
Service Permissions

Purpose

You can check the permissions of the entity service life cycle methods (create, read, update, delete and findby). Each of these methods must be executed only by authorized principals; a principal can be an individual user, a user group, or a role. For more information about principals, see Principal Types.

Permission Types

There are various types of permissions:

     Service level permissions - permissions grouped in business rules

     Instance level permissions - permissions for object instance operations based on the ACL (Access Control List)

     Propagated permissions - permissions based on the relationships between the entities

     Custom permissions - permissions that can be implemented by developers, allowing them to perform the authorization check in their own way.

For more information, see Service Permission Types.

Process Flow

Authorization checks are done in the following steps:


       1.      To provide user-role based authorizations, the User Management Engine (UME) 4.0 is used.

The UME can be configured as a pluggable user store in the security service of the Web Application Server (WAS). It comes with its own JSP-based administrative tool where users and roles can be maintained. Authorizations in back-end systems are not taken into account.

For more information about UME, see User Management Engine.

       2.      Since particular operations must be executed only by particular principals, an ACL defines these authorizations for a given object instance. The ACL authorizations are checked through its application program interface (API).

For more information about ACL, see Access Control List.

       3.      The main functionality necessary to check access rights for ACL, as well as to create, delete and modify permissions, is provided by the CAF Permission API (com.sap.caf.rt.security.acl.impl.CAFPermission).

For more information, see Predefined Permission Access Rights.

       4.      Once authorized, the principals can access the persistent data and the metadata of the application. The runtime authorization services provide the whole functionality related to data operations.

       5.      The entity services are represented by the core services. The core services do not contain any functionality, but only redirect calls from and to the runtime services.

       6.      To reduce the number of invocations to the metadata model repository (MMR), UME and ACL, a CAF permission cache is used.
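
The flow in steps 1, 2 and 6, modeled as an added example (not SAP code and not part of the original documentation): a default-deny check that resolves a principal's roles, consults an instance ACL, and caches the decision, invalidating cached entries when roles or ACL entries change so that a revoked permission does not linger in the cache. All class, method and sample names are hypothetical and none of them belong to the CAF, UME or ACL APIs; Java 16 or later is assumed.

```java
import java.util.*;
// Illustrative model only: these types are hypothetical, not SAP CAF/UME/ACL classes.
public class PermissionCheckSketch {
    enum Op { CREATE, READ, UPDATE, DELETE, FINDBY }
    record Key(String principal, String objectId, Op op) {}
    private final Map<String, Set<String>> roles = new HashMap<>();            // role store stand-in (step 1)
    private final Map<String, Map<String, EnumSet<Op>>> acl = new HashMap<>(); // instance ACL stand-in (step 2)
    private final Map<Key, Boolean> cache = new HashMap<>();                   // permission cache stand-in (step 6)
    int aclLookups = 0;                                                        // counts cache misses

    void assignRole(String principal, String role) {
        roles.computeIfAbsent(principal, k -> new HashSet<>()).add(role);
        cache.clear(); // a role change can alter any cached decision
    }

    void grant(String objectId, String subject, Op op) {
        acl.computeIfAbsent(objectId, k -> new HashMap<>())
           .computeIfAbsent(subject, k -> EnumSet.noneOf(Op.class)).add(op);
        invalidate(objectId);
    }

    void revoke(String objectId, String subject, Op op) {
        Map<String, EnumSet<Op>> entries = acl.get(objectId);
        if (entries != null && entries.containsKey(subject)) entries.get(subject).remove(op);
        invalidate(objectId); // otherwise a cached "allow" would outlive the revocation
    }
    private void invalidate(String objectId) { cache.keySet().removeIf(k -> k.objectId().equals(objectId)); }

    boolean isAllowed(String principal, String objectId, Op op) {
        return cache.computeIfAbsent(new Key(principal, objectId, op), k -> {
            aclLookups++;
            Map<String, EnumSet<Op>> entries = acl.getOrDefault(objectId, Map.of());
            Set<String> subjects = new HashSet<>(roles.getOrDefault(principal, Set.of()));
            subjects.add(principal); // ACL entries may name the user or one of its roles
            // Default deny: allowed only if some matching ACL entry lists the operation.
            return subjects.stream().anyMatch(s -> entries.containsKey(s) && entries.get(s).contains(op));
        });
    }

    public static void main(String[] args) {
        PermissionCheckSketch p = new PermissionCheckSketch();
        p.assignRole("alice", "editors");                 // constructed sample data
        p.grant("order-1", "editors", Op.UPDATE);
        System.out.println(p.isAllowed("alice", "order-1", Op.UPDATE)); // evaluated against the ACL
        System.out.println(p.isAllowed("alice", "order-1", Op.UPDATE)); // answered from the cache
        p.revoke("order-1", "editors", Op.UPDATE);
        System.out.println(p.isAllowed("alice", "order-1", Op.UPDATE)); // re-evaluated after revoke
        System.out.println("ACL lookups: " + p.aclLookups);
    }
}
```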

 
