Data-Aware Authorization Provider for Authority-Check

Data-aware authorization providers are able to perform different checks depending on the content of the data. For example, an authorization check can be performed only if a specified data field is not initial, or different authorization objects can be used for different values in a database column.

Prerequisites

This feature is available since SAP NetWeaver 7.4 SP07.

Context

SADL provides a generic authorization provider that is data aware. This condition provider can be used if the application uses the ABAP authority check concept but the business entity in use does not specify the authorization metadata, and the business requirements additionally demand that the authorization check adapts to the actual data content, as described above.

This provider must be initialized before passing the control to the SADL engine for query execution.

In order to make use of this class, perform the following steps:

Procedure

  1. Get an instance of the data-aware condition provider.
    DATA(lo_provider) = cl_sadl_cond_prov_factory_pub=>create_for_constr_auths( ).
  2. Use the method add_authorization_conditions() to specify the authorization objects to be checked.

    For each authorization object, you should provide the conditions under which the check is to be performed. You can provide the condition as a table of named ranges using the constraints parameter.

    lo_provider->add_authorization_conditions( VALUE #(
        ( authorization_object = 'S_EPM_BP'
          activities    = VALUE #( ( auth_field = 'ACTVT' value = '03' ) )
          field_mapping = VALUE #( ( auth_field = 'EPM_BP_ID' view_field = 'MY_EPM_BP_ID' ) )
          constraints   = VALUE #( ( name  = 'BP_ROLE'
                                     range = VALUE #( ( option = 'EQ' low = '01' ) ) ) ) ) ) ).

    The add_authorization_conditions method takes as input a table of authorization objects with the respective activities, field mappings and constraints.

  3. Leaving the constraints empty has the result that the check is always executed. In this case, the data-aware condition provider behaves exactly like the generic authorization provider.
  4. Leaving the authorization object empty has the result that for the specified constraints no check is performed. In the following example, the authorization object S_EPM_BP is checked only if the database field BP_ROLE contains a non-initial value.
    lo_provider->add_authorization_conditions( VALUE #(
        ( constraints = VALUE #( ( name = 'BP_ROLE' range = VALUE #( ( option = 'EQ' low = '' ) ) ) ) )
        ( authorization_object = 'S_EPM_BP'
          constraints = VALUE #( ( name  = 'BP_ROLE'
                                   range = VALUE #( ( sign = 'E' option = 'EQ' low = '' ) ) ) ) ) ) ).
  5. If you need to check more than one authorization object, you can call the method add_authorization_conditions multiple times.
    In this case, the resulting restrictions will be applied sequentially to the data selection (equivalent to an 'AND' between authorization objects). The result is that only the data that passes all authority checks will be returned.
  6. If you need to check multiple authorization objects alternatively, depending on different values of the constraint, you will need to place the authorization objects into the same call to the add_authorization_conditions method. This is equivalent to an OR between authorization objects, whereby each check will only be performed if the constraints allow it.
    In the following example, the authorization object S_EPM_BP is checked for role '01' (Customer), and the authorization object S_EPM_PO is checked for role '02' (Supplier).
    lo_provider->add_authorization_conditions( VALUE #(
        ( authorization_object = 'S_EPM_BP'
          activities           = VALUE #( ( auth_field = 'ACTVT' value = '03' ) )
          constraints          = VALUE #( ( name  = 'MY_BP_ROLE'
                                            range = VALUE #( ( option = 'EQ' low = '01' ) ) ) ) )
        ( authorization_object = 'S_EPM_PO'
          activities           = VALUE #( ( auth_field = 'ACTVT' value = '03' ) )
          constraints          = VALUE #( ( name  = 'MY_BP_ROLE'
                                            range = VALUE #( ( option = 'EQ' low = '02' ) ) ) ) )
    ) ).
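The following is an added example, not code from the SAP documentation, showing how steps 4 to 6 combine in one provider: a single call carries the role-dependent alternatives (OR), and a second call adds a check that is applied on top of it for every row (AND). The view field names MY_BP_ROLE and MY_EPM_BP_ID are assumptions; the authorization objects are the ones used above.

```abap
" Added example (not from the SAP documentation). Assumed view fields:
" MY_BP_ROLE (business partner role) and MY_EPM_BP_ID (business partner ID).
DATA(lo_provider) = cl_sadl_cond_prov_factory_pub=>create_for_constr_auths( ).

" Call 1: alternatives within one call (OR between the entries).
"  - entry without authorization object: rows with an initial role are
"    not checked by this call (step 4)
"  - role '01' (Customer): S_EPM_BP, activity '03' (display), with the
"    EPM_BP_ID authorization field mapped to the BP ID column (step 2)
lo_provider->add_authorization_conditions( VALUE #(
    ( constraints          = VALUE #( ( name  = 'MY_BP_ROLE'
                                        range = VALUE #( ( option = 'EQ' low = '' ) ) ) ) )
    ( authorization_object = 'S_EPM_BP'
      activities           = VALUE #( ( auth_field = 'ACTVT' value = '03' ) )
      field_mapping        = VALUE #( ( auth_field = 'EPM_BP_ID' view_field = 'MY_EPM_BP_ID' ) )
      constraints          = VALUE #( ( name  = 'MY_BP_ROLE'
                                        range = VALUE #( ( option = 'EQ' low = '01' ) ) ) ) )
) ).

" Call 2: a separate call is applied sequentially (AND with call 1, step 5).
" No constraints, so S_EPM_PO display is always checked, exactly like the
" generic authorization provider (step 3).
lo_provider->add_authorization_conditions( VALUE #(
    ( authorization_object = 'S_EPM_PO'
      activities           = VALUE #( ( auth_field = 'ACTVT' value = '03' ) ) )
) ).

" Result: every returned row has passed the S_EPM_PO check; rows with
" MY_BP_ROLE = '01' have additionally passed S_EPM_BP on their BP ID,
" while rows with an initial MY_BP_ROLE were not checked by call 1.
" The provider must be initialized like this before the SADL query runs.
```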