Show TOC Start of Content Area

Background documentation Service Permission Types  Locate the document in its SAP Library structure

CAF supports the following permission types:

·        Service level permissions

·        Instance level permissions

·        Propagated permissions

·        Custom permissions

Service Level Permissions

You can define these permissions for an entity service and they are valid for all of its instances. You can group them into business rules. The logical operation OR is established among business rules.

Example

For example, if a certain principal in rule1 for attribute1  does not have permission to read an object, but has permission to read in rule2 for attribute2, the principal is permitted to read the object.

For each business rule you can define conditions (situations for which the business rule is available). The logical operation AND is established among conditions for different attributes and OR among conditions for the same attribute..

Example

For example, if condition1 is true, but condition2 is false, the business rule is not established, so the permission is not granted.

To assign service level permission to principals using the Authorization Assignment application, you must enable the option Permissions checks enabled for the entity service at design time.

More information:

¡         Permissions Tab Page

¡        Assigning Authorizations

Instance Level Permissions

You can define permissions on an instance level only for a single instance of a particular entity service. These permissions can be managed using an API.

To assign the instance level permission to principals, you must enable the optionPermissions at instance level at design time.

After you generate the application you automatically get three more methods in the service bean for this business entity:

 

void addPermission(com.sap.security.api.IPrincipal principal,

                   String permission,

                   String user,

                   String key)     

 

void removePermission(com.sap.security.api.IPrincipal principal,

                      String permission,

                      String user,

                      String key)     

                                                                        

Collection getPrincipalPermission(String permission,

                                  String user,

                                  String key)

                                                                                                              

/*

 

  principal – an Application Server Java principal (user, role or group) which will be assigned/removed permissions.

You can use the security API to obtain a desired instance of IPrincipal.                                                                                  

 

  key - the GUID of the business entity instance (use the method getKey() to obtain it) for which permissions are to be given to/taken from the aforementioned principal.     

                                                                                  

  user - unique id (see IPrincipal.getUniqueID()) of the user which performs the permissions manipulation. This user should have an “owner” permission for the entity instance. The user which creates an entity instance automatically gets an “owner” permission for it.

 

  permission - one of "create", "read", "update", "delete", "fullcontrol" and “owner”.

 

 

*/

More information:

...

¡        Permissions Tab Page

¡        Assigning Authorizations

Propagated Permissions

You can use propagated permissions to reduce the complexity and maintenance efforts of restricting the access rights for entity services. These permissions allow you to store access rights only for one single instance of the entities that belong to the relationship network and determine the permissions for the related entities automatically.

Propagation of permissions does not require additional assigning permissions to principals because the permissions assigned for a parent instance are propagated to its related instances.

Example

For example, if the entity Student has a unidirectional reference to entity Course and  permissions propagation over this reference is established, everyone who has permission to access a specific instance of entity Student will have the same permission for the associated instance of entity Course.

The permissions of the object Course do not depend on any characteristics of the object Course, but only on its relation with the object Student. The maintenance of permissions may be done only for object Student. During the permission check for object Course, the permissions for object Student are checked automatically.

More information: Managing Propagated Permissions

Custom Permissions

The main purpose of the custom permissions is to allow developers to implement checking of permissions and manage these checks with custom code without defining instance level permissions.

To implement the custom permissions check, use the following method:

Syntax

CAFPermission.checkAclPermissionIgnoreCustomPerm()

It performs the same permission checks as the CAFPermission.checkAclPermission()method except for custom checks. Custom checks are not performed to avoid recursive invocations.

More information: Implementing Custom Permission Checks

End of Content Area