Security for web services covers several areas: authentication answers the question who is calling the web service, while authorization answers the question is the caller allowed to call the web service operation. After successful authentication of a web service call, the SOAP runtime checks authorization of a caller. Only if this check is successful, the request is processed. Otherwise the request is rejected.
Authorizations for web services are granted on an operation level. So assume your service provides two methods: a getData and a storeData method. There are two groups of callers. One group shall be allowed to call the getData operation, while the other group is allowed to call getData and setData. Solution is to set up two different roles and assign a Z_ROLE1 the operation getData and the role Z_ROLE2 the operations getData and setData.
1) When using this function, the user must not have a role assigning S_SERVICE (WS,*); i.e. SAP role SAP_BC_WEBSERVICE_CONSUMER
2) The web service is called externally, i.e. by a tool such as WSNavigator or XML Spy.
Authority checks use object S_SERVICE for executing these checks. As the names of the web service and the operation are to long for an authorization object, the web service name and operation name are hashed as <ws-name>/<operation-name>.
Assiging permission for a ws-operation to a role
When creating a role using transaction PFCG, select the web service operations included in this role by selecting button Other, select Authorization Default Values for Services and select the entry with the operation for this service