SAP Adapter 3.6: [B2BSERV.0084.9004] Access Denied

Hi,

I’m running SAP Adapter 3.6 on webMethods B2B server 4.02 to interface to SAP R/3 4.6c

I have been able to setup WM with the SAP server, listener and verified the connection is working. Similarly in SAP, using transaction SM59, I am able to test that RFC destination is OK.

However, when trying to outbound an IDoc from SAP to WM Routing Manager, there’s no response from WM. I’ve verified that the routing entry is setup correctly in WM.

Using SM58 to check the TRFC status, I note that there’s an error generated from the WM server:

[B2BSERV.0084.9004] Access Denied

However when I use SAP Business Connector 4.6 to do the same, there’s no such problem. A routing entry is created in WM automatically and once I fill up the incomplete entry, the IDoc is routed to my XML destination.

Anyone can offer any clues as to what the problem is?

Thanks.

We had similar problem, This problem comes because of ACL settings. The SAP adapter forwards transaction to WmPartner routing rule with default user as ‘SAPUser’. But your B2B 4.0.2 will not be having the user by default, you have to create this user and set appropriate group , And make sure SAPUser have access to execute your flow service.

I think this problem doesn’t raise when you use SAP4.01 adapter.

hope this hint helps you.

Hi umashanker,

Thanks for the tip but unfortunately the same problem remains.

I’ve created a new user ‘SAPUser’ with no password and assigned to a newly created group ‘SAPGroup’. I’ve created a new ACL ‘SAP’ with ‘SAPGroup’ in this ACL.

I’ve finally changed the ACL Control for the routing rule to use the ACL ‘SAP’. I’ve verified using the B2B integrator that the particular service in question wm.PartnerMgr.flows.SENDER.RECEIVER:MESSAGE uses the ACL ‘SAP’. “Enforce ACL on internal invokes” is set to off (default).

Am I missing something? Please advise.

Thanks!

Hi,
I am getting a similar error at my end. Here is the exact background to the problem.

We have WebMethods IS 4.6 running that connects to our SAP R/3 system using the SAP Adapter. ( Webmethods is on a linux platform and SAP R/3 runs on HP UNIX).

We have configured IDOCs to be posted from SAP to our IS through the SAP Adapter and vice versa.

The IDOCs coming into SAP go through without any issue. But the IDOCs that are sent to the Adapter are creating a major issue. We are posting the IDOCs using the FM “IDOC_INBOUND_ASYNCHRONOUS”. The partner profile has been configured to post the IDOCs immediately to the adapter. All the relevant routing rules have been created and they are active.

The problem i am facing is that my tRFC queue is building up for the outbound IDOCs in SAP. When i execute the same using SM58 - Execute LUW (F6), i am getting the following error.

RfcAbort: CheckTID fault: [B2BSERV.0084.90 Access Denied

But after some time and repeated attempts, these entries in the queue get executed. Moreover there are a lot of jobs of the type ARFC: that are in the released state when i check the transaction SM37. These take a lot of time to finish and are hogging my background job processes at SAP end. The system setting for the SM58 transaction is set to check and execute any error/unprocessed LUW once every 15 mins for 30 tries.
As suggested in one of the threads, i checked the ACL for the service
“wm.PartnerMgr.gateway.transport.ALE:InboundProcess”. It is set to SAPUsers.
I also added another user SAPUSERS in the IS and assigned it to the Administrator and SAPUsers group (The SAPUsers ACL is assigned to both these groups).
We have one SAP listener running with 16 threads. I have one doubt regarding this. When i go to the SAP listener settings tab on the IS admin screen, i see that the Threads column is split into 2 with 2 entries in it namely 0/4 and 16/16. (The column next to the Started? column which has the green light). WHAT DO THESE TWO ENTRIES MEAN? does it mean that all 16 threads are active? and what does this number 0/4 mean?

We send more than 1000 IDOCs out to the Adapter everyday. The size of these IDOCs are very small 5-6KB and these background jobs that get scheduled get completed within a second or two. But the problem is with the number of background jobs that get scheduled everyday.

Could you please help me out with this error message that i get in SM58? If it is with respect to authorization, the IDOCs should not pass through to Webmethods at all, but they are going through after some 3-4 attempts. What could be the reason for this? Please help me out.

I checked the threads that are on this forum for help and i was not able to solve the issue even after reading the same.

Hi,

I have seen two situation (on sap adapter 4.6) where a access denied error is thrown.

  1. If SAP sends IDOCS with a username which is also configured at webMethods side, the username is inherited from SAP, in this case you have to be careful to add those usernames to the SAPusers group so they are allowed to access the partner manager.

  2. After configuring the SAP adapter to write to a database, all outbound traffic is denied access. OK workaround is to add the SAPuser to the Administrators group. This is because for some, still not discovered reason, the partnermanager executes (under some circumstances) wm.PartnerMgr.xtn:get which has execute ACL only for Administrators

Regards

Dave Walschot
Accenture Technology Solutions

Just change the ACL on the wm.PartnerMgr.xtn:get to SAPUsers.

There is some discussion of this topic in the Security Best Practices document for the SAP Adapter. See Best Practices->Product Security Information

Hi Bradley,

Thanks for the tip, but wm.PartnerMgr.xtn:get has a WmPrivate Write ACL which prevents changes to it.