In this post, you will learn about Authorization Control in ABAP RESTful Application Programming.

Authorization Control

Authorization control in RAP protects the RAP BO from unauthorized access to its data. The authorizations of consumers are managed and maintained by the system administrator, but developers sometimes need to implement the corresponding checks themselves.

Authorization checks for read operations are handled by the CDS entities (via access control), while the checks for modify operations are handled in the behavior definition and its implementation.

Authorization Checks for Read Operations

  • ABAP CDS provides its own authorization concept based on a data control language (DCL).
  • Access control allows you to limit the results returned by a CDS entity to those results you authorize a user to see.
  • DCL is evaluated automatically in the managed scenario, but has to be handled explicitly in the unmanaged scenario.

Authorization Checks for Modify Operations

  • Authorization is defined in the behavior definition and implemented in the authorization methods of the behavior implementation class.
  • The authorization methods are called at runtime at a defined point in time, before the actual modify operation is executed.

Global Authorization

Global authorization is used for all authorization checks that depend only on conditions which are not specific to an entity instance, for example checking whether the user is authorized for the operation at all, independent of the instance. Global authorizations can be set for the following operations.

  • Create
  • Create-by-association
  • Update
  • Delete
  • Static Actions
  • Instance Actions

Instance Authorization

Instance authorization is used for all authorization checks that depend on the state of the entity instance, for example an authorization that depends on a field value of the instance. Instance authorizations can be set for the following operations.

  • Create-by-association
  • Update
  • Delete
  • Instance Actions

Authorization Check against Incoming Values (Precheck)

Authorization checks against incoming values (for example the new field values of an update) can be implemented in the precheck method of the corresponding operation.

How to implement Authorizations in RAP BO?

Authorization Definition

Authorization is defined in the behavior definition of a RAP business object.

Entity Level

... authorization master {( global )
                         |( instance )
                         |( global, instance )}
  | authorization dependent by _Assoc ...

Authorization Master – An entity is defined as authorization master if the operations of this entity have their own authorization implementation. Only the root entity can be an authorization master.

Authorization Dependent – Authorization control from the authorization master entity is applied for the operations of this entity.

Operation Level

... authorization:none
... authorization:update

Authorization Exclusion – The addition authorization: none on an operation means that the operation is excluded from the authorization checks.

Authorization Delegation – The addition authorization: update on an operation specifies that the authorization check that is implemented for the update operation will be used for this operation as well.

Authorization can be delegated for the following operations:

  • delete
  • create-by-association
  • actions
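The following behavior definition is an added example (not from the page or from SAP's demo objects) that combines the additions above: an authorization master root entity, a dependent child entity, exclusion for a harmless action, and delegation of delete and create-by-association to the update check. The names ZI_Demo_Order, ZI_Demo_OrderItem, zbp_demo_order, the actions Print and Release and the association _Items/_Order are assumptions.

```abap
unmanaged implementation in class zbp_demo_order unique;

// Root entity: owns the authorization implementation for itself and its children
define behavior for ZI_Demo_Order alias Order
authorization master ( global, instance )
lock master
{
  field ( readonly ) OrderId;

  create;                                   // global check only: no instance exists yet
  update;                                   // global check + instance check
  delete ( authorization : update );        // delegation: reuses the update check
  action ( authorization : none ) Print;    // exclusion: no authorization check at all
  action Release;                           // global check + instance check (instance action)

  // create-by-association also delegates to the update check of the order
  association _Items { create ( authorization : update ); }
}

// Child entity: its operations are checked through the authorization master (Order)
define behavior for ZI_Demo_OrderItem alias Item
authorization dependent by _Order
lock dependent by _Order
{
  field ( readonly ) OrderId, ItemNo;

  update;
  delete;
  association _Order;
}
```

With this definition the implementation class only has to answer %update and %action-Release in its authorization methods; delete and create-by-association never reach them separately, and Print is never checked.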

Unmanaged Global Authorization Checks

For code reference, let us look at the demo behavior definition DEMO_RAP_UNMANAGED_AUTH, which consists of a CDS entity, a behavior definition and a behavior class. The FOR GLOBAL AUTHORIZATION method of its behavior class is shown below.

  METHOD get_global_auth.
    DATA: update_granted TYPE abap_bool,
          delete_granted TYPE abap_bool.

    " global authorization for update requests
    IF requested_authorizations-%update EQ if_abap_behv=>mk-on.

      " full access granted
      update_granted = abap_true.

      IF update_granted = abap_true.
        result-%update = if_abap_behv=>auth-allowed.
      ELSE.
        result-%update = if_abap_behv=>auth-unauthorized.
        APPEND VALUE #( %msg      = new_message_with_text(
                        severity = if_abap_behv_message=>severity-error
                        text = 'operation not authorized!' ) )
                        TO reported-demo_rap_unmanaged_auth.
      ENDIF.
    ENDIF.

    " global authorization for delete requests
    IF requested_authorizations-%delete EQ if_abap_behv=>mk-on.

      " access for delete operations denied globally
      delete_granted = abap_false.

      IF delete_granted = abap_true.
        result-%delete = if_abap_behv=>auth-allowed.
      ELSE.
        result-%delete = if_abap_behv=>auth-unauthorized.
        APPEND VALUE #( %msg      = new_message_with_text(
                        severity = if_abap_behv_message=>severity-error
                        text = 'operation not authorized!' ) )
                        TO reported-demo_rap_unmanaged_auth.
      ENDIF.
    ENDIF.
  ENDMETHOD.

Unmanaged Instance and Global Authorization checks

The demo behavior definition DEMO_UNMANAGED_ROOT_DRAFT is a good example of using both global and instance checks together. In this case the methods FOR INSTANCE AUTHORIZATION and FOR GLOBAL AUTHORIZATION are both implemented.
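As an added example of the instance side (not SAP's demo code), the FOR INSTANCE AUTHORIZATION method below grants update and the Release action only while an order is still open, and reports unknown keys as not found rather than granting anything. The entity ZI_Demo_Order (alias Order), the table zdemo_order with fields order_id and status, the action Release and the closed status 'C' are all assumptions of this example.

```abap
  " Assumed declaration in the local handler class:
  " METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
  "   IMPORTING keys REQUEST requested_authorizations FOR Order RESULT result.
  METHOD get_instance_authorizations.
    " Guard: FOR ALL ENTRIES with an empty driver table would select every row
    IF keys IS INITIAL.
      RETURN.
    ENDIF.

    " Read only the requested instances (zdemo_order/status are assumed names)
    SELECT order_id, status
      FROM zdemo_order
      FOR ALL ENTRIES IN @keys
      WHERE order_id = @keys-OrderId
      INTO TABLE @DATA(orders).

    LOOP AT keys INTO DATA(key).
      READ TABLE orders INTO DATA(order) WITH KEY order_id = key-OrderId.
      IF sy-subrc <> 0.
        " Unknown instance: report it as not found, grant nothing
        APPEND VALUE #( OrderId = key-OrderId
                        %fail   = if_abap_behv=>cause-not_found ) TO failed-order.
        CONTINUE.
      ENDIF.

      " Fail closed: every checked operation starts as unauthorized
      APPEND VALUE #( OrderId         = key-OrderId
                      %update         = if_abap_behv=>auth-unauthorized
                      %action-Release = if_abap_behv=>auth-unauthorized )
             TO result ASSIGNING FIELD-SYMBOL(<auth>).

      " Instance condition: only open orders may be changed or released
      DATA(is_open) = xsdbool( order-status <> 'C' ).
      IF requested_authorizations-%update = if_abap_behv=>mk-on AND is_open = abap_true.
        <auth>-%update = if_abap_behv=>auth-allowed.
      ENDIF.
      IF requested_authorizations-%action-Release = if_abap_behv=>mk-on AND is_open = abap_true.
        <auth>-%action-Release = if_abap_behv=>auth-allowed.
      ENDIF.

      IF is_open = abap_false.
        APPEND VALUE #( OrderId = key-OrderId
                        %msg    = new_message_with_text(
                                    severity = if_abap_behv_message=>severity-error
                                    text     = 'Order is closed and cannot be changed' ) )
               TO reported-order.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
```

Because delete and create-by-association are delegated to update in the behavior definition, they are covered by the %update decision here and need no separate branch.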

Reference: https://help.sap.com/docs/btp/sap-abap-restful-application-programming-model/authorization-control
