SOA Authorization for Web Services Built into Enterprise Applications

Companies need to implement SOA authorization to control use of the built-in Web services offered by enterprise applications. Otherwise, many application users may have unauthorized access to services, causing capacity as well as security problems.

Increasingly, ERP, MRP, CRM and other enterprise applications, such as SAP, Microsoft, and Salesforce.com, come with built-in Web services. These services can benefit organizations that buy these packages, but they can also present distinct Web services management challenges, especially because enterprise application users find these Web services so attractive and easy to use.

Worst Practice: Ignoring the Need for SOA Authorization of Built-in Web Services

PC MicroCenters, a regional computer and electronics retail chain, upgraded its SAP software to include the new Web services offering. In the past, IT had strictly controlled SAP, assigning business users the access that IT deemed manageable and appropriate. Not surprisingly, IT took the same approach with the new Web services—authorizing defined sets of IT users and doing capacity planning based on that narrow group of people.

However, IT had failed to take a new reality of Web services into consideration. Unlike traditional application environments—which can prevent a user from accessing an entire application or selected capabilities based on that user's identity—the built-in SAP Web services were entirely visible and accessible to every business user on the company network who had an SAP login and password.

A number of analysts found some attractive Web services features, including the ability to do mass downloads of data to Excel (for reviewing weekly sales, shipping, commissions, and pricing information). In a number of cases, SAP crashed as a result of the unplanned load on the system, until IT finally located the analysts and ended their access, however well-intentioned it was.

Best Practice: A Comprehensive SOA Management Solution—Including SOA Authorization

The big-name packaged applications embedded in corporate networks around the globe now offer built-in SOA. This opens the door for rogue Web services. As the example above shows, even registered services can be used by consumers who aren't properly vetted. This can cause security problems, exposing sensitive information such as Social Security or credit card numbers. It also can put an unexpected load on services.

Consequently, IT organizations have to be ready with an SOA management solution that includes SOA authorization and security policy enforcement capabilities able to immediately detect and stop rogue services.

Progress Actional SOA management products provide automated SOA governance enforcement in the runtime environment that addresses the SOA authorization requirements of all Web services, including those built into packaged applications. Actional:

  • Provides robust SOA security, including authorization, authentication, identity management integration, encryption and digital signatures, and application security integration.
  • Immediately detects the activity of all services, both consumers and producers, whether or not they are registered, and automatically shuts down unauthorized or "rogue Web service" use.
  • Offers easy integration with numerous security, application management infrastructure, and service endpoint technologies.
  • Facilitates assessment of future service and SOA management needs with historical reporting of past service usage and integration of third-party tools for capacity planning.
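The gap in the PC MicroCenters case is that a valid SAP login (authentication) was treated as permission to call every built-in Web service (authorization). The following is an added example, not code from this page or from Progress Actional, of a minimal policy enforcement point that makes the checks the bullets above describe: default-deny per-service authorization by role, refusal of consumers that are not in a registry, a per-window quota on bulk export operations, and an audit trail from which unregistered ("rogue") consumers can be reported. Every service name, role, consumer id and request in it is constructed for illustration.

```python
"""Minimal SOA policy enforcement point (PEP). All services, roles,
consumer ids and sample traffic below are constructed for this example;
they are not taken from SAP, Actional or any real deployment."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Operation = Tuple[str, str]  # (service name, operation name)

# Constructed policy: which roles may call which operation. Anything not
# listed is denied, unlike "every login can reach every service".
SERVICE_POLICY: Dict[Operation, Set[str]] = {
    ("SalesOrderService", "read"): {"sales_rep", "sales_manager"},
    ("SalesOrderService", "export_bulk"): {"sales_manager"},
    ("PricingService", "read"): {"sales_rep", "sales_manager", "pricing_admin"},
    ("CommissionService", "export_bulk"): {"finance_analyst"},
}

# Constructed registry of approved consumer applications.
REGISTERED_CONSUMERS: Set[str] = {"crm-sync", "finance-dashboard"}

# Constructed capacity limit: bulk exports allowed per consumer per time window.
BULK_QUOTA_PER_WINDOW = 3


@dataclass
class Request:
    user: str          # authenticated principal (authentication already done)
    roles: Set[str]    # roles the identity provider asserted for the user
    consumer: str      # calling application id presented with the message
    service: str
    operation: str
    window: int        # time bucket (e.g. minute number) used for quotas


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PolicyEnforcementPoint:
    policy: Dict[Operation, Set[str]]
    registered_consumers: Set[str]
    bulk_quota: int
    # bulk-export counters keyed by (consumer, window)
    _bulk_counts: Dict[Tuple[str, int], int] = field(
        default_factory=lambda: defaultdict(int))
    # every request and its decision, so usage can be reported afterwards
    audit: List[Tuple[Request, Decision]] = field(default_factory=list)

    def decide(self, req: Request) -> Decision:
        decision = self._evaluate(req)
        self.audit.append((req, decision))
        return decision

    def _evaluate(self, req: Request) -> Decision:
        # 1. Unregistered ("rogue") consumers are refused before anything else.
        if req.consumer not in self.registered_consumers:
            return Decision(False, f"unregistered consumer {req.consumer!r}")
        # 2. Operations with no policy entry are denied by default.
        allowed_roles = self.policy.get((req.service, req.operation))
        if allowed_roles is None:
            return Decision(False, "no policy for operation; default deny")
        # 3. Role-based authorization, separate from authentication.
        if not (req.roles & allowed_roles):
            return Decision(False, "role not permitted")
        # 4. Capacity protection: cap bulk exports per consumer per window.
        if req.operation == "export_bulk":
            key = (req.consumer, req.window)
            if self._bulk_counts[key] >= self.bulk_quota:
                return Decision(False, "bulk quota exceeded for window")
            self._bulk_counts[key] += 1
        return Decision(True, "authorized")

    def rogue_consumers(self) -> Set[str]:
        """Consumer ids seen in traffic that are not in the registry."""
        return {r.consumer for r, _ in self.audit
                if r.consumer not in self.registered_consumers}


# Constructed traffic modelled on the case: an analyst with a valid login
# pulling bulk data through an unregistered spreadsheet macro, a sales rep
# trying an export outside their role, a manager exceeding the bulk quota.
SAMPLE_TRAFFIC: List[Request] = [
    Request("analyst1", {"finance_analyst"}, "excel-macro", "SalesOrderService", "export_bulk", 1),
    Request("rep7", {"sales_rep"}, "crm-sync", "SalesOrderService", "read", 1),
    Request("rep7", {"sales_rep"}, "crm-sync", "SalesOrderService", "export_bulk", 1),
    Request("mgr2", {"sales_manager"}, "crm-sync", "SalesOrderService", "export_bulk", 1),
    Request("mgr2", {"sales_manager"}, "crm-sync", "SalesOrderService", "export_bulk", 1),
    Request("mgr2", {"sales_manager"}, "crm-sync", "SalesOrderService", "export_bulk", 1),
    Request("mgr2", {"sales_manager"}, "crm-sync", "SalesOrderService", "export_bulk", 1),
    Request("analyst1", {"finance_analyst"}, "finance-dashboard", "CommissionService", "export_bulk", 2),
    Request("analyst1", {"finance_analyst"}, "finance-dashboard", "PricingService", "export_bulk", 2),
]


def run_sample_traffic() -> Tuple[PolicyEnforcementPoint, List[Decision]]:
    """Push the constructed traffic through a fresh PEP and return both."""
    pep = PolicyEnforcementPoint(SERVICE_POLICY, REGISTERED_CONSUMERS, BULK_QUOTA_PER_WINDOW)
    return pep, [pep.decide(req) for req in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    pep, decisions = run_sample_traffic()
    for req, dec in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{req.user:9} {req.consumer:18} {req.service}.{req.operation:12} "
              f"{'ALLOW' if dec.allowed else 'DENY ':5} {dec.reason}")
    print("rogue consumers seen:", sorted(pep.rogue_consumers()))
```

The order of the checks matters for the audit trail: the registry check runs first so that an unregistered consumer is recorded as such even when the user behind it holds a permitted role, which is exactly the situation in the case above, where the analysts' logins were valid but the spreadsheet tooling calling the services had never been vetted or capacity-planned for.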

For More Information on SOA Authorization

To learn more about SOA authorization and the requirements for planning and implementing SOA governance, download "SOA Worst Practices Volume II: A Look at Governance."

Learn More about SOA Authorization

Find out how SOA authorization and other capabilities can help you ensure security and provide accurate capacity planning for the Web services built into your enterprise applications. Download the free white paper, "SOA Worst Practices Volume II: A Look At Governance," now.
