Authorization controls in SAP Restful application programming Precheck, Instance and Global authorization

To define which consumers are allowed to read or change the data of a business object, and under which circumstances, RAP offers an authorization concept that lets application developers restrict access to the business object.


Note: We are adding authorization control to an already created RAP managed application; please refer to this link, where we designed the whole application.


Precheck

With a precheck implementation we can check the incoming values and deny the request before the data reaches the transactional buffer.



The precheck method is called at runtime before the assigned modify operation and removes from the modifying request all input for which the condition in the precheck is not fulfilled.



Depending on the use case, you can define a precheck for the operation in the BO layer or in the projection layer.


It is also possible to define one in both layers.


We are creating a precheck on the update operation. A precheck on the create operation is possible as well, provided the key field information is supplied by the user.


We have only implemented the update precheck method.




We need to define the precheck_update and precheck_create methods (use the quick fix option).


Note: We have only implemented the precheck_update method to demonstrate the concept.


Likewise, we can create the precheck_create method.


The precheck methods are added to the behavior implementation class.




Let's check the signature of the method.





Let's implement the precheck_update method to prevent the user from updating the ship status field to D (Delivered).




  METHOD precheck_update.
    " Reject every update that tries to set the ship status to 'D' (Delivered).
    LOOP AT entities ASSIGNING FIELD-SYMBOL(<fs_entities>).
      IF <fs_entities>-ShipStatus = 'D'.
        " Mark the instance as failed so the update is discarded before it
        " reaches the transactional buffer ...
        APPEND VALUE #( %key    = <fs_entities>-%key
                        %update = if_abap_behv=>mk-on ) TO failed-zi_header_info.
        " ... and return an error message to the frontend, pointing at the field.
        APPEND VALUE #( %key    = <fs_entities>-%key
                        %msg    = new_message_with_text(
                                    severity = if_abap_behv_message=>severity-error
                                    text     = 'Order cannot be updated to status "DELIVERED"' )
                        %update = if_abap_behv=>mk-on
                        %element-ShipStatus = if_abap_behv=>mk-on ) TO reported-zi_header_info.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.


The user cannot update the ship status field to D.


Let's open the application preview and try updating the ship status field to D.


As of now, the ship status is A.



We will change it to "D" and save.


Let's try to save the changes.


The error message from the precheck_update method is displayed.

Error message screen








Instance Authorization


Instance authorization is used for all authorization checks that, in addition to the user role, depend on the state of the entity instance in question.


With instance authorization, we can define an authorization that depends on a field value of the instance.


To create instance-based authorization we start by specifying the instance-based authorization master in the behavior definition.



Instance authorization master


Use the quick fix (CTRL+1) to generate the instance authorization method in the behavior implementation class.



Instance authorization method in Implementation class


Check the method parameters for a better understanding.




keys - holds the keys of the instances selected in the UI

requested_authorizations - the type of operation performed by the user (update/delete)

result - holds the authorization result (auth-unauthorized, auth-authorized)


To demonstrate instance-based authorization, we simply restrict the user from deleting records.

In a real-world case, we can restrict or allow the user based on the data selected in the UI.


Let's implement the instance authorization method.



CLASS lhc_zi_header_info DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.

    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR zi_header_info RESULT result.

ENDCLASS.

CLASS lhc_zi_header_info IMPLEMENTATION.

  METHOD get_instance_authorizations.
    LOOP AT keys ASSIGNING FIELD-SYMBOL(<fs_keys>).
      IF requested_authorizations-%update = if_abap_behv=>mk-on.
        " Nothing is appended to result, so the update goes through (as in the demo).
      ELSEIF requested_authorizations-%delete = if_abap_behv=>mk-on.
        " Deny the delete for this instance ...
        APPEND VALUE #( %tky    = <fs_keys>-%tky
                        %delete = if_abap_behv=>auth-unauthorized ) TO result.
        " ... and report the reason against the same instance key.
        APPEND VALUE #( %tky = <fs_keys>-%tky
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = 'No Authorization to delete!!!' )
                      ) TO reported-zi_header_info.
      ELSEIF requested_authorizations-%action-Edit = if_abap_behv=>mk-on.
        " The Edit action (draft) is left authorized as well.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

ENDCLASS.


Here we check whether the user is performing a delete operation; if so, we deny it and notify the user with an unauthorized message.


Let's execute the application preview and try to delete a record.


User has performed the delete operation


Unauthorized message displayed
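The demo above denies every delete. As an added example (not the article's code) of the "real-world case" mentioned earlier, the following variant reads the current state of the selected instances from the business object and denies the delete only for orders whose ShipStatus is 'D' (Delivered); zi_header_info and ShipStatus are the names from this article, and the message text is made up here.

```abap
  METHOD get_instance_authorizations.
    " Added example: instance authorization driven by the entity state.
    " Only act when a delete authorization is actually being requested.
    CHECK requested_authorizations-%delete = if_abap_behv=>mk-on.

    " Read the state from the BO itself instead of trusting a value sent by the UI;
    " instances that cannot be read end up in FAILED and get no result entry.
    READ ENTITIES OF zi_header_info IN LOCAL MODE
      ENTITY zi_header_info
        FIELDS ( ShipStatus )
        WITH CORRESPONDING #( keys )
      RESULT DATA(lt_headers)
      FAILED failed.

    LOOP AT lt_headers ASSIGNING FIELD-SYMBOL(<ls_header>).
      IF <ls_header>-ShipStatus = 'D'.
        " Delivered orders must not be deleted: deny and explain.
        APPEND VALUE #( %tky    = <ls_header>-%tky
                        %delete = if_abap_behv=>auth-unauthorized ) TO result.
        APPEND VALUE #( %tky = <ls_header>-%tky
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = 'Delivered orders cannot be deleted' )
                      ) TO reported-zi_header_info.
      ELSE.
        " Every other status may be deleted; state the decision explicitly.
        APPEND VALUE #( %tky    = <ls_header>-%tky
                        %delete = if_abap_behv=>auth-allowed ) TO result.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
```

Because the decision is taken per instance, a multi-select delete in the list report removes the open orders and reports an error only for the delivered ones.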



Global Authorization


The implementation of global authorization is the same as the implementation of instance authorization.


Global authorization can restrict the user on the create, update and delete operations.


To create global authorization, we need to mark the authorization master as global in the behavior definition and create the global authorization method (use the quick fix option) in the behavior implementation class.





Use the quick fix option to create the global authorization method in the implementation class.



Global authorization method added in implementation class



Check the parameters of the global authorization method.



Unlike instance authorization, we don't have the keys (the data selected by the user) in global authorization.


We only have the requested_authorizations parameter, which holds the action (CREATE, UPDATE, DELETE) performed by the user.


Hence we can only restrict the user on the overall action. If we need to check the data and restrict individual instances, instance-based authorization is the right choice.


Since we don't have any authorization object available to check the user's authorization, we simply restrict the user from creating records for demonstration purposes.





  METHOD get_global_authorizations.
    IF requested_authorizations-%create = if_abap_behv=>mk-on.
      " Deny create for everyone (demo only: no authorization object is checked).
      result-%create = if_abap_behv=>auth-unauthorized.
      " Global authorization has no instance keys, so the message carries no %tky.
      APPEND VALUE #( %msg = new_message_with_text(
                               severity = if_abap_behv_message=>severity-error
                               text     = 'No Authorization to create!!!' )
                    ) TO reported-zi_header_info.
    ENDIF.
    IF requested_authorizations-%update = if_abap_behv=>mk-on.
      " Update is left authorized: no result is set for it.
    ENDIF.
  ENDMETHOD.



Let's execute the application preview and try to create a record.


Unauthorized message on Create Operation
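The demo denies create unconditionally because no authorization object exists for the application. As an added example (not the article's code), here is how the same global method would look once a classic authorization object is available: Z_HDR_INFO with the standard field ACTVT is an assumed placeholder (created in SU21 and assigned through a PFCG role); activity codes 01, 02 and 06 are the standard values for create, change and delete.

```abap
  METHOD get_global_authorizations.
    " Added example: decide each requested operation with AUTHORITY-CHECK.
    " Z_HDR_INFO is a placeholder authorization object; ACTVT is its activity field.
    IF requested_authorizations-%create = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'Z_HDR_INFO' ID 'ACTVT' FIELD '01'.   " 01 = create
      IF sy-subrc = 0.
        result-%create = if_abap_behv=>auth-allowed.
      ELSE.
        result-%create = if_abap_behv=>auth-unauthorized.
        " No %tky here: global authorization is not tied to an instance.
        APPEND VALUE #( %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = 'No authorization to create orders' )
                      ) TO reported-zi_header_info.
      ENDIF.
    ENDIF.

    IF requested_authorizations-%update = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'Z_HDR_INFO' ID 'ACTVT' FIELD '02'.   " 02 = change
      result-%update = COND #( WHEN sy-subrc = 0
                               THEN if_abap_behv=>auth-allowed
                               ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.

    IF requested_authorizations-%delete = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'Z_HDR_INFO' ID 'ACTVT' FIELD '06'.   " 06 = delete
      result-%delete = COND #( WHEN sy-subrc = 0
                               THEN if_abap_behv=>auth-allowed
                               ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.
  ENDMETHOD.
```

The framework only sets the %create, %update and %delete flags that the current request needs, so each AUTHORITY-CHECK runs only when its operation is actually requested.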


These were some popular ways to secure our RAP-based application from unauthorized access.


Always refer to the SAP documentation for technical updates.


Thanks for reading!!


Venkat Bellana

SAP S4HANA | SAP ABAP | RAP | FIORI Elements | CDS | OData | Workflow | WRICEF | SAP BTP | EWM Technical

5 days ago

IF requested_authorizations-%create = if_abap_behv=>mk-on. The IF condition fails for the Static Action button in the Global Authorization method, at least in my app... How is it giving an error for you? It works for Update and Delete. Can you please explain, if possible?
