Protecting Access to Business Object Operations
You can protect access to business object CRUD (create, read, update, delete) operations. Query operations are also protected: when they are executed, the read permission is checked.
...
1. In the Composite Application Explorer, open the business object node whose permissions you want to configure.
2. Open the Permissions tab page.
To enable permissions checking, enable the Permission checks enabled indicator.
This option indicates that the business object is secured and that permission checks are performed for its CRUD (create, read, update, delete) methods. If the option is enabled, code that performs the permission checks is added to every CRUD method.
At runtime, the permission checks are performed for the principal who is currently working with the application. You can assign permissions to principals using the Authorization Assignment.
You can assign service permissions to protect business object operations.

You must have the SAP_CAF_ADMIN role assigned.
3. Log on to the CAF runtime using the following URL: http://<host>:<port>/caf.
Replace <host> and <port> with the Application Server (AS) Java host and port.
4. Choose Administrative tools → Authorization Assignment.
5. From the Secured Business Objects pane, select the business object whose permissions you want to manage.
The Business Rules List (BRL), the Access Control List (ACL) and the Conditions List are reloaded with data about the selected business object.
6. You can add, remove or delete business rules.
More information: Managing Business Rules List.
7. For each selected business rule, you can manage its ACL and conditions.
More information:
- Managing Access Control List
...
1. In the Composite Application Explorer, open the business object node whose permissions you want to configure.
2. Open the Permissions tab page.
3. Enable the Permission checks enabled indicator.
4. To enable custom permissions setting and checking for each business object instance, enable the Permission on instance level indicator.
This option provides an API through which permissions can be set for every instance of the business object. It can only be activated if you have enabled the Permission checks enabled indicator. The Owner permission is assigned by default to the current user. This permission allows the modification of the instance permissions. The API is generated as part of the business object service, and consists of the following methods:
void addPermission(IPrincipal principal, String permission, String user, String key) throws CAFBONodeException;
void removePermission(IPrincipal principal, String permission, String user, String key) throws CAFBONodeException;
Map<IPrincipal, Set<String>> getPrincipalPermissions(IPrincipal principal, String permission, String user, String key) throws CAFBONodeException;
/*
 * getPrincipalPermissions() returns a set of permissions per principal.
 * If principal is null, the permissions for all principals are returned.
 * If permission is null, all permissions are returned.
 */
/*
 * principal  - an Application Server Java principal (user, role or group) to which
 *              permissions are assigned/removed; you can use the security API to
 *              obtain a desired instance of a principal
 * key        - the GUID of the business object instance (use the method getKey() to
 *              obtain it) for which permissions are given to the principal
 * user       - unique id (see IPrincipal.getUniqueID()) of the user that performs the
 *              permissions manipulation; must have an "owner" permission
 * permission - can be one of the following: "create", "read", "update", "delete",
 *              "fullcontrol" or "owner"
 */
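The following is an added example, not SAP's or the generated service's own code: a least-privilege review of one instance's permissions using the three methods listed above. The types IPrincipal, CAFBONodeException and InstancePermissions are minimal stand-ins declared in the block so that it compiles without the SAP libraries, and the in-memory service, unique IDs and GUID in main() are constructed sample data.

```java
import java.util.*;

public class InstanceAclReview {
    static final Set<String> BROAD = Set.of("owner", "fullcontrol");

    // For every principal except ownerId, replace "owner"/"fullcontrol" on the instance
    // with "read"; returns the unique IDs that were changed.
    static List<String> downgradeBroadGrants(InstancePermissions svc, String ownerId, String key)
            throws CAFBONodeException {
        List<String> changed = new ArrayList<>();
        // null principal and null permission: all permissions of all principals
        Map<IPrincipal, Set<String>> acl = svc.getPrincipalPermissions(null, null, ownerId, key);
        for (Map.Entry<IPrincipal, Set<String>> e : new ArrayList<>(acl.entrySet())) {
            IPrincipal p = e.getKey();
            if (p.getUniqueID().equals(ownerId)) continue;
            boolean hit = false;
            for (String perm : new ArrayList<>(e.getValue())) { // copy: the service may change the set
                if (BROAD.contains(perm)) { svc.removePermission(p, perm, ownerId, key); hit = true; }
            }
            if (hit) { svc.addPermission(p, "read", ownerId, key); changed.add(p.getUniqueID()); }
        }
        Collections.sort(changed);
        return changed;
    }

    public static void main(String[] args) throws CAFBONodeException {
        // Constructed in-memory stand-in for the generated service, with constructed data.
        Map<IPrincipal, Set<String>> store = new LinkedHashMap<>();
        InstancePermissions svc = new InstancePermissions() {
            public void addPermission(IPrincipal p, String perm, String u, String k) { store.get(p).add(perm); }
            public void removePermission(IPrincipal p, String perm, String u, String k) { store.get(p).remove(perm); }
            public Map<IPrincipal, Set<String>> getPrincipalPermissions(IPrincipal p, String perm, String u, String k) { return store; }
        };
        IPrincipal owner = () -> "owner-id", role = () -> "contractors-role-id";
        store.put(owner, new HashSet<>(Set.of("owner")));
        store.put(role, new HashSet<>(Set.of("fullcontrol", "update")));
        System.out.println(downgradeBroadGrants(svc, "owner-id", "constructed-guid") + " -> " + store.get(role));
    }
}

// Stand-ins (assumptions) so the file compiles without the SAP libraries.
interface IPrincipal { String getUniqueID(); }
class CAFBONodeException extends Exception {}
// The three methods this page lists for the generated business object service.
interface InstancePermissions {
    void addPermission(IPrincipal p, String perm, String user, String key) throws CAFBONodeException;
    void removePermission(IPrincipal p, String perm, String user, String key) throws CAFBONodeException;
    Map<IPrincipal, Set<String>> getPrincipalPermissions(IPrincipal p, String perm, String user, String key)
            throws CAFBONodeException;
}
```

In a CAF project, drop the stand-in types and pass the generated business object service and the instance's getKey() value instead; the user argument must be the unique ID of a principal holding the "owner" permission on that instance.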