| access control list (BC-DWB-TOO) |
Optional part of a package interface used to restrict access to the exposed repository objects of the package interface
The access control list specifies the client packages that have been explicitly granted access to the repository objects contained in the package interface. If a package interface does not contain an access control list, however, access is granted to all possible client packages.
By default, only the direct superpackage, parallel packages, and direct subpackages (if internal visibility is permitted) can be included in an access control list for a package interface of the server package. Note in particular that if a parallel package is entered in the access control list, access from the complete subtree of this package, that is, from all direct and indirect subpackages, is also included implicitly. This means that if the package hierarchy is restructured internally on the client side, the access control list of an interface cannot be invalidated (in contrast to the access control list with the old semantics).
In addition to this standard behavior - which we recommend for new developments - the access control list can also be converted back to the old semantics. In this case, the semantics of the access control list correspond to the package concept for earlier SAP Basis releases (prior to NetWeaver 7.10).
Behavior during propagation: The access control list affects direct visibility only. When a package interface that contains an access control list is propagated, visibility may have to be restricted again using an access control list for the propagating package interface.
Defining an access control list for a package interface: A package interface with the designation "Access control list" for which the access control list is empty can neither be propagated further to the superordinate package nor can it be used in a dependency control list of a client package.
In contrast to the new semantics of the access control list (as of NetWeaver Release 7.10), only the packages included explicitly in the list can access the exposed repository objects of the package interface.
Only packages for which the relevant package interface of the server is actually visible are generally taken into account -- for example, parallel packages from the same package hierarchy (sub)tree. For the parallel package to be granted use of the relevant package interface, it simply has to be entered in the access control list of the interface. If a client package originates from a different package hierarchy (sub)tree, both the package affected and all of its superpackages must be explicitly entered in the access control list of the server package interface (top-down declaration for use access).
This has significant consequences if the package hierarchy is restructured on the client side since such changes can easily invalidate the access control list of a server package. This legacy mode ensures the compatibility of access control lists that were created prior to SAP NetWeaver 7.10.