ABAP for Cloud Development, ©Copyright 2024 SAP SE. All rights reserved.
ABAP - Keyword Documentation → ABAP - RAP Business Objects → RAP - Behavior Definitions → RAP - BDL for Behavior Definitions → RAP - Managed and Unmanaged Behavior Definitions → RAP - AuthorizationContext →
Mail FeedbackRAP - define authorization context
Syntax
define authorization context ContextName
[{for disable( modify
| read
| save:early
| save:late)}]
{
AuthObject1;
[
AuthObject2;]
[...]
}
1. ... for disable( Options ) ...
Description
A RAP behavior definition can define authorization contexts for disable using the statement define authorization context. Authorization contexts for disable list multiple authorization objects that are used for the ABAP statement AUTHORITY-CHECK OBJECT. When an authorization context for disable is activated, authority checks for all associated authorization objects are always successful; in other words, the respective authorization checks are skipped. This can be useful, for example, when a BDEF implements its own authorization check and then calls existing code, which again has its own authorization checks.
One RAP behavior definition can define one or more authorization contexts for disable. The contexts may be defined before, between, or after the entity behavior definitions. Each context can contain one or more authorization objects AuthObject1, AuthObject2, .... It is also possible to define an empty authorization context for disable. This can be useful when using BDEF privileged mode: to enable BDEF privileged mode, it is mandatory to specify at least one authorization context for disable. However, some RAP BOs use authority checks that do not rely on authorization objects. In this case, an empty authorization context for disable can be specified.
The optional addition for disable( Options ) activates the authorization context for disable in question for certain saver or handler methods. For details, see Addition 1 below.
Activating an Authorization Context for Disable
An authorization context for disable can be activated and the corresponding authorization objects skipped in the following ways:
- By using AUTHORITY-CHECK DISABLE BEGIN CONTEXT ... AUTHORITY-CHECK DISABLE END in the ABAP behavior pool for a handler or saver method.
- By registering a context for use in privileged mode using the syntax statement with privileged mode disabling ContextName.
- By registering a context for a category of saver or handler method using the optional addition for disable( Options ), as described under Addition 1 below.
Availability
The following list shows the availability of the statement define authorization context ContextName { ... }. If the optional addition for disable( Options ) is used, special rules apply. These rules are described under Addition 1 below.
An authorization context for disable, without the addition for disable( Options ), can be specified in the following BDEF implementation types:
- Managed RAP BO
- Unmanaged RAP BO
- Projection BDEF: A projection BDEF can define an authorization context for disable independently of the projected BDEF. This means that an authorization context for disable can be defined in the projection layer even if the projected entity does not have an authorization context for disable.
Dependency
If you define and activate an authorization context for disable which lists authorization objects (that means, it is not empty), you also need to specify a RAP full authorization context that lists all mentioned authorization objects, unless they are forbidden for use in full authorization contexts as per their classification. Otherwise, syntax check warnings occur. Further details are described in topic RAP - define own authorization context.
Hint
The optional registration of an authorization context for a dedicated purpose using the syntax for disable( ... ) does not generate an AUTHORITY-CHECK DISABLE BEGIN CONTEXT ... AUTHORITY-CHECK DISABLE END bracket within saver or handler methods that are introduced by BDEF extensions. The optional addition for disable has an effect only in the base BDEF implementation, but not in BDEF extensions.
Example
The following managed BDEF defines two authorization contexts for disable: ac1 and ac2 with the addition for disable. A full authorization context which lists all objects from ac_1 is also required.
Note: This example is intentionally kept short and simple and serves demonstration purposes only. The RAP handler method FOR GLOBAL AUTHORIZATION is not implemented here. In a real-life scenario, the authorization objects from the full authorization context would be implemented in this RAP handler method.
managed implementation in class bp_demo_rap_auth_context unique;
strict(2);
with privileged mode disabling ac_1;
define authorization context ac_1
{
'AUTHOBJ1' ;
'AUTHOBJ2' ;
'AUTHOBJ3' ;
}
define authorization context ac_2
for disable(modify, read) ##warn_OK
{
'AUTHOBJ4' ;
}
define own authorization context by privileged mode;
define behavior for DEMO_RAP_AUTH_CONTEXT alias Root
persistent table DEMO_DBTAB_ROOT
lock master
authorization master ( global )
{
create;
update;
delete;
association _child { create; }
field(readonly:update) KeyField;
mapping for demo_dbtab_root
{
KeyField = key_field;
DataField = data_field;
CharField = char_field;
CharField2 = char_field_2;
DecField = dec_field;
}
}
define behavior for DEMO_RAP_AUTH_CONTEXT_CHILD alias Child
persistent table DEMO_DBTAB_CHILD
lock dependent by _parent
authorization dependent by _parent
{
update;
delete;
field ( readonly ) KeyField;
field(readonly:update) KeyFieldChild;
association _parent;
mapping for demo_dbtab_child
{
KeyField = key_field;
KeyFieldChild = key_field_child;
DataField = data_field;
CharField = char_field;
}
}
Executable Example
The example Using the addition PRIVILEGED
with an ABAP EML Statement defines an authorization context and registers it for use in privileged
mode. It then demonstrates access to the RAP BO, first without the addition PRIVILEGED, afterwards with using PRIVILEGED.
... for disable( Options ) ...
Description
The optional addition for disable( Options ) activates the authorization context for disable in question for certain saver or handler methods. When a context is activated, then the corresponding methods automatically and implicitly skip the authorization objects listed in the associated authorization context.
Example:
-
define authorization context ReadContext
for disable (read)
...
in the BDEF has the effect that
-
METHOD read FOR READ [....]
...
ENDMETHOD.
in the ABAP behavior pool behaves as if the code was
-
METHOD read FOR READ [....].
AUTHORITY-CHECK DISABLE BEGIN CONTEXT demo_context~ReadContext.
...
AUTHORITY-CHECK DISABLE END.
ENDMETHOD.
The following options Options can be specified after for disable in brackets ( ... ):
- modify
- Available for managed and unmanaged RAP BOs.
- The RAP handler methods FOR MODIFY automatically skip the authorization objects listed in the associated authorization context ContextName.
- read
- Available for managed and unmanaged RAP BOs.
- The RAP handler methods FOR READ automatically skip the authorization objects listed in the associated authorization context ContextName.
- save:early
- Available only for the BDEF implementation type unmanaged.
- The RAP saver methods finalize and check_before_save of the early save phase automatically skip the authorization objects listed in the associated authorization context ContextName.
- save:late
- Available for managed and unmanaged RAP BOs.
- The RAP saver methods adjust_numbers, save, and save_modified of the late save phase automatically skip the authorization objects listed in the associated authorization context ContextName.
It is possible to specify one or more options Options within the brackets, divided a commas. Each option can only be assigned once within a RAP behavior definition.
Restrictions
While an authorization context for disable can be specified in BDEF extensions, the optional addition for disable( Options ) is not available in BDEF extensions. For details, see the topic RAP - extension.