This howto describes the steps to limit access to an ITS based service for a specific group of users.
Many administrators of a SAP system want to limit the group of users who can call an ITS based service. By default if an administrator activates an ICF service like webgui, anyone with valid SAPuser credentials can logon to the SAP system. The Internet Communication Framework ICF provides a feature to limit the users who can call a specific service. In transaction SICF you can customize a specific SAP authorization which should be checked if a user logs in to the service. To do this start transaction SICF go to the service for which you want to limit the access and double click on it. You will see the following screen:
The interesting field is SAP Authoriz. In this field you can enter a string i.e. WEBGUI. The ICF checks against the authorization object S_ICF which has the field ICF_FIELD. To restrict users from login with webgui you should remove the authorization for S_ICF in your standard roles using transaction PCFG. Then you should create a second role which only contains the authorization for authorization object S_ICF. Set the field ICF_FIELD of S_ICF to the string WEBGUI, which we have used in our example above in transaction SICF. With SU01 you can now assign your new role which allows to call the service WEBGUI to your users. A user which does not have assigned this role will receive this error message:
Details can be found in the SAP Netweaver 7.0 Documentation:
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/36/020d3a0154b909e10000000a114084/frameset.htm
under
Components of SAP Communications Technology
Communication Between ABAP and Non-ABAP Technologies
Internet Communication Framework
Development
Server-Side Development
Creating and Configuring an ICF Service
Creating a Service
Defining Service Data