Solution : https://service.sap.com/sap/support/notes/1487606 (SAP Service marketplace login required)
Summary :
Unnecessary IDoc processing via HTTP or SOAP can occur when ICF services are activated without need and IDoc authorizations are not restrictive enough. The issue arises when either the "/sap/bc/IDoc_XML" or the "/sap/bc/srt/IDoc" service is enabled in SICF while users possess broad authorizations. This poses a risk, particularly in internet or intranet scenarios. To mitigate, evaluate whether these services are needed in your environment. If they are not, deactivate them via SICF. Monitor their usage via the ICMan server logs in transaction "SMICM". Ensure that user authorizations in the software solutions that use these services are appropriately constrained. Additionally, restrict inbound IDocs using the authorization object B_ALE_RECV and its associated settings.
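To support the usage check before deactivating the services, the following added example (not part of the SAP note) summarizes requests to the two IDoc services from an HTTP access log. It assumes the ICM log is written in Common Log Format and exported as text, and that service paths are matched case-insensitively; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The two ICF services named in the summary, compared in lower case (assumption).
IDOC_SERVICES = ("/sap/bc/idoc_xml", "/sap/bc/srt/idoc")

# Assumed Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample log lines, for illustration only.
SAMPLE_LOG = [
    '10.0.0.5 - ALEUSER [12/Mar/2024:10:15:01 +0100] "POST /sap/bc/IDoc_XML?sap-client=100 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:16:40 +0100] "POST /sap/bc/srt/IDoc HTTP/1.1" 401 0',
    '10.0.0.5 - ALEUSER [12/Mar/2024:10:17:02 +0100] "GET /sap/bc/ping HTTP/1.1" 200 15',
    '192.0.2.44 - - [12/Mar/2024:10:18:30 +0100] "POST /sap/bc/idoc_xml/ HTTP/1.1" 403 0',
    '10.0.0.7 - DEV1 [12/Mar/2024:10:19:11 +0100] "GET /sap/bc/idoc_xml_test HTTP/1.1" 404 0',
]

def matched_service(target):
    """Return the IDoc service a request target addresses, or None."""
    path = unquote(target.split("?", 1)[0]).lower()   # drop query, decode %xx
    path = re.sub(r"/+", "/", path).rstrip("/")       # normalize slashes
    for svc in IDOC_SERVICES:
        if path == svc or path.startswith(svc + "/"):  # exact node or sub-path
            return svc
    return None

def summarize(lines):
    """Per service: hit count, client hosts, logged users, status codes."""
    report = defaultdict(lambda: {"hits": 0, "clients": set(), "users": set(), "statuses": set()})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        host, user, target, status = m.groups()
        svc = matched_service(target)
        if svc is None:
            continue
        entry = report[svc]
        entry["hits"] += 1
        entry["clients"].add(host)
        entry["users"].add(user)
        entry["statuses"].add(int(status))
    return dict(report)

if __name__ == "__main__":
    for svc, e in summarize(SAMPLE_LOG).items():
        print(svc, e["hits"], sorted(e["clients"]), sorted(e["users"]), sorted(e["statuses"]))
```

A service with no hits over a representative period is a candidate for deactivation in SICF; hits from unexpected clients or users point to authorizations that should be reviewed.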
Key words :
/saphelp_webas620/helpdata/de/73/b5f99d019f11d5991400508b6b8b11/content, /saphelp_webas620/helpdata/en/73/b5f99d019f11d5991400508b6b8b11/content, additional application-specific authorization checks, application function modules assigned, simple object access protocol, internal user performs processing, symptom idoc inbound processing, http idoc inbound processing, idoc data takes place, /sap/bc/srt/idoc
Related Notes :
1504652 | |
1487928 | Authorization check in HTTP IDoc inbound processing |
1394100 | Security note: Access to RFC-enabled modules via SOAP |
1394093 | Collective Security Note |
626073 | Unreleased Internet Communication Framework services |
93254 | RFC short dump RFC_NO_AUTHORITY |
40689 | |