Performing Authorization Checks Based on Scenarios

Scenario-based authorization checks enable you, as a developer, to enhance delivered software with alternative authorization checks for authorization objects in different use cases.

Prerequisites

You have a user with the required authorizations.

Context

Adding scenarios enables you to enhance your application without completely disrupting your current processes, giving you time to plan for a redesign.

Some reasons why you must build such a scenario in your application include the following:

  • When you created your application, you did not cover all possible cases.

  • New legal requirements force you to update your application.

  • New technical advances provide the means to bypass your existing security concept.

Recommendation

We continue to recommend the direct usage of AUTHORITY-CHECK.

Procedure

  1. In your application, perform your authorization checks with the method AUTH_CHECK_SPEC of the class CL_SACF. In the method call, define the scenario names and the authorization objects and values to check for each scenario.

    For an example of an implementation of CL_SACF=>AUTH_CHECK_SPEC, see report SACF_TEST_CASE.

  2. Create scenario definitions corresponding to your method calls.

    Scenario definitions are workbench objects you transport with your application. System administrators can decide how to react to the authorization checks in their systems and transport the productive scenarios through the landscape.

  3. Add authorization objects to your scenario definition.

    How you add authorization objects to your scenario definition depends on whether you plan to deliver an active or inactive scenario definition.

    | Scenario Definition Status | Description |
    |---|---|
    | Inactive (<Status> P) | Inactive scenarios are disabled until a system administrator creates a productive scenario from the definition. This status gives the administrator maximum flexibility to incorporate your changes in a non-disruptive manner. You can create your own productive scenario from your definition, run the scenario in test mode, and import the required authorization objects back into the scenario definition. |
    | Active (<Status> D) | Active scenarios are live as soon as they are imported into the system. This status ensures that the authorization checks chosen by the developer always apply. Add the authorization objects to the scenario definition manually. |

  4. Transport your finished development objects.