Generic Authorization Provider for Authority Check

SADL provides a generic authorization provider that the application can parameterize with the required authority check parameters. Use this condition provider when the application relies on the ABAP authority check concept but the business entity in use does not specify the authorization metadata.

Context

The SADL infrastructure provides the generic authorization provider class CL_SADL_COND_PROV_AUTH_OBJECTS for handling ABAP authority checks. This provider must be initialized before passing control to the SADL engine for query execution.

To use this class, perform the following steps:

Procedure

  1. Get an instance of this class using the condition provider factory.
    DATA(lo_provider) = cl_sadl_cond_prov_factory_pub=>create_for_authorization( ).
  2. Use the method add_authorization_for_object() for specifying the authorization objects to be checked.
    lo_provider->add_authorization_for_object(
      iv_authorization_object = 'S_EPM_BP'
      it_activities           = VALUE #( ( auth_field = 'ACTVT' value = '03' ) )
      it_field_mapping        = VALUE #( ( auth_field = 'EPM_BP_ID' view_field = 'MY_BP_ID' ) ) ).

    The add_authorization_for_object() method takes as input exactly one authorization object, a list of activity-like fields and their values that denote read authorizations, and a list of mappings between fields of the authorization object and attributes of the business entity. In this example, the mappings are between authorization fields and columns of the database view.

  3. If you need to check more than one authorization object, you can call the method add_authorization_for_object() multiple times.
    In this case, the resulting restrictions will be applied sequentially to the data selection (equivalent to an 'AND' between authorization objects). The result is that only the data that passes all authority checks will be returned.
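
The following added example (not part of the original documentation and not SAP's code) configures two authorization objects as in step 3, then builds a row-by-row reference result with explicit AUTHORITY-CHECK statements for cross-checking that only rows passing all checks are visible. The loop is a reference for the expected outcome, not a description of how SADL evaluates the restrictions internally. The view ZMY_BP_VIEW, its column MY_REGION, and the authorization object Z_EX_REGN with the fields ACTVT and ZEX_REGION are hypothetical.

```abap
" Added example. Hypothetical names: ZMY_BP_VIEW, MY_REGION, Z_EX_REGN,
" ZEX_REGION. All other names are taken from the procedure above.
DATA(lo_provider) = cl_sadl_cond_prov_factory_pub=>create_for_authorization( ).

lo_provider->add_authorization_for_object(
  iv_authorization_object = 'S_EPM_BP'
  it_activities           = VALUE #( ( auth_field = 'ACTVT' value = '03' ) )
  it_field_mapping        = VALUE #( ( auth_field = 'EPM_BP_ID' view_field = 'MY_BP_ID' ) ) ).

lo_provider->add_authorization_for_object(
  iv_authorization_object = 'Z_EX_REGN'
  it_activities           = VALUE #( ( auth_field = 'ACTVT' value = '03' ) )
  it_field_mapping        = VALUE #( ( auth_field = 'ZEX_REGION' view_field = 'MY_REGION' ) ) ).

" Reference result for the current user: a row is expected only if it
" passes the check for the first object AND the check for the second.
SELECT my_bp_id, my_region
  FROM zmy_bp_view
  INTO TABLE @DATA(lt_rows).

DATA lt_expected LIKE lt_rows.

LOOP AT lt_rows INTO DATA(ls_row).
  AUTHORITY-CHECK OBJECT 'S_EPM_BP'
    ID 'ACTVT'     FIELD '03'
    ID 'EPM_BP_ID' FIELD ls_row-my_bp_id.
  IF sy-subrc <> 0.
    CONTINUE.                 " fails the first object: row must not be returned
  ENDIF.

  AUTHORITY-CHECK OBJECT 'Z_EX_REGN'
    ID 'ACTVT'      FIELD '03'
    ID 'ZEX_REGION' FIELD ls_row-my_region.
  IF sy-subrc <> 0.
    CONTINUE.                 " fails the second object: row must not be returned
  ENDIF.

  APPEND ls_row TO lt_expected.
ENDLOOP.
```

Run the reference loop as a test user with restricted roles and compare lt_expected with the rows the SADL query returns for the same user. A row that appears in the query result but not in lt_expected points to a wrong field mapping or activity value in the provider setup.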