Authorization Object S_ICF_ADM

Definition

This object includes authorization checks for accessing individual virtual hosts, services, and aliases in the Internet Communication Framework.

Use

You can use this authorization object to restrict administration access to various elements of the Internet Communication Framework. You can apply these restrictions to virtual hosts, services (service nodes), and aliases.

Structure

Authorization Object S_ICF_ADM

| Field | Meaning | Values |
|---|---|---|
| ACTVT | Activity | 01: Create; 02: Change; 03: Display; 06: Delete; 07: Activate |
| ICF_HOST | Virtual host | <Name of the virtual host> |
| ICF_NODE | GUID of an ICF service or alias | <GUID of the service or the parent node> |
| ICF_TYPE | ICF element | Alias (external alias); Host (virtual host); Node (service, internal alias) |

Integration

Since virtual hosts, services, internal aliases, and external aliases are organized in a hierarchical structure, you can specify the authorizations for creating and editing individual elements at different levels. You can grant an authorization for a specific element or for a higher-level node. Using this procedure, you can grant users the authorization to maintain all elements below this node.

You specify either the element’s NODGUID or the element’s PARGUID as the value of the particular element. The NODGUID is the GUID of the node itself; the PARGUID is the GUID of the direct parent node or a higher node.

Since the NODGUID is not generated until an element is created, it makes sense to grant the authorization for this activity to the next highest node (and therefore all underlying elements).

Virtual Host (ICF_HOST)

Here you specify the name of the virtual host that you want to create or under which you want to create a service or alias.

Service, Internal Alias, or External Alias (ICF_NODE)

Here you specify either the NODGUID of the specific service or the PARGUID (the NODGUID of the parent node).

If you use the role maintenance transaction (transaction PFCG) to create authorization data, you can find the value for this field by using Change to select the required service or service node from the service hierarchy. The appropriate GUID is then copied to the value field automatically.

Since the NODGUID is not known until the specific service is created, you require the NODGUID of the parent node. You can also specify the NODGUID of higher level parent nodes.

ICF Element Type (ICF_TYPE)

Here you can select the ICF elements (virtual host, service/internal alias, external alias) you want the authorization to apply to.

Example

You want to grant a user the authorization to create, change, and delete services on the host myhost and under the path /sap/bc. To do this, you need to specify the following:

| Element | PARGUID | NODGUID |
|---|---|---|
| myhost | 00815 | 00816 |
| sap | 00816 | 00817 |
| bc | 00817 | 00818 |
| service_new | 00818 | 00819 |

This service needs to be created; the NODGUID is unknown until this service exists.

1. The user wants to create a new host (myhost). The user also wants to be able to change and delete this host.

| ACTVT | ICF_HOST | ICF_TYPE |
|---|---|---|
| 01, 02, 03 | myhost | Host |

2. The user wants to create a new service (service_new) (the NODGUID of the new service is not yet known):

When you make this setting, you enable multiple services or entire subtrees to be created under the path /sap/bc.

| ACTVT | ICF_HOST | ICF_NODE | ICF_TYPE |
|---|---|---|---|
| 01 | myhost | 00818 | Node |

3. The new service (service_new) has been created. The user must only be allowed to change or delete this service.

| ACTVT | ICF_HOST | ICF_NODE | ICF_TYPE |
|---|---|---|---|
| 02, 06 | myhost | 00819 | Node |

4. If you want to allow the user to change and delete any services under /sap/bc, enter the NODGUID of bc (here, 00818) instead of 00819.

If you want the authorization to apply to all elements below the path /sap, enter 00817 for the service.

| ACTVT | ICF_HOST | ICF_NODE | ICF_TYPE |
|---|---|---|---|
| 02, 06 | myhost | 00818 | Node |
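
The following added example (not SAP code and not part of the original documentation) models the hierarchy rule from the Integration section on the example tree above, so that a role reviewer can see which elements a given ICF_NODE value reaches. The dictionary layout and the function names guid_chain, is_allowed and scope are assumptions made for illustration; the model treats an ICF_NODE value as covering the node with that NODGUID and every element below it.

```python
# Simplified model of the S_ICF_ADM hierarchy rule; not SAP's implementation.
# Element name -> (PARGUID, NODGUID), copied from the example table on this page.
TREE = {
    "myhost":      ("00815", "00816"),
    "sap":         ("00816", "00817"),
    "bc":          ("00817", "00818"),
    "service_new": ("00818", "00819"),
}
# NODGUID -> PARGUID, used to walk from an element up to the virtual host.
PARENT_OF = {nod: par for par, nod in TREE.values()}


def guid_chain(guid):
    """GUID of the element plus the GUIDs of all nodes above it.

    For an element that does not exist yet, pass its PARGUID instead,
    because its own NODGUID is not generated until it is created.
    """
    chain = []
    while guid in PARENT_OF:
        chain.append(guid)
        guid = PARENT_OF[guid]
    return chain


def is_allowed(auth, actvt, host, icf_type, guid):
    """True if the authorization covers this activity on this element."""
    return (actvt in auth["ACTVT"]
            and host == auth["ICF_HOST"]
            and icf_type == auth["ICF_TYPE"]
            and auth["ICF_NODE"] in guid_chain(guid))


def scope(auth):
    """Names of existing elements reached by the authorization's ICF_NODE value."""
    return sorted(name for name, (_, nod) in TREE.items()
                  if auth["ICF_NODE"] in guid_chain(nod))


# Authorizations from steps 2 to 4 of the example, plus the /sap variant.
BASE = {"ICF_HOST": "myhost", "ICF_TYPE": "Node"}
STEP2 = dict(BASE, ACTVT={"01"}, ICF_NODE="00818")
STEP3 = dict(BASE, ACTVT={"02", "06"}, ICF_NODE="00819")
STEP4 = dict(BASE, ACTVT={"02", "06"}, ICF_NODE="00818")
SAP_WIDE = dict(BASE, ACTVT={"02", "06"}, ICF_NODE="00817")

if __name__ == "__main__":
    for label, auth in [("step 3", STEP3), ("step 4", STEP4), ("/sap", SAP_WIDE)]:
        print(label, "reaches", scope(auth))
```

Comparing scope(STEP3) with scope(SAP_WIDE) shows how moving ICF_NODE one or two levels up the tree widens change and delete rights from a single service to the whole /sap subtree.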