Introduction of new authorizations in Web Service Framework
Symptom
When you configure Web service (WS) consumer and provider objects, you notice (for example, when you use transaction SOAMANAGER) that the current SAP user does not have sufficient authorization to execute the relevant operation.
The system issues a message, such as: “Not authorized [auth.obj=..., object=..., activity=..., reason=...]”.
This message may contain one of the following reasons why the authorization check failed:
1. “No authorization found”: The current SAP user account does not have any authorization assigned to the specified authorization object.
2. “Authorization found with different values”: The current SAP user account has an authorization for the specified authorization object, but with different values.
Other terms
Web service configuration
Web service authorization check
SOAMANAGER
WSCONFIG
WSADMIN
LPCONFIG
SAP_BC_WEBSERVICE_ADMIN_TEC
SAP_BC_WEBSERVICE_CONFIGURATOR
SAP_BC_WEBSERVICE_OBSERVER
SAP_BC_WEBSERVICE_ADMIN_BIZ
Reason and Prerequisites
Beginning with the following SAP NetWeaver releases or Support Packages, new and more accurate authorization checks were introduced for the configuration in the WS environment:
SAP NetWeaver 7.03
SAP NetWeaver 7.30
SAP NetWeaver 7.02, Support Package 1
SAP NetWeaver 7.2L
SAP NetWeaver 7.20
The background is that new objects were introduced in the WS configuration framework, and these objects required suitable protection.
The authorization checks previously used in the specified code lines are mainly based on objects from the areas Internet Communication Framework (ICF) services and HTTP destinations. They are not sufficient for more precisely coordinated authorization checks in the WS environment.
Solution
The following authorization roles were enhanced to support you in assigning suitable authorizations to SAP user accounts:
SAP_BC_WEBSERVICE_ADMIN_TEC, SAP_BC_WEBSERVICE_CONFIGURATOR: These roles contain all of the new authorizations in the WS area and are intended for users who administer this area.
SAP_BC_WEBSERVICE_OBSERVER, SAP_BC_WEBSERVICE_ADMIN_BIZ: These roles were enhanced with all of the new display authorizations and are intended for users who are to display, but not change, configuration objects in the WS area.
Note that these roles may already be available in your client in an old version. In this case, you can update these roles with the newest version (see the attachment to this note).
You can use transaction PFCG to display the authorizations stored in this role to check whether the existing role in your client is the new version or still the old version of the role. It is the new version of the role if it contains authorizations for the following authorization objects: S_SRT_CF_C, S_SRT_CF_P, S_SRT_DEST, S_SRT_LRD, S_SRT_PROF, S_SRT_SCEN, S_SRT_TYPE, S_SRT_UACC, and S_SRT_UASG.
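The following Python sketch is an added example, not part of the original note or of any SAP tool. It parses the "Not authorized [...]" message described under Symptom and checks a role listing against the nine authorization objects named above. The two-column CSV layout (role, object), the function names, and all sample values are assumptions constructed for illustration.

```python
import csv
import io
import re

# Authorization objects the note lists as marking the new role version.
NEW_WS_OBJECTS = frozenset({
    "S_SRT_CF_C", "S_SRT_CF_P", "S_SRT_DEST", "S_SRT_LRD", "S_SRT_PROF",
    "S_SRT_SCEN", "S_SRT_TYPE", "S_SRT_UACC", "S_SRT_UASG",
})
# key=value pairs inside the brackets; a value runs up to the next ", key=".
FIELD_RE = re.compile(r"([\w.]+)=(.*?)(?=,\s*[\w.]+=|$)")

def parse_denial(message):
    """Return the fields of a 'Not authorized [...]' message, or None."""
    m = re.search(r"Not authorized \[([^\]]*)\]", message)
    if m is None:
        return None
    return {k: v.strip() for k, v in FIELD_RE.findall(m.group(1))}

def missing_ws_objects(listing_csv):
    """Map each role in a role,object CSV to the new WS objects it lacks."""
    held = {}
    for row in csv.DictReader(io.StringIO(listing_csv)):
        held.setdefault(row["role"].strip(), set()).add(row["object"].strip())
    return {role: sorted(NEW_WS_OBJECTS - objs) for role, objs in held.items()}

def triage(message, listing_csv):
    """Turn one denial plus the user's role listing into a next step."""
    denial = parse_denial(message)
    if denial is None:
        return "not a WS authorization message"
    obj, reason = denial.get("auth.obj", ""), denial.get("reason", "")
    missing = missing_ws_objects(listing_csv)
    outdated = sorted(r for r, miss in missing.items() if obj in miss)
    if reason == "No authorization found":
        if outdated:
            return f"{obj} absent from old-version role(s): {', '.join(outdated)}"
        return f"{obj} is in the listed roles; run the PFCG user comparison"
    if reason == "Authorization found with different values":
        return (f"{obj} is assigned, but not with object={denial.get('object')}, "
                f"activity={denial.get('activity')}")
    return f"unrecognised reason for {obj}"

# Constructed sample data: the listing and the message values are illustrative.
SAMPLE_LISTING = """role,object
SAP_BC_WEBSERVICE_OBSERVER,S_SRT_CF_C
SAP_BC_WEBSERVICE_OBSERVER,S_SRT_DEST
"""
SAMPLE_MESSAGE = ("Not authorized [auth.obj=S_SRT_PROF, object=ZEXAMPLE, "
                  "activity=03, reason=No authorization found]")
print(triage(SAMPLE_MESSAGE, SAMPLE_LISTING))
```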
For the SAP users who work in the WS environment, implement the authorization role that suits them, or adjust the individual authorizations contained in the role to your requirements in your own authorization roles. If you have already assigned these roles to user accounts, use transaction PFCG to carry out a comparison. You can use the specified roles as copy templates or authorization models.
The roles contain all of the authorizations that are required for the WS configuration using transaction SOAMANAGER and transactions WSCONFIG, WSADMIN, and LPCONFIG (the latter transactions are from the SAP NetWeaver 6.40 environment).
If the roles are currently not available in your system, you can download them from the attachment to this note to a local directory, unpack them, and import them using transaction PFCG.
Proceed as follows to upload the profiles:
1. Log on to the SAP client in which you want to use the roles.
2. Call transaction PFCG.
3. In the menu, choose “Role -> Upload”, select the relevant decompressed file, and start the upload.