
Named Permissions and Action Permissions

Use

When you develop a new application, you must decide what parts need to be protected and how you are going to protect them. SAP NetWeaver supports the standard methods offered by Java EE, but also offers enhanced methods enabling you to determine at a granular level how you want to protect your application.

SAP provides the following standard permission classes, upon which you can build your authorization concept:

  • Named permissions

  • Action permissions

Named Permissions

Named permissions function much like permissions in Java EE. In your application, you check whether the user has the named permission. If the name matches, then the user has permission to execute the protected function. With named permissions, only the name of the permission is significant. The value plays no role.

Recommendation

If you only intend to use named permissions in your application, we recommend that you use Java EE security roles to protect your application instead of UME actions.

Action Permissions

Use action permissions to create permissions for a number of objects for which you perform similar actions. You can then control access by the type of object and the type of action.

Example

You want to create permissions for a car rental application. The application groups cars into various classifications: compact, economy, intermediate, full size, mini van, luxury, and premium. The actions you want to perform are create reservation, cancel reservation, and view reservation. You have two types of users: users that can work on standard reservations and users that can work on premium reservations. So you create an action, which grants the standard user permission to work on standard reservations. The permissions in this action have the following name, value pairings:

  • *, View

  • Economy, create

  • Economy, cancel

  • Compact, create

  • Compact, cancel

  • Intermediate, create

  • Intermediate, cancel

  • Full size, create

  • Full size, cancel

  • Mini van, create

  • Mini van, cancel

The premium action grants permission to work on premium and luxury car reservations. The permissions in this action have the following name, value pairings:

  • *, View

  • Premium, create

  • Premium, cancel

  • Luxury, create

  • Luxury, cancel

In your application, at the point where you check permissions before creating a premium reservation, you check for the name, value pairing Premium, create. The standard reservation action does not include this permission, so a user who has only that action is denied. The premium reservation action includes this value pairing, so users with this action can create a premium reservation. Both actions have an asterisk ( * ) for the permission name with the value View, so users with either action can view any type of reservation.
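
The check described above can be modeled with the JDK's java.security.Permission class. This is an added example, not SAP code and not the UME API: the class RentalPermission, the action names StandardReservation and PremiumReservation, and the case-insensitive comparison of names and values are assumptions, and only a subset of the pairings is listed.

```java
import java.security.Permission;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class RentalPermissionDemo {
    /** Hypothetical permission: name = car class (or "*"), value = operation. */
    static final class RentalPermission extends Permission {
        private final String value;
        RentalPermission(String carClass, String value) {
            super(carClass);
            this.value = value.toLowerCase(Locale.ROOT); // assumption: "View" equals "view"
        }
        @Override public boolean implies(Permission p) {
            if (!(p instanceof RentalPermission)) return false;
            RentalPermission req = (RentalPermission) p;
            // Only a granted "*" widens the match; a requested "*" gets no special meaning.
            boolean nameOk = "*".equals(getName()) || getName().equalsIgnoreCase(req.getName());
            return nameOk && value.equals(req.value);
        }
        @Override public String getActions() { return value; }
        @Override public boolean equals(Object o) {
            return o instanceof RentalPermission && implies((Permission) o) && ((Permission) o).implies(this);
        }
        @Override public int hashCode() { return value.hashCode(); }
    }

    static RentalPermission p(String name, String value) { return new RentalPermission(name, value); }

    // Constructed subset of the name, value pairings of the two actions in the example.
    static final Map<String, List<RentalPermission>> ACTIONS = Map.of(
        "StandardReservation", List.of(p("*", "View"), p("Economy", "create"), p("Economy", "cancel"),
                                       p("Compact", "create"), p("Compact", "cancel")),
        "PremiumReservation", List.of(p("*", "View"), p("Premium", "create"), p("Premium", "cancel"),
                                      p("Luxury", "create"), p("Luxury", "cancel")));

    /** Deny by default: allow only if a permission in an assigned action implies the request. */
    static boolean isAllowed(List<String> assignedActions, RentalPermission required) {
        return assignedActions.stream()
            .flatMap(a -> ACTIONS.getOrDefault(a, List.of()).stream())
            .anyMatch(granted -> granted.implies(required));
    }

    public static void main(String[] args) {
        RentalPermission createPremium = p("Premium", "create");
        System.out.println("standard user, Premium/create: " + isAllowed(List.of("StandardReservation"), createPremium));
        System.out.println("premium user,  Premium/create: " + isAllowed(List.of("PremiumReservation"), createPremium));
        System.out.println("standard user, Luxury/view:    " + isAllowed(List.of("StandardReservation"), p("Luxury", "view")));
        System.out.println("no actions,    Economy/view:   " + isAllowed(List.of(), p("Economy", "view")));
    }
}
```

Because the wildcard is honored only on the granted side, a user with no assigned action, or with an unknown action name, is denied every request, including View.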