ABAP for Cloud Development
AS ABAP Release 914, ©Copyright 2024 SAP SE. All rights reserved.
RAP - Authorization
Syntax
... authorization master
( global )
( instance )
( global, instance )
authorization dependent by _Assoc ...
Description
Authorization control in RAP protects your business object against unauthorized access to data. Authorization control is defined in the entity behavior characteristics for each entity behavior definition separately and it must be implemented in the ABAP behavior pool. Different methods are available for implementing different types of authorization control.
RAP BO entities must be specified either as authorization master or authorization-dependent entities:
- RAP authorization master entities have their own authorization implementation in the ABAP behavior pool in the corresponding method for authorization (global or instance). The implementation is used when requesting access to the authorization master entity or to any of its authorization-dependent entities.
- RAP authorization dependent entities use the authorization control that is defined on the related authorization master entity. Authorization requests are delegated to the implementation of the authorization master entity. For update, delete, and create-by-association operations on an authorization-dependent entity, the authorization check for update of the authorization master entity is applied.
The following rules apply:
- Each RAP BO entity must be declared as an authorization master entity or as an authorization-dependent entity using the syntax authorization master ( ... ) or authorization dependent by _Assoc.
- The RAP BO root entity must be defined as an authorization master entity. All other RAP BO entities can be either authorization master or authorization-dependent entities.
- If the authorization master entity is not the parent entity of the authorization-dependent entity, the association to the authorization master entity must be explicitly defined in the entity behavior definition using the syntax association _AssocToAuthMaster { }.
- The authorization control that is defined for a RAP BO entity applies to all RAP BO operations of that entity. Authorization checks for individual RAP BO operations can be controlled with the RAP BO operation additions for authorization.
- In the following cases, the authorization control must be implemented in separate methods for authorization in the behavior pool of the authorization-dependent entity:
  - actions of authorization-dependent entities
  - create-enabled cross-BO associations
  - create-enabled associations that are not to-child associations
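A behavior definition that applies these rules, added here as an example (it is not code from the page or from SAP's sample content). The entity, table and association names are hypothetical: it assumes the CDS views ZI_Order, ZI_OrderItem and ZI_OrderItemNote expose the associations _Item, _Note, _Order and _Item, that the table field names match the CDS field names (so no mapping is needed), and that the behavior pool is zbp_i_order. The root is the authorization master, the child delegates with the syntax short form, and the grandchild, whose master is not its parent, declares the association to the master explicitly:

```abap
// Behavior definition ZI_Order (BDL source). Entity, table and association names
// are hypothetical; table fields are assumed to match the CDS field names.
managed implementation in class zbp_i_order unique;
strict ( 2 );

// Root entity: must be the authorization master. global and instance control are
// combined, so both FOR GLOBAL AUTHORIZATION and FOR INSTANCE AUTHORIZATION
// have to be implemented in zbp_i_order.
define behavior for ZI_Order alias Order
persistent table zorder
lock master
authorization master ( global, instance )
etag master LastChangedAt
{
  field ( numbering : managed, readonly ) OrderUuid;
  field ( readonly ) LastChangedAt;
  create;
  update;
  delete;
  association _Item { create; }
}

// Child entity: lock, authorization and ETag are delegated to the parent with the
// syntax short form. update, delete and create by association on an item are
// checked as an update of the order.
define behavior for ZI_OrderItem alias Item
persistent table zorderitem
( lock, authorization, etag ) dependent by _Order
{
  field ( readonly ) OrderUuid;
  field ( numbering : managed, readonly ) ItemUuid;
  update;
  delete;
  association _Order;
  association _Note { create; }
}

// Grandchild entity: the authorization master (Order) is not its parent (Item), so
// the association to the master must be declared explicitly in the entity
// behavior definition.
define behavior for ZI_OrderItemNote alias Note
persistent table zordernote
( lock, authorization, etag ) dependent by _Order
{
  field ( readonly ) OrderUuid, ItemUuid;
  field ( numbering : managed, readonly ) NoteUuid;
  update;
  delete;
  association _Item;
  association _Order;
}
```

Only the root carries an authorization implementation; every request against an item or a note is delegated to the Order handler methods. Without the explicit association _Order in the Note entity, the framework has no path from a note to its authorization master and the definition does not activate.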
The following types of authorization control are available:
global
- Limits access to data or the permission to perform certain operations for a complete RAP BO, independent of individual instances, for example, depending on user roles.
- Can be specified for the following operations of an entity: create, create by association, update, delete, static actions, instance actions.
- Must be implemented in the RAP handler method FOR GLOBAL AUTHORIZATION.
instance
- Authorization check that is dependent on the state of an entity instance.
- Can be specified for the following operations of an entity: create by association, update, delete, instance actions.
- Must be implemented in the RAP handler method FOR INSTANCE AUTHORIZATION.
global, instance
- Global and instance authorization control can be combined. In this case, instance-based operations are checked in the global and in the instance authority check. Both RAP handler methods, FOR GLOBAL AUTHORIZATION and FOR INSTANCE AUTHORIZATION, must be implemented. The checks are executed at different points in time during runtime.
Authorization checks can be implemented, for example, using authorization objects.
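The two handler methods for a root entity declared with authorization master ( global, instance ), as an added example (not code from the page or from SAP). It assumes a hypothetical authorization object ZORDER with the fields ACTVT and ZSALESORG, a behavior pool zbp_i_order for an entity ZI_Order with the alias Order, the fields SalesOrg and Status (with 'C' meaning completed), and a create-enabled association _Item. The global method answers the role-level question without any instance; the instance method reads the persisted state and answers per key, and treats create by association on _Item as an update of the master:

```abap
" Local handler class in behavior pool zbp_i_order (added example). Assumes the
" hypothetical authorization object ZORDER with fields ACTVT and ZSALESORG.
CLASS lhc_order DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS get_global_authorizations FOR GLOBAL AUTHORIZATION
      IMPORTING REQUEST requested_authorizations FOR Order RESULT result.

    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Order RESULT result.
ENDCLASS.

CLASS lhc_order IMPLEMENTATION.

  METHOD get_global_authorizations.
    " Role-level gate, independent of any instance: may this user create, change or
    " delete orders at all? Only the operations the framework asks for are checked;
    " the sales organization is deliberately left unrestricted here (DUMMY).
    IF requested_authorizations-%create = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'ZORDER' ID 'ACTVT' FIELD '01' ID 'ZSALESORG' DUMMY.
      result-%create = COND #( WHEN sy-subrc = 0 THEN if_abap_behv=>auth-allowed
                                                 ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.
    IF requested_authorizations-%update = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'ZORDER' ID 'ACTVT' FIELD '02' ID 'ZSALESORG' DUMMY.
      result-%update = COND #( WHEN sy-subrc = 0 THEN if_abap_behv=>auth-allowed
                                                 ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.
    IF requested_authorizations-%delete = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'ZORDER' ID 'ACTVT' FIELD '06' ID 'ZSALESORG' DUMMY.
      result-%delete = COND #( WHEN sy-subrc = 0 THEN if_abap_behv=>auth-allowed
                                                 ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.
  ENDMETHOD.

  METHOD get_instance_authorizations.
    " State-dependent gate: the decision needs the persisted SalesOrg and Status of
    " each requested instance. IN LOCAL MODE keeps this internal read from passing
    " through authorization control again.
    READ ENTITIES OF zi_order IN LOCAL MODE
      ENTITY Order
        FIELDS ( SalesOrg Status )
        WITH CORRESPONDING #( keys )
      RESULT DATA(orders)
      FAILED failed.

    LOOP AT orders INTO DATA(order).
      APPEND VALUE #( %tky = order-%tky ) TO result ASSIGNING FIELD-SYMBOL(<auth>).

      " Completed orders are frozen regardless of roles: deny every state-changing
      " operation, including create by association on _Item.
      IF order-Status = 'C'.
        <auth>-%update      = if_abap_behv=>auth-unauthorized.
        <auth>-%delete      = if_abap_behv=>auth-unauthorized.
        <auth>-%assoc-_Item = if_abap_behv=>auth-unauthorized.
        CONTINUE.
      ENDIF.

      " Otherwise the user needs the activity for this order's sales organization.
      " Create by association counts as an update of the authorization master.
      IF requested_authorizations-%update      = if_abap_behv=>mk-on
      OR requested_authorizations-%assoc-_Item = if_abap_behv=>mk-on.
        AUTHORITY-CHECK OBJECT 'ZORDER' ID 'ACTVT' FIELD '02'
                                        ID 'ZSALESORG' FIELD order-SalesOrg.
        <auth>-%update = COND #( WHEN sy-subrc = 0 THEN if_abap_behv=>auth-allowed
                                                   ELSE if_abap_behv=>auth-unauthorized ).
        <auth>-%assoc-_Item = <auth>-%update.
      ENDIF.

      IF requested_authorizations-%delete = if_abap_behv=>mk-on.
        AUTHORITY-CHECK OBJECT 'ZORDER' ID 'ACTVT' FIELD '06'
                                        ID 'ZSALESORG' FIELD order-SalesOrg.
        <auth>-%delete = COND #( WHEN sy-subrc = 0 THEN if_abap_behv=>auth-allowed
                                                   ELSE if_abap_behv=>auth-unauthorized ).
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

ENDCLASS.
```

Two points matter for security here. The instance decision is based on the state read inside the method, not on field values sent by the consumer, so a caller cannot change its own outcome by submitting a different SalesOrg. And the result is only filled for the operations actually requested; a missing result entry is not an implicit grant, so the frozen-order branch sets every relevant flag to unauthorized explicitly.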
Availability
- Managed RAP BO
  - In a managed RAP BO, if the root entity is specified as authorization master, the RAP framework checks each RAP BO operation for any access restrictions.
- Unmanaged RAP BO
  - In an unmanaged RAP BO, if global authorization control is specified, the RAP framework checks each RAP BO operation for any access restrictions.
  - Caution: If instance authorization control is specified, this is not the case. The RAP framework does not call the method for instance authorization in unmanaged non-draft scenarios. If authorization control is relevant, it must be implemented in the respective method for each modify operation. Only in UI scenarios does the instance authorization control method have an effect, on the RAP consumer hints.
- Draft-enabled RAP BO
  - In a draft-enabled RAP BO, the RAP framework checks for each standard operation on a draft instance whether there are any access restrictions. For the draft actions Resume and Edit, the authorization control for create is checked. For the draft actions Activate, Discard, and Prepare, the authorization methods are not called. To prevent a draft instance from being activated, the authorization check has to be implemented in a validation.
- Projection BO
  - In a projection business object, the authorization from the base business object is automatically inherited. If new actions or functions are defined in the projection layer, a new authorization control for these actions and functions can be defined. For further details, see topic RAP - authorization, Projection BDEF.
- RAP BO interface
  - In a RAP BO interface, the authorization control from the base BO is automatically inherited.
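Both cautions above (the instance authorization method is not called for modify operations of an unmanaged non-draft BO, and it is not called for Activate of a draft-enabled BO) come down to the same thing: the check has to be repeated in code the framework does call. The following added example (not code from the page or from SAP) shows two fragments from two different behavior pools that share one helper: an update handler of an unmanaged, non-draft BO, and a validation on save of a draft-enabled BO. It assumes the hypothetical authorization object ZORDER (fields ACTVT and ZSALESORG), a table zorder with the fields order_uuid and sales_org, an entity ZI_Order with the alias Order and the field SalesOrg, and a BDEF line validation checkAuthorization on save { create; update; } for the draft BO:

```abap
" Added example. Hypothetical authorization object ZORDER, table zorder and
" entity ZI_Order; the two handler classes belong to two different behavior pools.
CLASS lcl_order_auth DEFINITION.
  PUBLIC SECTION.
    " The single place where the instance-level decision is made.
    CLASS-METHODS is_update_allowed
      IMPORTING sales_org      TYPE zi_order-SalesOrg
      RETURNING VALUE(allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_order_auth IMPLEMENTATION.
  METHOD is_update_allowed.
    AUTHORITY-CHECK OBJECT 'ZORDER' ID 'ACTVT' FIELD '02'
                                    ID 'ZSALESORG' FIELD sales_org.
    allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

" 1) Unmanaged, non-draft BO: the framework does not call FOR INSTANCE
"    AUTHORIZATION, so every modify handler must check for itself.
CLASS lhc_order_unmanaged DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS update FOR MODIFY IMPORTING entities FOR UPDATE Order.
ENDCLASS.

CLASS lhc_order_unmanaged IMPLEMENTATION.
  METHOD update.
    LOOP AT entities INTO DATA(entity).
      " Decide on the persisted state, not on values sent by the consumer.
      SELECT SINGLE sales_org FROM zorder
        WHERE order_uuid = @entity-OrderUuid
        INTO @DATA(sales_org).
      IF sy-subrc <> 0 OR lcl_order_auth=>is_update_allowed( sales_org ) = abap_false.
        APPEND VALUE #( %tky = entity-%tky ) TO failed-order.
        APPEND VALUE #( %tky = entity-%tky
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = 'Not authorized to change this order' ) )
          TO reported-order.
        CONTINUE.
      ENDIF.
      " ... authorized: buffer the change for the save sequence ...
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

" 2) Draft-enabled BO: Activate does not call the authorization methods, so a
"    validation on save re-checks the instance before it can be activated.
CLASS lhc_order_draft DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS check_authorization FOR VALIDATE ON SAVE
      IMPORTING keys FOR Order~checkAuthorization.
ENDCLASS.

CLASS lhc_order_draft IMPLEMENTATION.
  METHOD check_authorization.
    READ ENTITIES OF zi_order IN LOCAL MODE
      ENTITY Order
        FIELDS ( SalesOrg )
        WITH CORRESPONDING #( keys )
      RESULT DATA(orders).

    LOOP AT orders INTO DATA(order).
      " Clear earlier messages of this state area before re-evaluating.
      APPEND VALUE #( %tky = order-%tky %state_area = 'AUTHORIZATION' ) TO reported-order.
      IF lcl_order_auth=>is_update_allowed( order-SalesOrg ) = abap_false.
        APPEND VALUE #( %tky = order-%tky ) TO failed-order.
        APPEND VALUE #( %tky = order-%tky
                        %state_area = 'AUTHORIZATION'
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = 'Not authorized to activate this order' )
                        %element-SalesOrg = if_abap_behv=>mk-on )
          TO reported-order.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

Keeping the decision in one helper is what prevents the usual drift, where the FOR INSTANCE AUTHORIZATION method, the modify handlers and the validation each encode a slightly different rule; the UI consumer hints and the enforced behavior then stay consistent.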
Hints
- The EML statement IN LOCAL MODE can be used to skip authorization control. It is only available in the behavior pool of the business object itself, for internal reads and modifications; it is not a way for a RAP BO consumer to bypass the checks.
- A RAP BO consumer can use the EML statement GET PERMISSIONS to check whether a RAP BO has authorization control implemented.
- To limit read access to a business object, Data Control Language (DCL) can be used. CDS access controls defined in DCL are passed on from the base layer to the RAP BO projection and the RAP BO interface. An executable example that demonstrates how read access control is implemented and evaluated can be found in topic RAP BDL - RAP BO with DCL Access Control.
- Authorizations can also be checked in other ABP methods, for example, in validations.
- In UI scenarios, authorization control is displayed as a RAP consumer hint.
- In BDEF extensions to managed and unmanaged RAP BOs, authorization control must be specified for each action separately. The reason for this is that the authorization control of extension actions should be independent of the authorization control of the original RAP BO, to ensure stability even if the original BO is changed.
- The following syntax short form is available to summarize lock dependent, ETag dependent, and authorization dependent: ( lock, authorization, etag ) dependent by _assoc. For details, see topic RAP - SyntaxShortForm.
Further Information
- Development guide for the ABAP RESTful Application Programming Model, section Authorization Control.
Executable Example
Global authorization control is demonstrated in detail in the executable example RAP BDL - global authorization.