Scenario-based authorization checks enable you, as a developer, to enhance delivered
software with alternative authorization checks for authorization objects in different use
cases.
Prerequisites
You have a user with the required authorizations.
Context
Adding scenarios enables you to enhance your application without completely
disrupting your current processes, giving you time to plan for a redesign.
Some reasons why you must build such a scenario in your application include the
following:
- When you created your application, you did not cover all possible cases.
- New legal requirements force you to update your application.
- New technical advances provide the means to bypass your existing security
  concept.
Recommendation
We continue to recommend the direct usage of AUTHORITY-CHECK.
Procedure
- In your application, perform your authorization checks with the method
  AUTH_CHECK_SPEC of the class CL_SACF. In the method call, define the scenario
  names and the authorization objects and values to check for each scenario.
  For an example of an implementation of CL_SACF=>AUTH_CHECK_SPEC, see report
  SACF_TEST_CASE.
- Create scenario definitions corresponding to your method calls.
  Scenario definitions are workbench objects you transport with your application.
  System administrators can decide how to react to the authorization checks in
  their systems and transport the productive scenarios through the landscape.
- Add authorization objects to your scenario definition.
  How you add authorization objects to your scenario definition depends on
  whether you plan to deliver an active or an inactive scenario definition.
| Scenario Definition Status | Description |
|---|---|
| Inactive (<Status> P) | Inactive scenarios are disabled until a system administrator creates a productive scenario from the definition. This status gives the administrator maximum flexibility to incorporate your changes in a non-disruptive manner. You can create your own productive scenario from your definition, run the scenario in test mode, and import the required authorization objects back into the scenario definition. |
| Active (<Status> D) | Active scenarios are live as soon as they are imported into the system. This status ensures that the authorization checks chosen by the developer always apply. Add the authorization objects to the scenario definition manually. |
- Transport your finished development objects.