Page tree
Skip to end of metadata
Go to start of metadata

OAuth 2.0 relies on the concept of scopes to control access to resources. The resources in AS ABAP are mapped to SAP NetWeaer Gateway OData services. One OData service in Gateway is assigned to exactly one OAuth 2.0 scope. How to create a Gateway Service is out of scope for this document. In this example the activation of an OData service (ZLEAVEREQUEST) and the assignment to an OAuth 2.0 scope is demonstrated.

As the configuration in AS ABAP release 7.31 and 7.40 are different, both will be described seperately in this document.

Table of Contents:

AS ABAP 7.31 Configuration

In AS ABAP 7.31, a separate report (attached to SAP Note 1797103) is used to create an OAuth 2.0 scope for an OData service. The following steps demonstrate how to enable the OData service (ZLEAVEREQUEST) and create a OAuth 2.0 scope for this service.

1. Start transaction SPRO and click SAP Reference IMG.

2. Go to Activate and Maintain Services.

3. All configured services are listed in the Service Catalog section. Choose the Service button to open the Add Service popup.

4. Select the ZLEAVEREQUEST service from the service list. Put the required information into the popup window as shown in the figure and press OK.

Now the ZLEAVEREQUEST service is activated.

5. Make sure the ZLEAVEREQUEST is marked as active in the ICF Nodes section.

6. To assign the ZLEAVEREQUEST service to an OAuth 2.0 scope, a dedicated report is used.

Go to transaction SE38 and execute report /IWFND/R_OAUTH_SCOPES to create OAuth 2.0 scope. In Service Doc. Identifier field supply the tecnical name of the ZLEAVEREQUEST service (service name_version).  

AS ABAP 7.40 Configuration

In AS ABAP 7.40, the OAuth 2.0 scope assignment is integrated into the Gateway service maintenance UI. The OData service (ZLEAVEREQUEST) is used in this example.

1-3. The first three configuration steps are the same as in the above configuration for AS ABAP 7.31.


4. Select the ZLEAVEREQUEST service from the service list. A window will pop up for adding a service.

Put the required information like the right screenshot and select option “Enable OAuth for service” and click OK.

ZLEAVEREQUEST will be activated and the service will be assigned to an OAuth 2.0 scope.

5. If OAuth 2.0 had not been enabled while activating the service, it can be added afterwards by clicking the OAuth button.

This will enable the selected service for OAuth and will create an OAuth 2.0 scope for it.

6. A popup window gives corresponding information and asks if you want to enable this service for OAuth 2.0.

Clicking Yes will generate an OAuth 2.0 scope for this service and will replace your service's ICF handler with a handler that supports OAuth 2.0.

  • No labels


  1. Hi  Mathias,

    We are trying to replicate this scenario and cannot find the note that you are referencing. Can you please help if you have a chance?

     SAP Note 1797103

    Thank you,


  2. Former Member

    The note is released since 10.05.2013

  3. Former Member

    Nice illustration Mathias!

    Adding a service assignment to an OAuth 2.0 scope seems pretty straight forward, but removing the scope after it's been added isn't so easy.  Do you have any illustrations on how to remove the scope from a service once it's been added?  

    Thank You!

    James Bastian

  4. James,

    There is no option for removing scope assignments as no used case of removing them again is seen; they only get deleted once the service is deleted.

    Best Regards,


  5. There is a report - /IWFND/R_OAUTH_SCOPES that can be used to delete the OAuth Scope.

    Please refer to the link -

    You can get the service Identifier from the view /IWFND/V_MGDEAM.


    Chakram Govindarajan