers,

Julius

Former Member
0 Kudos

Hi Julius,

Can you explain a little bit more how to debug this? I created the external breakpoint in the ABAP program but I can't find out how to debug the session when the execution is triggered from the portal application.

Former Member
0 Kudos

As I am not sure which program this is (the RFC call, or a program in a job step) and you are not convinced that the problem might actually be a different user ID, I would suggest using the Terminal Debugging option.

As of release 7.00 EhP1 you will see a little box called "Terminal" with a check flag. Choose that instead of specifying the user name.

Note that the user will need to be authorized for the debugger in display mode (object S_DEVELOP actvt 03 object type DEBUG) for you to be able to take over its session in the debugger and be interactively SAPGui capable (user type = SERVICE is best to use for this).

Cheers,

Julius

Former Member
0 Kudos

Hi Julius,

Thanks a lot for all your help. Your guidance allowed me to find out that the test end user is using NXBWREMOTE to execute the process chains, which is different than when I use my developer user. Do you have any idea of what authorization config can be causing this?

Edited by: Orlando Ledezma on Sep 18, 2009 10:30 PM

Former Member
0 Kudos

> Your guidance allowed me to find out that the test end user is using NXBWREMOTE to execute the process chains, which is different than when I use my developer user.

It is more guesswork than guidance, because I don't know what is going on on your side.

> Do you have any idea of what authorization config can be causing this?

My guess would be that your button is first trying to open a step in a job with the RFC user in the job step; for this it checks object S_BTCH_NAM, and if not successful it uses the logged on user context to submit the program in batch mode to the background processor. In this case, the authority-checks are made against their own user not only to trigger the process chain but also to execute it.

I can understand that your security folks might not want to hand out this S_BTCH_NAM authorization as it can be very powerful - or stated more correctly, it is as powerful as the authorizations of the other user(s) you have foreign batch administration authority for.

I made a comment earlier in the thread about using events, and then simply raising it from your web application. This means you will have to change your web application, but the backend ABAP system security setup will be more secure and you can protect the process chain ID in the variant of the jobstep waiting for the event, so you need to send less parameter data across from your webserver to the ABAP system - also more secure.

Cheers,

Julius

Correction: It uses your own context to execute the Process Chain, if you are not authorized -> it checks authority to submit it via the internal "BW" user.

Again: Your options are to define an event, or alternately define the RFC user in an INTERNAL RFC connection. I would go for the event and tune the web app.

Edited by: Julius Bussche on Sep 19, 2009 10:54 PM