Web Service authorisation problem - urgent!!!

Hi all,

can anybody help me to resolve this issue?
I’ve created web service listener. I’ve created user, users group and ACL on IS and assigned this ACL to this flow(web service listener).

On development ad test server it works perfect.
But when I assign ACL on LIVE server different to Administrators ACL then authorisation doesn’t work!!! Every time I get ACCESS DENIED message

Do you have any idea where problem can be?

Thank you…

Sorry I forgot to write that I am using SAP BC 4.7.


By “web service listener” do you mean a custom soap processor or do you mean a Flow service that gets invoked when a soap message is sent to your server’s /soap/default or /soap/rpc URL’s?


Hi Mark,

I am using default soap processor…
Do I have to create custom SOAP processor and then assign ACL to this flow?



I have the impression that you’re trying to access your flow service through SOAP ?

Try to use browser and see if you can access the service/retrieve the wsdl.

If you have a problem where you get an IS login prompt, that probably is your problem. You can try by making your flow service that get invoked by SOAP as anonymous.



I am not if I understand you. When put link to the browser in format http://server:port/soap/default I can see this:

<?xml version="1.0" encoding="UTF-8" ?>

When customer sends me a message in SOAP envelope with username and password it works only for users under Administrators ACL.
Message is correctly processed and response is returned to customer.

I tried to assign to this flow(target flow on Developer with universal names) also Anonymous ACL but then customer gets ACCESS DENIED error message.
I get it too when I send message from my web service sender.

On test environment I can assign any ACL to my flow and it is working. there is no problem to authorise to this “flow”… I don’t understand why.

How can retrieve WSDL in browser?


No, the default soap processor will not require authentication to post a message to IS. The ACL of the service being invoked will control which users can invoke the service.

If you want to restrict the ability to post a soap message to IS or if the consumers of your services will be .Net clients, then you need to create an access-controled soap processor.

See Chapter 7 - Controlling Access To A SOAP Processor in the SOAP Develpoer’s Guide for more information on this topic.


KK, this would assume that he had create a WSDL and was hosting it in IS. In addition, the access to the static WSDL file would be controlled by a .access file and not (necessarily) by the same ACL as the service.

Unfortunately, IS does not provide a dynamic URL at which the WSDL for a service is made available. Yes, you can cobble together a long enough parameterized URL string to do this, but it’s beyond the ability (or at least patience) level of most developers.

Have I mentioned lately that the release schedule for updated IS web services capabilities is WAY TOO SLOW?


The error message means that you can’t invoke your web service using a browser.

Check the configuration of your ACL’s on your target box. The consumer must authenticate with IS using credentials (username and password) that are members of a group that is a member of the target ACL. If that user, group and ACL are not configured correctly you would get the access denied error.

Your service works as designed on Box A and Box B but not Box C. Therefore, something is different on Box C. Find it and you may find your issue.


Sorry but I still don’t understand how it is possible that when I assign to the target service Administrators ACL then customer is able to send message to our flow(web service listener) without any problems.
When I assign to this target flow other ACL(my own, example:Customer or Anonymous) customer is not able to authorise to this flow. He always gets ACCESS DENIED message.
Customer is using Apache-Axis and Java to send me SOAP envelope with username and password in header of the whole message.

Thanks .

How exactly are you passing the user id and password in the client call to your soap processor?
Could it be that you are having a challenge/response issue with your client in the production environment. If you read Chapter 8 of the webMethods SOAP Developers guide you will see that the default SOAP processors do not handle a challenge/response scenario unless you build an Access Controlled SOAP processor (not a difficult thing to do).