Skip to Content
avatar image
Former Member

Calling BSP in a Role -

Hi Experts,

We are in the process of intergration SAP SRM 5.0 and SAP GTS systems. We would like to call a custom BSP page in GTS system via role a custom role defined in SRM system. Also while calling we would like to pass end users userid as the parameter to GTS system BSP page to process further processing the information and do a look up.

Can you please help me out how to call the BSP pages across the systems and also what paramter id to use to pass the userid parameter to GTS system.

We are very close to go-live and please help me out to find a solution.

Thanks in advance.

Vijay.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    Sep 15, 2010 at 07:37 PM

    Go to PFCG create a role & description in the ABAP (GTS) system

    go to menu tab in change mode, click "other" search option to choose BSP applications

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Franklin,

      Vijay has stated that the BSP itself is called with a hardwired system user in the ICF (Internet Communication Framework -> transaction SICF).

      In the BSP, some user specific data is to be displayed or updated or whatever (otherwise the user context wouldn't matter, right?)

      So... he wants to pass the Portal user ID name (or an alias for it) to the backend system as a remotely exposed import parameter of the URL, which will then execute it user dependently.

      The consequence is.... I could call myself Franklin and you could call yourself Julius, and Martin could call himself Darth Vader if he wanted to.... 😊 The BSP would not know the difference if called from the portal (or elsewhere?)

      You could try to have very tight control on the portal side but it is still a bad design in my books to expose such import parameters such as user names, or the famous "auth_check = ' ' ".

      In ABAP it is also possible to use the AUTHORITY-CHECK ... FOR USER ... construct which is similar but local. If the external caller can specify the user ID against whom the check should be perform, they can do anything which the program permits with any authorizations they happen to know the corresponding user ID for.

      Not a good idea...

      ---> hence it depends on what this BSP does. Any coding error in it could easily lead to a further escalation of privildges.

      Cheers,

      Julius

      Edited by: Julius Bussche on Sep 17, 2010 10:08 PM