Approaches to Protecting Applications

Background documentation

What you want to protect in your application determines your approach. The approaches are as follows:

  • Protecting access

  • Protecting actions

  • Protecting instances

Recommendation

The approaches are presented here in order of ease of implementation. We recommend that you choose the easiest approach that still meets your security requirements, because each step up (from access to actions to instances) adds development and maintenance effort.

End of the recommendation.
Protecting Access

SAP NetWeaver supports start permissions to protect access to an application as a whole: the check happens once, when the user starts the application, not for individual operations inside it. For Java EE web applications, use security constraints in the deployment descriptor (web.xml) to protect servlets and other URL resources.

Example

You have an application that processes sales orders. Access protection means that users must have the required permission to start or access the application.

End of the example.

More information: Getting Started.
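The following is an added example, not code from SAP NetWeaver or from this page: it parses a constructed web.xml fragment with Java EE security constraints and evaluates whether a request may start the protected resource, so that the effect of a start-permission style check can be seen end to end. The matcher implements the Servlet specification's url-pattern precedence (exact, then longest path prefix, then extension, then default) and simplifies its constraint-combination rules to "best-matching pattern wins, roles on that pattern are unioned"; the fragment, the role names, and the paths are assumptions made for this example.

```python
"""Evaluate Java EE <security-constraint> declarations for a request (illustrative)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed web.xml fragment, made up for this example (not from the page).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sales orders</web-resource-name>
      <url-pattern>/sales/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SalesClerk</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sales administration</web-resource-name>
      <url-pattern>/sales/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SalesAdmin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports, GET only (other methods stay uncovered)</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Auditor</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal resources, never served to a user</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


@dataclass
class Constraint:
    patterns: List[str]
    methods: Set[str]            # empty set: the constraint covers all methods
    roles: Optional[Set[str]]    # None: no <auth-constraint>; empty set: deny everyone


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]      # strip the XML namespace from the tag


def _texts(elem, name: str) -> List[str]:
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def parse_constraints(web_xml: str) -> List[Constraint]:
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods = [], set()
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods |= {m.upper() for m in _texts(wrc, "http-method")}
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        roles = set(_texts(auth[0], "role-name")) if auth else None
        out.append(Constraint(patterns, methods, roles))
    return out


def match_score(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Specificity of a url-pattern match in Servlet-spec order, or None if no match."""
    if pattern == path:
        return (3, len(pattern))                     # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                  # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                                # extension match
    if pattern == "/":
        return (0, 0)                                # default servlet
    return None


def is_access_allowed(constraints: Iterable[Constraint], path: str, method: str,
                      user_roles: Iterable[str], authenticated: Optional[bool] = None) -> bool:
    """Decide whether the request may start the resource under these constraints."""
    user_roles = set(user_roles)
    authenticated = bool(user_roles) if authenticated is None else authenticated
    best, applicable = None, []
    for c in constraints:
        if c.methods and method.upper() not in c.methods:
            continue                                 # uncovered method: constraint is silent
        for p in c.patterns:
            score = match_score(p, path)
            if score is None:
                continue
            if best is None or score > best:
                best, applicable = score, [c]
            elif score == best and c not in applicable:
                applicable.append(c)
    if not applicable:
        return True                                  # nothing covers the resource
    if any(c.roles is None for c in applicable):
        return True                                  # no <auth-constraint>: unrestricted
    allowed = set().union(*(c.roles for c in applicable))
    if not allowed:
        return False                                 # empty <auth-constraint/>: nobody
    if "*" in allowed and authenticated:
        return True                                  # any authenticated user
    return bool(allowed & user_roles)


CONSTRAINTS = parse_constraints(WEB_XML)
```

The practitioner's check this exposes is the `/reports/*` constraint: because it lists `<http-method>GET</http-method>`, a POST to the same path matches no constraint and is served to anyone. Omit `<http-method>` so a constraint covers all methods (Servlet 3.1 containers can additionally declare `<deny-uncovered-http-methods/>`), and note that an empty `<auth-constraint/>` is the idiom for resources that must never be served directly.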

Protecting Actions

With this approach you protect specific actions within an application.

Example

You have an application that processes sales orders. Protecting actions means that users must have the required permission to perform a specific action within the application, for example to approve a sales invoice. The permission covers the action for every sales invoice; it does not distinguish between individual invoices.

End of the example.

More information: Declarative and Programmatic Authorization.

Protecting Instances

Use access control lists (ACLs) to protect individual instances of particular objects. Working with ACLs requires a high level of programming knowledge and competence, and ACL-based protection is time- and cost-intensive to maintain. SAP NetWeaver does not provide a user interface for managing ACLs; you must build your own. The UME provides an API for the management of ACLs.

For checks that are not instance-based, use action-based protection instead.

Example

You have an application that processes sales orders. Protecting instances means that users must have the required permission to approve a particular sales invoice with the application.

End of the example.

An ACL is a two-dimensional table with actions on one axis and users on the other. The table is attached to a particular instance of an object type. Whenever a user accesses that instance, the system looks up the table to determine whether that user may perform the requested action on that instance.
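The following is an added example that models both the action-based protection described under Protecting Actions and the instance-based ACL table described here; it is illustrative code written for this page, not the UME ACL API or any SAP code. `ActionPermissions` holds per-user action grants that apply to every instance, `Acl` is the actions x users table attached to one object instance, and `authorize` performs the action check first and the instance check only when an object is named. The users, invoice IDs, and action names are assumptions.

```python
"""Action-based versus instance-based (ACL) protection, as a model (illustrative)."""
from collections import defaultdict
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY_ACTION = "user lacks the action permission"
    DENY_INSTANCE = "ACL of the instance does not grant the action"
    DENY_NO_ACL = "no ACL attached to the instance (fail closed)"


class ActionPermissions:
    """Action-based protection: a grant covers the action for every instance."""

    def __init__(self) -> None:
        self._by_user: Dict[str, set] = defaultdict(set)

    def grant(self, user: str, action: str) -> None:
        self._by_user[user].add(action)

    def allows(self, user: str, action: str) -> bool:
        return action in self._by_user.get(user, set())


class Acl:
    """Two-dimensional table (actions x users) attached to one object instance."""

    def __init__(self, object_id: str, actions: Iterable[str]) -> None:
        self.object_id = object_id
        self.actions: Tuple[str, ...] = tuple(actions)
        self._cells: Dict[Tuple[str, str], bool] = {}   # (user, action) -> granted

    def grant(self, user: str, action: str) -> None:
        if action not in self.actions:
            raise ValueError(f"{action!r} is not an action of {self.object_id}")
        self._cells[(user, action)] = True

    def revoke(self, user: str, action: str) -> None:
        self._cells.pop((user, action), None)

    def allows(self, user: str, action: str) -> bool:
        return self._cells.get((user, action), False)

    def as_table(self) -> Dict[str, Dict[str, bool]]:
        """One row per user, one column per action; what a management UI would show."""
        users = sorted({u for u, _ in self._cells})
        return {u: {a: self.allows(u, a) for a in self.actions} for u in users}


class AclStore:
    """Maps object instances to their ACLs (the role a UME-backed store would play)."""

    def __init__(self) -> None:
        self._acls: Dict[str, Acl] = {}

    def attach(self, acl: Acl) -> None:
        self._acls[acl.object_id] = acl

    def get(self, object_id: str) -> Optional[Acl]:
        return self._acls.get(object_id)


def authorize(perms: ActionPermissions, store: AclStore, user: str, action: str,
              object_id: Optional[str] = None) -> Decision:
    """Action check first; instance check only when an object_id is given.

    Without an object_id this is the plain action-based check the page recommends
    for protections that are not instance-based.
    """
    if not perms.allows(user, action):
        return Decision.DENY_ACTION
    if object_id is None:
        return Decision.ALLOW
    acl = store.get(object_id)
    if acl is None:
        # Design choice for this example (assumption): an instance without an
        # ACL is not silently open. A real application must decide this explicitly.
        return Decision.DENY_NO_ACL
    return Decision.ALLOW if acl.allows(user, action) else Decision.DENY_INSTANCE


def demo_setup() -> Tuple[ActionPermissions, AclStore]:
    """Constructed sample data (assumed): two sales invoices, three users."""
    perms = ActionPermissions()
    for user in ("alice", "carol"):
        perms.grant(user, "approve_invoice")
    for user in ("alice", "bob", "carol"):
        perms.grant(user, "view")

    store = AclStore()
    inv_4711 = Acl("INV-4711", ["view", "approve_invoice"])
    inv_4711.grant("alice", "view")
    inv_4711.grant("alice", "approve_invoice")
    inv_4711.grant("bob", "view")
    store.attach(inv_4711)

    inv_4712 = Acl("INV-4712", ["view", "approve_invoice"])
    inv_4712.grant("carol", "view")
    inv_4712.grant("carol", "approve_invoice")
    inv_4712.grant("bob", "approve_invoice")   # cell is set, but bob lacks the action grant
    store.attach(inv_4712)
    return perms, store
```

The layering is the point: an ACL cell on INV-4712 does not let bob approve it, because the action-level permission is checked first, and alice, who may approve invoices in general, is still refused on INV-4712 because that instance's table has no cell for her. Maintaining such a table per instance (creating it when the object is created, revoking cells when users leave) is the cost the text warns about.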

More information:

SAP Help Portal: http://help.sap.com/javadocs