
Protecting Access to Business Object Operations

Use

You can protect access to business object CRUD (create, read, update, delete) operations. Query operations are protected as well: when a query is executed, the system checks the read permission.

Procedure

Enabling Permission Checking on Business Object Node Level

  1. In the Composite Application Explorer view, open the business object node whose permissions you want to configure.
  2. Open the Permissions tab page.

    To enable permission checking, mark the Permission checks enabled indicator.

    This option indicates that the business object is secured and that the system performs permission checks for its CRUD (create, read, update, delete) methods. When the option is enabled, permission-check code is added to every CRUD method.

    At runtime, the system performs permission checks for the principal who is currently working with the application. You can assign permissions to principals using the SAP NetWeaver Administrator tool.

    You can assign service permissions to protect business object operations.

    Note

    To access the CAF authorizations, you must have the SAP_CAF_ADMIN role assigned.

  3. Log on to the SAP NetWeaver Administrator using the following URL: http://<host>:<port>/nwa

    Replace <host> and <port> with the Application Server (AS) Java host and port.

  4. Choose Configuration → Security → Identity Management → Composite Application Framework Authorization Tool.
  5. From the Secured Business Objects pane, select the business object whose permissions you want to manage. You can add, remove, or delete business rules.

    For more information, see Managing Business Rules List .

  6. For each selected business rule, you can manage its ACL and conditions.

    For more information, see Managing Access Control List and Managing Conditions List .

Enabling Permission Checking on Business Object Instance Level

  1. In the Composite Application Explorer of the SAP NetWeaver Developer Studio, open the business object node whose permissions you want to configure.
  2. Open the Permissions tab page.
  3. Enable the Permission checks enabled indicator.
  4. To enable custom permissions setting and checking for each business object instance, enable the Permission on instance level indicator.

    This option generates an API for setting and checking permissions on each individual instance of the business object. It can only be activated if the Permission checks enabled indicator is set. The Owner permission is assigned by default to the current user; it allows the instance permissions to be modified. The API is generated as part of the business object service and consists of the following methods:

    void addPermission(IPrincipal principal,
                       String permission,
                       String user,
                       String key)
                       throws CAFBONodeException;

    void removePermission(IPrincipal principal,
                          String permission,
                          String user,
                          String key)
                          throws CAFBONodeException;

    Map<IPrincipal, Set<String>>
    getPrincipalPermissions(IPrincipal principal,
                            String permission,
                            String user,
                            String key)
                            throws CAFBONodeException;

    /*
     * getPrincipalPermissions() returns a set of permissions per principal.
     *   - If principal is null, the permissions for all principals are returned.
     *   - If permission is null, all permissions are returned.
     *
     * Parameters:
     *   principal  - an Application Server Java principal (user, role or group)
     *                to which permissions are assigned or removed; use the
     *                security API to obtain the desired principal instance
     *   key        - the GUID of the business object instance (obtained with
     *                getKey()) for which permissions are granted to the principal
     *   user       - unique ID (see IPrincipal.getUniqueID()) of the user that
     *                performs the permission manipulation; must hold the "owner"
     *                permission
     *   permission - one of "create", "read", "update", "delete",
     *                "fullcontrol" or "owner"
     */
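The instance-level API above, as a constructed Python model added to this page (not SAP's code): a key-to-principal-to-permission map in which "owner" is assigned to the creating user and is required before the ACL can be changed, plus the null-principal and null-permission lookups of getPrincipalPermissions. Class and method names are the model's own, and enforcing the owner check on the lookup call, not only on add/remove, is an assumption.

```python
# Constructed model of the CAF instance-level permission semantics described
# above. It is an illustration for this page, not SAP's implementation.

PERMISSIONS = {"create", "read", "update", "delete", "fullcontrol", "owner"}


class CAFBONodeException(Exception):
    """Stands in for the CAF exception raised on a rejected call."""


class InstanceAcl:
    """Per-instance ACL: key -> principal -> set of permission names."""

    def __init__(self):
        self._acl = {}

    def create_instance(self, key, creator):
        # Owner is assigned by default to the user who creates the instance.
        self._acl[key] = {creator: {"owner"}}

    def _require_owner(self, user, key):
        # The calling user must hold "owner" on this instance (assumption:
        # enforced on reads of the ACL as well as on changes).
        if "owner" not in self._acl.get(key, {}).get(user, set()):
            raise CAFBONodeException(f"{user!r} is not an owner of {key!r}")

    def add_permission(self, principal, permission, user, key):
        if permission not in PERMISSIONS:
            raise CAFBONodeException(f"unknown permission {permission!r}")
        self._require_owner(user, key)
        self._acl[key].setdefault(principal, set()).add(permission)

    def remove_permission(self, principal, permission, user, key):
        self._require_owner(user, key)
        self._acl[key].get(principal, set()).discard(permission)

    def get_principal_permissions(self, principal, permission, user, key):
        # principal None -> all principals; permission None -> all permissions.
        self._require_owner(user, key)
        result = {}
        for p, perms in self._acl[key].items():
            if principal is not None and p != principal:
                continue
            selected = perms if permission is None else perms & {permission}
            if selected:
                result[p] = set(selected)
        return result
```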