Configure the subscribers to subscribe specific events only - for SAP Systems

swapnil_mahajan
swapnil_mahajan Member Posts: 41 ✭✭✭

How can Solace be configured to ensure that published events are delivered only to explicitly defined subscribers, preventing unauthorized or unintended parties from receiving the messages?

From the above image I do have SAP Publisher and SAP subscribers. As per my understanding this can be achieved using:

  1. Add topic subscriptions in Queue
  2. Define proper topic topology to distinguish the topics
  3. Create an inbound Binding at SAP system with specific topic subscriptions to subscribe the specific events

I would like to check from the SAP side: when we configure an inbound binding, do we have the choice to add more than one topic subscription? Please feel free to correct me and help me with more information.

Answers

  • JamiesonWalker
    JamiesonWalker Member, Employee Posts: 3 Solace Employee

    Hello Swapnil,
    Based on my reading of your post you have 2 questions regarding Advanced Event Mesh.
    First: Can you control who has access to data flowing across the Advanced Event Mesh broker?

    1) Control who can access a queue. This is set inside a queue. You can specify a queue owner. The owner will be a client username that is provisioned on the broker. Then you can manage the access of non-owner users to the queue. If you set it to no-access then only clients connected as the owner client username will be able to bind to and consume messages from the queue.
    https://help.pubsub.em.services.cloud.sap/Cloud/Broker-Manager/configuring-queues-broker-manager.htm?#configuring_message_delivery
    2) Control access to topics. This is managed with an ACL Profile. An ACL Profile controls a client username's ability to publish and subscribe to topics. These controls are constructed with allow exceptions (things a client username explicitly cannot access) or disallow exceptions (things that client usernames explicitly can access). You will use the AEM topic hierarchy with wildcards to specify these exceptions. You can read further here: https://help.pubsub.em.services.cloud.sap/Security/Granting-Clients-Access.htm

    Second: Can the SAP sm59 destination know if it can publish to a topic? *I am assuming based on other posts you have made that you are using SAP S4/Hana native eventing functionality.
    Basically no, the sm59 destination cannot know. It will receive an error if it tries to publish to a topic that an ACL rule prevents access to. However, you (or your AEM admins) will be in control of the ACL Profiles, so I recommend that you configure an ACL Profile for the client username supplied to your sm59 destination that supports publishing of all messages you may wish to expose from S4.

    -Jamieson
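
The default-action-plus-exceptions model described in the answer above, as an added example that is not part of the original post and is not broker code: a simplified evaluator that reports which topics each client username could subscribe to. The client usernames, topic hierarchy and dictionary keys are constructed for illustration, and requested topics are assumed to be concrete strings without wildcards.

```python
# Simplified model of ACL Profile topic checks (added example, not broker code).
# Assumption: requested topics are concrete strings without wildcards.

def smf_match(pattern: str, topic: str) -> bool:
    """Match a concrete topic against an exception written with * and > wildcards."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == ">" and i == len(p) - 1:
            return len(t) > i              # '>' needs one or more remaining levels
        if i >= len(t):
            return False
        if level.endswith("*"):            # trailing '*' is a prefix match in one level
            if not t[i].startswith(level[:-1]):
                return False
        elif level != t[i]:
            return False
    return len(p) == len(t)

def acl_allows(default_action: str, exceptions: list, topic: str) -> bool:
    """Exceptions invert the default action for the topics they match."""
    hit = any(smf_match(e, topic) for e in exceptions)
    return hit if default_action == "disallow" else not hit

# Constructed sample data: hypothetical client usernames and topic hierarchy.
PROFILES = {
    "s4_sales_consumer": {"default": "disallow",
                          "exceptions": ["sap/s4/salesorder/>"]},
    "s4_finance_consumer": {"default": "disallow",
                            "exceptions": ["sap/s4/invoice/*/v1"]},
    "legacy_consumer": {"default": "allow", "exceptions": ["sap/s4/invoice/>"]},
}
TOPICS = ["sap/s4/salesorder/created/v1", "sap/s4/invoice/created/v1",
          "sap/s4/invoice/created/v2", "sap/s4/hr/employee/changed/v1"]

def audit(profiles: dict, topics: list) -> dict:
    """Per client username, the sample topics its profile lets it subscribe to."""
    return {user: [t for t in topics
                   if acl_allows(p["default"], p["exceptions"], t)]
            for user, p in profiles.items()}

def overbroad(profiles: dict) -> list:
    """Usernames whose subscribe default is 'allow': anything not listed gets through."""
    return sorted(u for u, p in profiles.items() if p["default"] == "allow")

if __name__ == "__main__":
    for user, allowed in audit(PROFILES, TOPICS).items():
        print(user, "->", allowed)
    print("default-allow profiles to review:", overbroad(PROFILES))
```
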

  • swapnil_mahajan
    swapnil_mahajan Member Posts: 41 ✭✭✭
    edited October 11 #3

    @JamiesonWalker Thanks for your reply. Unfortunately I am not looking for the information you provided. Let me ask in this way.

    I wanted to gain a better understanding of the inbound binding configuration on the SAP side. In the following screenshot, I noticed multiple topic subscriptions added for the channel. Does this mean that, to receive events from SAP AEM on the SAP side through the channel, we can subscribe to multiple topic subscriptions?

    Actually I would like to see how I can implement the below use case where the SAP Subscriber can receive only subscribed topics' events. If SAP Inbound binding supports multiple topic subscriptions with 1 channel then in my opinion it will satisfy my implementation.

    Feel free to correct/suggest

  • ChristianHoltfurth
    ChristianHoltfurth Member, Employee Posts: 75 Solace Employee

    Hi @swapnil_mahajan ,

    Not an expert on this topic, but I found this in the SAP documentation, which might help answer your question:

    https://help.sap.com/docs/abap-cloud/abap-development-tools-user-guide/creating-event-consumption-model?version=sap_btp

    Hope this helps!
    Christian

  • ChristianHoltfurth
    ChristianHoltfurth Member, Employee Posts: 75 Solace Employee

    Hi @swapnil_mahajan ,

    Looking at this in a bit more detail today, I was wondering what channel you are referring to?
    Do you mean AMQP channels or the channels in the AsyncAPI definition?

    Also, can you elaborate a bit more on your use case?
    A subscriber should only ever receive the messages for the topics that it is subscribed to. Why would you think otherwise?
    Who are your different subscribers in your diagram?

    Isn't this all the same S/4HANA system?