Managing Propagated Permissions

Use

You use propagated permissions to maintain authorizations of related business objects.

For more information, see Composite Application Service Permissions.

Prerequisites

You have defined the required associations between business objects.

More information: Defining Business Object Associations

Procedure

Enabling Propagated Permissions

...

       1.      In the Composite Application Explorer view of the SAP NetWeaver Developer Studio, open the business object, for which you want to maintain propagated permissions, and go to the Associations tab page.

       2.      Select the relevant association and set the PropagatePermissions property to true in the Properties view.

In the Permissions tab page you can now see the association in the propagated permission list. Optionally, you can disable the propagation here. This sets the PropagatePermission property back to false.

Selecting a Business Object Instance

       3.      Log on to the CAF runtime configurator using the following URL:

http://<host>:<port>/caf

       4.      Choose Administrative tools → Authorization Tool.

       5.      Choose the Propagated Permissions  tab page.

       6.      From the left pane (Inheritance of Permissions by Objects), select the business object whose permissions you want to check or manage.

You can see as subnodes the objects for which there are inherited permissions in the selected business object.

       7.      In the right pane, enter data in some of the attribute fields.

For example, if you want to see all instances created by the user Administrator, enter Administrator in the createdBy field.

       8.      Choose Find.

A list of the found entries is displayed.

       9.      Select an entry from the list.

Getting a Permissions Report

...

       1.      Follow the instructions above to select an instance entry.

       2.      Choose Show Permissions Report…

       3.      A report including the authorizations for the business object instance is displayed.

For more information, see Getting a Principal Authorization Report.

Changing Access Rights

...

       1.      Follow the instructions above to select an instance entry.

       2.      Choose Change Access Rights…

       3.      You can modify the permissions by using an Access Control List (ACL).

For more information, see Managing Access Control List.

Spreading of Propagated Permissions

You can see how the permission checks call stack happens in runtime.

...

       1.      Follow the instructions above to select an instance entry.

       2.      From the Permission Name dropdown list, select a permission.

For more information, see Composite Application Service Permissions.

       3.      Choose Spreading of Propagated Permissions tab page.

       4.      From the dropdown list, select one of the options below and choose Show to design how the result table is displayed:

○       Show all - retrieves all instances related to the selected one

○       Show path - retrieves related instances until the first permitted instance

You can invoke principal report or change access rights for each selected instance.

Getting Information About Available Permissions

For each principal, you can get permission information for all instances.

...

       1.      Select a principal.

For more information, see Managing Access Control List

       2.      From the Permission Name dropdown list, select a permission.

       3.      Choose Available Permissions tab page.

       4.      From the dropdown list, select one of the options below and choose Show to design how the result table is displayed.:

○       Show hierarchy – retrieves information structured hierarchically, so the real structure of related instances is shown as well as the available permissions for each instance.

○       Group by BE – retrieves information grouped by business entities, so you can see the information grouped by object type and instance.

Getting Information About Potential Problems

You can get information about potential problems.

Potential problems can be one of the following:

●      Recursive references – if there is a cycle in the references between instances, an endless recursion may appear.

●      Missed references – if there are instances for which the propagated permissions are kept on the data layer, but there are no existing relations between them.

●      Redundant references – if there are instances for which relations are kept on the data layer, but there is no information for propagated permissions between them.

●      Not existent objects – if there is information about propagated permissions, but the object does not exist anymore.

To display information about potential problems:

...

       1.      Choose Found Potential Problems tab page.

       2.      Choose Show.

       3.      Confirm the dialog and wait until the information is shown.

Example

For the newly created business object Bicycle, you want to create the following authorization rule:

User	Permission	Condition
Demo	Create	Only if wheel size of bicycle is between 24 and 28 inches.

...

To do this you would:

       1.      Create the business object Bicycle with the following attributes:

○       manufacturer (type is shortText)

○       wheel_size (type is integer)

       2.      In the Permissions tab page, activate all permission type indicators.

       3.      Create a business rule (Access Control List) for the user with the authorization tool of the CAF Runtime Configurator.

       4.      Add conditions to that rule with the following parameters:

Attribute	Low Value	High Value	Operator
wheel_size	24	28	between