
Implementing Custom Permission Checks

Use

When you implement custom permission checks, you do not need to preset instance-level permissions; you can compute the permissions on the fly. You do not need to switch off CAF security: your checks can complement it, or they can replace it entirely.

Prerequisites

Open the Permissions tab page and make sure that the Permission checks enabled indicator is set.

Procedure


       1.      Note the objectType of the business entity service for which you want to write additional security checks.

You can get it from the OBJECT_NAME constant in the generated instance class of the business entity.

       2.      Implement a stateless session bean with a local interface that inherits from com.sap.caf.rt.custperm.ICAFCustomPermission.

       3.      Open the VisualAdmin and, on the left panel, navigate to Server → Services → ConfigurationAdapter.

       4.      On the right panel, navigate to apps → sap.com → caf~runtime~ear → appcfg.

       5.      Switch to Edit mode and open the application.global.properties property sheet.

       6.      For the CAF_CUSTOM_AUTHORIZATION property, enter objectType = JNDIname, where objectType is the object type from step 1 and JNDIname is the JNDI name of the bean from step 2.

Note

You can add custom checking beans for other business entities by separating the entries with ;

To reset the property to its default value, enter a single ; as its value.

CAF now uses your implementation of CAFCustomPermission.checkAclPermission() to determine whether to grant access for a specific operation. You are not required to bypass the CAF security checks entirely; you can choose to only complement them. To do this, call CAFPermission.checkAclPermissionIgnoreCustomPerm(), which returns whether CAF would grant access if it were in charge. The parameters of checkAclPermissionIgnoreCustomPermissions() are a superset of the parameters of checkAclPermission():

•        object - the instance of the business entity

•        principal - the principal who requests access

•        permissionName - the type of access requested: read, delete, update or create

•        objectType - the object type of the business entity; using this you can implement custom checks for more than one business entity in a single bean

•        boRuleID - the ID of the business rule that you want to check; pass null if you want all business rules to be checked

•        mode - an OR-mask containing one or more of the following constants:

         •        CAFPermission.MODE_CHECK_FOR_INSTANCE - check instance level permissions

         •        CAFPermission.MODE_CHECK_FOR_BUSINESS_RULES - check business rules

         •        CAFPermission.MODE_CHECK_PROPAGATED_PERMISSIONS - check propagated permissions

         •        CAFPermission.MODE_CHECK_ALL - a shortcut for all of the above
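
The following added example (not SAP's code and not part of the original page) shows the complement pattern described above: a custom check enforces its own rule, then defers to CAF's own decision with all modes and all business rules, and denies access on any error. CafDefaultCheck, the String principal, the numeric mode values, and the object type and user names are stand-ins assumed for illustration; a real bean implements ICAFCustomPermission and delegates to the CAFPermission call named above.

```java
import java.util.Set;
public class ComplementingPermissionCheck {
    /** Hypothetical stand-in for CAF's own decision; parameters follow the list on the page. */
    interface CafDefaultCheck {
        boolean check(Object object, String principal, String permissionName,
                      String objectType, String boRuleID, int mode);
    }

    // Constructed placeholder values; the real constants are defined on CAFPermission.
    static final int MODE_CHECK_FOR_INSTANCE = 1;
    static final int MODE_CHECK_FOR_BUSINESS_RULES = 2;
    static final int MODE_CHECK_PROPAGATED_PERMISSIONS = 4;
    static final int MODE_CHECK_ALL = MODE_CHECK_FOR_INSTANCE
            | MODE_CHECK_FOR_BUSINESS_RULES | MODE_CHECK_PROPAGATED_PERMISSIONS;

    private final CafDefaultCheck caf;
    private final String handledObjectType;   // objectType this bean is registered for
    private final Set<String> mayDelete;      // hypothetical custom rule: who may delete

    ComplementingPermissionCheck(CafDefaultCheck caf, String type, Set<String> mayDelete) {
        this.caf = caf;
        this.handledObjectType = type;
        this.mayDelete = mayDelete;
    }

    /** Grants access only if the custom rule AND CAF's own check both allow it. */
    boolean checkAclPermission(Object object, String principal,
                               String permissionName, String objectType) {
        // Fail closed on incomplete input or an object type this bean does not handle.
        if (principal == null || permissionName == null
                || !handledObjectType.equals(objectType)) return false;
        if ("delete".equals(permissionName) && !mayDelete.contains(principal)) return false;
        try {
            // boRuleID = null: check all business rules, as the page describes.
            return caf.check(object, principal, permissionName, objectType, null, MODE_CHECK_ALL);
        } catch (RuntimeException e) {
            return false;   // an error in the delegated check must not grant access
        }
    }
    public static void main(String[] args) {
        CafDefaultCheck cafAllowsAll = (o, p, perm, type, rule, mode) -> true;
        ComplementingPermissionCheck bean = new ComplementingPermissionCheck(
                cafAllowsAll, "demo.Order", Set.of("alice"));   // constructed names
        Object order = new Object();
        System.out.println(bean.checkAclPermission(order, "bob", "read", "demo.Order"));
        System.out.println(bean.checkAclPermission(order, "bob", "delete", "demo.Order"));
        System.out.println(bean.checkAclPermission(order, "alice", "delete", "demo.Order"));
    }
}
```

Because the custom rule and the delegated CAF result are combined with a logical AND, the custom bean can only narrow what CAF would grant, never widen it.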

 

 
