Role and Authorization Concept

In the back end, development objects of the ABAP Repository are identified by their object type and object name.

The ABAP Development Tools, however, are a front-end client that communicates with the back end over an HTTP-based REST architecture. From the viewpoint of this architecture, ABAP development objects are addressed as resources and identified by URIs. Whenever a development object is accessed, the front-end request carries a URI, and the request is first passed to a router in the back end. The router, in turn, forwards the request to the responsible resource controller, which uses the incoming URI to identify the matching development object in the ABAP Repository. Resource controllers are registered with the help of BAdIs: the BAdI implementation that handles a given URI is selected on the basis of predefined filter values, and each filter value contains the static URI path under which the resource (that is, the development object) is accessed in the back end.

Risks

Backdoors could be introduced into the application server during the registration of resource controllers. This could happen when BAdI enhancements that handle arbitrary, possibly "malicious" URIs are registered in the system.

Protection Measures

To provide protection against such backdoors, the proven SAP NetWeaver authorization concept is applied. It allows authorizations to be assigned to system users on the basis of predefined roles. The system administrator therefore assigns one or several roles to each system user; at a technical level, these roles are based on authorization objects.

When assigning user authorizations for access to development objects, we strongly recommend using the standard roles (see the table below) and the authorization default values that are provided for working with ABAP Development Tools. The standard roles are linked with the standard authorization object S_ADT_RES, which checks any incoming URI against a predefined list of allowed URIs, that is, a white list. This authorization object therefore holds, as an attribute, the list of all allowed URI prefixes, and a "malicious" URI that does not match this list is rejected by the authorization check.
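To make the request path described above concrete (router, static URI path per controller, white-list check of the incoming URI before dispatch), here is a small model in Python. It is an added illustration, not SAP code: the controller registry, the white-list prefixes and the sample URIs are constructed for the example, and the real S_ADT_RES list is maintained in roles rather than in code. The model normalizes the path before matching, which is the caveat a practitioner should keep in mind when reasoning about any prefix-based white list: a raw string comparison would accept a path that only textually starts with an allowed prefix.

```python
"""Model of the ADT request path: a router dispatches an incoming URI to the
resource controller registered under a static URI path, after the URI has
passed an S_ADT_RES-style prefix white list.

Illustrative only; the registry, prefixes and URIs below are constructed.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed white list in the spirit of S_ADT_RES field URI (assumption:
# the productive list comes from the user's roles, not from code).
ALLOWED_URI_PREFIXES = (
    "/sap/bc/adt/programs/",
    "/sap/bc/adt/oo/classes/",
)

# Constructed registry standing in for BAdI implementations selected by
# filter value: static URI path -> controller name. The last entry models a
# controller that was registered but is not on the white list.
RESOURCE_CONTROLLERS = {
    "/sap/bc/adt/programs/": "ProgramController",
    "/sap/bc/adt/oo/classes/": "ClassController",
    "/sap/bc/adt/hidden/": "UnlistedController",
}


def normalize_path(uri: str) -> str:
    """Reduce a URI to a canonical absolute path so that percent-encoding
    and '..' segments cannot change what the prefix check sees.
    Returns '' for anything that is not an absolute path."""
    path = unquote(urlsplit(uri).path)
    if not path.startswith("/"):
        return ""
    norm = posixpath.normpath(path)
    # normpath strips a trailing slash; keep it so that a request for exactly
    # '/sap/bc/adt/programs/' still matches that directory-style prefix.
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def raw_prefix_match(uri: str, prefixes=ALLOWED_URI_PREFIXES) -> bool:
    """The weak form: textual prefix comparison without normalization.
    Kept only to show what the hardened check below rejects."""
    return any(uri.startswith(p) for p in prefixes)


def is_uri_allowed(uri: str, prefixes=ALLOWED_URI_PREFIXES) -> bool:
    """White-list check: the normalized path must start with an allowed
    prefix. This is the model's stand-in for the authority check."""
    path = normalize_path(uri)
    return bool(path) and any(path.startswith(p) for p in prefixes)


def route(uri: str, prefixes=ALLOWED_URI_PREFIXES) -> str:
    """Router model: white list first, then dispatch to the controller whose
    static path is the longest matching prefix.
    Returns the controller name, 'DENIED' or 'NOT_FOUND'."""
    if not is_uri_allowed(uri, prefixes):
        return "DENIED"
    path = normalize_path(uri)
    matches = [p for p in RESOURCE_CONTROLLERS if path.startswith(p)]
    if not matches:
        return "NOT_FOUND"
    return RESOURCE_CONTROLLERS[max(matches, key=len)]


if __name__ == "__main__":
    for u in (
        "/sap/bc/adt/programs/zdemo",
        "/sap/bc/adt/hidden/x",
        "/sap/bc/adt/programs/../hidden/x",
        "/sap/bc/adt/programs/%2E%2E/hidden/x",
    ):
        print(f"{u:42} raw={raw_prefix_match(u)!s:5} -> {route(u)}")
```

Running the block shows that the first URI reaches ProgramController, while the other three are denied by the white list even though the last two pass the raw textual prefix comparison. In the model the white list is consulted before the router looks at the controller registry, which is the order that keeps an unlisted controller unreachable regardless of how it was registered.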

Standard Roles

The table below shows the standard roles that should be assigned for users of the ABAP Development Tools:

Role                      Description
SAP_BC_DWB_ABAPDEVELOPER  ABAP developer
SAP_BC_DWB_DISPLAY        Display user

Standard Authorization Object

Authorization Object  Field  Description
S_ADT_RES             URI    Contains the white list of all allowed URI prefixes