Authorization Report
A Web Dynpro-developed user interface component used to generate reports that show which authorizations a user has on certain object instances or types.
You use the Authorization Report user interface component as a complement to the user authorization concept in CAF. It is a tool that CAF administrators can use to verify user access rights and permission checks.
The Authorization Report pattern consists of two parts:
● Authorization Report Configurator
● Authorization Report UI
You use the toolbar along the top of the layout to create a new configuration (New), to open a previously created one (Open), to save (Save, Save as) or delete (Delete) it, or to preview (Preview) and test your configuration in a separate window.
You can use the configuration attributes in the table below to create an authorization report for each type of business object. Those marked with an asterisk (*) are to be changed for certain types of business objects.
Configuration Attribute | Example Value | Description
Business Object Service Module | sap.com/caf.core/BusinessEntityService | Service module name of entity service
Query to Retrieve Business Object | findByObjectID | BusinessEntityService [findByObjectID]
Object ID Parameter | objectID | [findByObjectID] object id input attribute name
Object Type Parameter Name | objectTypeID | [findByObjectID] object type input attribute name
Object Type Parameter Value* | For example, sap.com/somtest1/Stud1 | [findByObjectID] object type input attribute value
Title Attribute Parameter Name | titleAttribute | [findByObjectID] business entity title property name - input attribute name
Title Attribute Parameter Value* | For example, name | [findByObjectID] business entity title property name - input attribute value
Object Attribute for Title | title | Attribute name of [BusinessEntity] aspect
Business Object Relation Name for Permission | permissions | Relation for [BusinessEntity] aspect
Business Object Relation Name for Business Rules | businessRules | Relation for [BusinessEntity] aspect
Attribute for Rule Name | ruleName | Attribute name of [BusinessRule] aspect
Business Rule Relation Name for Permission | rulePermissions | Relation for [BusinessRule] aspect
Service Module for the Check Permission Query | sap.com/caf.core/PermissionService | Permission service module name
Query for Check Permission | checkPermission | PermissionService [checkPermission]
Object ID Parameter Name for Check Permission | objectID | [checkPermission] object id input attribute name
Object Type Parameter Name for Check Permission | objectType | [checkPermission] object type input attribute name
Principal ID Parameter for Check Permission | principalID | [checkPermission] principal id input attribute name
Attribute for Permission Name | permissionName | Attribute name of [Permission] aspect
Attribute for Principal Name | principalName | Attribute name of [Permission] aspect
Attribute for Principal Type | principalType | Attribute name of [Permission] aspect
Attribute for Principal Unique ID | principalID | Attribute name of [Permission] aspect
Attribute for Principal Unique Name | principalName | Attribute name of [Permission] aspect
Principal Component | com.sap.caf.ui.ptn.userassignment.UserAssignment | User assignment component name
Principal Deployable Component | sap.com/caf~UI~ptn~userassignment | User assignment name for deployable object component
Principal Configuration | auth_browser | Name of embedded user assignment component
Before generating the report UI, you will be asked for information about the user in order to create a report. Provide this information by adding the following to the current URL:

app.parameter1=<object key>
The information about access rights is represented in two tables. This information is static and loads only when you initialize the component and the instance identifier is passed as a parameter.
You can enter or browse for a user, then generate the access rules. The information is grouped by roles with the possibility to view the rights for users belonging to a given role. Permissions for principals are also grouped by roles. You can export this information as a report to a local file.
You use the User Assignment pattern to identify the principal deployment components and configuration parameters. You use the Object Selector pattern to select the user for which you have created an authorization report and have noted the user's entity object key. You can also use the Authorization Tool to view authorization assignments and propagated permissions, and to create an authorization report.