Finding the (usob)Hash of a Core Data /OData Service Required for the Authorization Object S_SERVICE (parameter SRV_NAME)

Question

To access an OData web service that exposes data from a Core Data Service (CDS) in SAP R/3, a user needs has to have an authorization role assigned that contains the authorization object S_SERVICE.

The authorization object S_SERVICE requires two parameters:

1. the service type (SRV_TYPE) which is set to HT = "TADIR Object" in my case
2. the service hash (SRV_NAME).

Using the debugger I found out, that the function module AUTHORITY_CHECK_TADIR_SERVICE compares the hash from the S_SERVICE authorization object with the hash stored in a record of table usobhash:

I also found out, that function module AUTH_TRACE_CALC_HASH uses the data from the columns PGMID, OBJECT and OBJ_NAME in table usobhash as input to generate the hash which is then stored in column NAME.

So far, whenever I wanted to grant a user/role permission to access a OData service I needed to know this hash. To get the hash, I either checked the usobhash table or manually executed AUTH_TRACE_CALC_HASH and then entered the hash when I assigned the authorization object to an authorization role in transaction pfcg. I guess there has to be an easier, more "official" way to do this. My approach feels like a dirty workaround but I was unable to find any documentation about how to do it right.

tl;dr How do I set the S_SERVICE authorization object without either debugging AUTH_TRACE_CALC_HASH or searching for the relevant entry in usobhash?

Answer 1

1. Create a role with the Service in it. Therefore please create a new or choose an existing role in the transaction PFCG → (+ pushbutton).

2. Choose the object type "Authorization Default".

3. Choose "TADIR Service"; Choose object type IWSV or IWSG.

4. Use the F4 help to select your service.

5. Save the role.

6. Assign the role to user.