问题
I know how to enable Communication Systems, -Arrangements and so on in S/4HANA Cloud Essentials to communicate with OData APIs. I like the process here.
Now I have an S/4HANA Single Tenant Edition, that behaves more like an OnPrem System. I did not realy find a guide how to set up communication to consume APIs from SCP. Seems like people are using a Standard User with Basic Auth what seems a bit unsecure.
Is there the same concept with communication system and arrangement in S/4Hana onPrem or STE? Alternatively how to consume APIs without using standard users? What is best practice here? Is there an OAuth Server for example?
Thank you in advance!
回答1:
First point about authorizations: it is recommended to create custom granular roles for each task and not by template, like you want.
To guess which authorizations are needed for which app, go to Fiori Apps Library and find target app, then go to the bottom and you will see a list of business-catalogs and by clicking on business-catalog you can see which operations it allows doing. Quite thoroughly the process of picking and assigning roles is described here.
Second point about authentication: the best and the most flexible way of consuming S4HANA API is to use business-user you created on the previous step. Here is a breakdown between using tech and business users and why you shouldn't use the latter:
So the SAP-recommended way of authenticating to S4HANA is business-user with granular permissions and OAuth2SAMLBearerAssertion authentication.
The process is multi-step and requires:
- Setup SAP Cloud Identity provider with your local app, get key pair
- Register SAP Cloud Identity Tenant to your local provider and vice versa
- Download certificates
- Create communication user in S4HANA, it is required for access to S4H endpoint and getting OAuth access token
- Create communication channel, communication agreement and HTTP endpoint in S4HANA
- Maintain business user (you created before) in the SAP Cloud Identity
Read about the process in more detail here
https://blogs.sap.com/2018/02/05/deep-dive-8-with-sap-s4hana-cloud-sdk-leverage-principal-propagation-via-oauth-2-when-consuming-a-business-api-from-s4hana-cloud/
来源:https://stackoverflow.com/questions/61602566/how-to-securely-consume-apis-in-s-4hana