Technology Blogs by SAP
Andre_Fischer
Product and Topic Expert

Introduction

This requirement stems from a customer that asked how to publish an OData V4 service in an SAP S/4HANA on premise system such that it could be used on a public web site without the need to provide any authentication.

With OData V2 this requirement can be achieved more easily, since every service has its own SICF node where credentials can be stored just for that service.

In OData V4 we have only one SICF node, namely /sap/opu/odata4/.

This is obviously a problem since there is no service specific node available in SICF.

Solution

The problem can be solved using the following approach.

  1. Create a role that only contains the S_START authorization for the single OData V4 service we want to publish, see
    help.sap.com/doc/saphelp_nw75/7.5.5/de-DE/c6/dd838722ce4b8d9cc4a0741d93d864/frameset.htm
  2. Create a technical user that only has the authorization to access the single OData V4 service we want to make accessible.
  3. Create an alias in SICF for the node /sap/opu/odata4/.
  4. Store the credentials of the aforementioned user in the alias.
  5. Test the service.

Result

As we can see, accessing the service zrap630ui_shop_o4_05a via the alias zodatav4 works.

https://10.79.21.221:44301/sap/opu/zodatav4/sap/zrap630ui_shop_o4_05a/srvd/sap/zrap630ui_shop_o4_05a...

100_test_service_1.png

Accessing a second OData V4 service, zrap630ui_shop_o4_05b, via the alias zodatav4 does NOT work.

110_test_service_1.png

This has been achieved by assigning the following role to the technical user. The role only contains the authorization to start the first service, based on the authorization object S_START.

Please note:
Since OData V4 services use the authorization object S_START, which is based on the service name, it would for example be possible to publish several services that are in the same name range, such as:

zrap630ui_shop_o4_05A, zrap630ui_shop_o4_05B, ... zrap630ui_shop_o4_05Z

120_role_2.png
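
One way to automate the test from step 5 and to catch a role whose S_START value covers more services in the name range than intended. This is an added example, not part of the original post and not SAP code; the host name, the `<service-path>` placeholder and all function names are assumptions.

```python
import urllib.error
import urllib.request

# Constructed sample: host is a placeholder, and the part of each path after the
# service name is elided in the post, so "<service-path>" must be filled in locally.
ALIAS = "https://sap-host.example:44301/sap/opu/zodatav4/sap/"
TARGETS = {
    "zrap630ui_shop_o4_05a": ALIAS + "zrap630ui_shop_o4_05a/<service-path>",
    "zrap630ui_shop_o4_05b": ALIAS + "zrap630ui_shop_o4_05b/<service-path>",
}
PUBLIC = {"zrap630ui_shop_o4_05a"}  # the only service meant to be anonymous


def http_status(url, timeout=10):
    """Send a GET without any credentials and return the HTTP status code."""
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 etc. arrive as exceptions in urllib


def audit_alias(targets, public, fetch=http_status):
    """Compare anonymous reachability with the allow-list; return findings."""
    findings = []
    for name, url in sorted(targets.items()):
        status = fetch(url)
        reachable = 200 <= status < 300
        if name in public and not reachable:
            findings.append(f"{name}: should be public, got HTTP {status}")
        elif name not in public and reachable:
            findings.append(f"{name}: not allow-listed, but HTTP {status}")
    return findings


def demo():
    """Offline run against constructed statuses: role too broad, 05b answers."""
    too_broad = {url: 200 for url in TARGETS.values()}
    return audit_alias(TARGETS, PUBLIC, fetch=too_broad.get)


if __name__ == "__main__":
    for line in demo() or ["exposure matches the allow-list"]:
        print(line)
```

Against a real system, call `audit_alias(TARGETS, PUBLIC)` with complete service URLs and add every sibling service name from the same name range to `TARGETS`, so that a later change to the role shows up as a finding.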

How to section

Create the role

Using PFCG and the role template /IWBEP/RT_MGW_USR, we create a role, as shown in the screenshot above, that only contains the S_START authorization of one OData V4 service called ZRAP630UI_SHOP_O4_05A.

120_role_1.png

Create the user

We create a technical user whose credentials will be stored in the system alias.

130_technical_user.png

Create the system alias

1. We start by right-clicking on the node opu and choosing New subelement.

010_Create_Alias.png

2. We create a new service element called ZODATAV4_2 and choose the option Alias to an existing service.

020_create_alias.png

3. We choose the tab Target and select the node OdataV4 by double-clicking on it.

030_create_alias.png

4. We navigate to the tab Logon Data, choose Alternative Logon Procedure and enter the credentials of our service user.

050_create_alias.png

5. We navigate down and remove all logon procedures except Logon using service data.

060_create_alias.png

6. Do not forget to activate the link in SICF.

070_create_alias.png

080_create_alias.png

7. Check the result.

090_create_alias.png