In this post, you will learn about Authorization Control in the ABAP RESTful Application Programming Model (RAP).
Authorization Control
Authorization control in RAP protects a RAP business object (BO) from unauthorized access to its data. Which user holds which authorization is administered by the system administrator through roles and profiles, but the checks themselves have to be implemented by the developer: the RAP framework only calls the checks that the behavior definition declares and the behavior class implements.
Authorization checks for read operations are handled by CDS access control on the CDS entities; checks for modify operations are declared in the behavior definition and implemented in the behavior class.
Authorization Checks for Read Operations
- ABAP CDS provides its own authorization concept based on a data control language (DCL): an access control (role) attached to a CDS entity.
- An access control limits the result of a CDS entity to the rows the user is authorized to see. It is a row filter that ABAP SQL evaluates on every read of the entity, unless the entity is annotated with @AccessControl.authorizationCheck: #NOT_REQUIRED or the read uses WITH PRIVILEGED ACCESS.
- In a managed scenario the framework reads through the CDS entity, so the DCL is evaluated automatically. In an unmanaged scenario the developer implements the read method, so the DCL only takes effect if that method selects from the CDS entity rather than from the underlying database table; otherwise the read check has to be coded explicitly.
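The unmanaged read caveat above, as an added example that is not code from the page or from SAP's demo objects. It assumes a hypothetical CDS entity ZI_Travel_Auth over a hypothetical table ztravel, a hypothetical authorization object ZTRAVLAUTH with fields AGENCYID and ACTVT, and a hypothetical access control on the entity (quoted in the comment header); all of these names are assumptions. The read method that selects from the table bypasses the DCL; the one that selects from the entity gets the row filter for free.

```abap
" Added example, not from the page or from SAP demo objects.
" Assumed objects: CDS entity ZI_Travel_Auth (annotated with
" @AccessControl.authorizationCheck: #CHECK) over database table ztravel,
" authorization object ZTRAVLAUTH with fields AGENCYID and ACTVT, and this
" access control (DCL source, reproduced here as a comment):
"
"   @MappingRole: true
"   define role ZI_TRAVEL_AUTH_ACC {
"     grant select on ZI_Travel_Auth
"       where ( AgencyID ) = aspect pfcg_auth( ZTRAVLAUTH, AGENCYID, ACTVT = '03' );
"   }

CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS read FOR READ
      IMPORTING keys FOR READ travel RESULT result.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.

  METHOD read.
    LOOP AT keys INTO DATA(key).

      " Bypasses the access control: the DCL role is attached to the CDS
      " entity, not to the table, so this hands out any travel by key.
      " (SELECT ... FROM zi_travel_auth WITH PRIVILEGED ACCESS bypasses it too.)
      "
      "   SELECT SINGLE travel_id, agency_id, customer_id, overall_status, last_changed_at
      "     FROM ztravel WHERE travel_id = @key-TravelID INTO @DATA(row).

      " Applies the access control: ABAP SQL evaluates the DCL role on every
      " read of the entity, so rows outside the user's agencies are filtered out.
      SELECT SINGLE TravelID, AgencyID, CustomerID, OverallStatus, LastChangedAt
        FROM zi_travel_auth
        WHERE TravelID = @key-TravelID
        INTO @DATA(travel).

      IF sy-subrc = 0.
        APPEND CORRESPONDING #( travel ) TO result.
      ELSE.
        " A filtered row and a missing row look identical to the caller, which
        " is intended: reporting 'unauthorized' here would turn the read into
        " an existence oracle for travels of other agencies.
        APPEND VALUE #( %tky        = key-%tky
                        %fail-cause = if_abap_behv=>cause-not_found )
          TO failed-travel.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

ENDCLASS.
```

In a managed scenario the framework's own read already goes through the CDS entity, so only the DCL role is needed there; the explicit SELECT against the entity is what an unmanaged implementation has to do itself. Keep WITH PRIVILEGED ACCESS for internal reads that must see all rows, never for data returned to the consumer.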
Authorization Checks for Modify Operations
- Authorization for modify operations is declared in the behavior definition and implemented in the authorization methods of the behavior class.
- The RAP framework calls these methods at runtime, before the modify operation is executed; an instance or operation for which the method returns auth-unauthorized is rejected and reported as failed.
Global Authorization
Global authorization is used for all checks that depend only on conditions which are not specific to an entity instance, for example an AUTHORITY-CHECK against an authorization object that uses no instance field ("may this user update travels at all?"). Global authorization can be defined for the following operations:
- Create
- Create-by-association
- Update
- Delete
- Static Actions
- Instance Actions
Instance Authorization
Instance authorization is used for all checks that depend on the state of the entity instance, for example a check that uses a field value of the instance such as its owner or its status. Since the instance has to exist, instance authorization is not available for create. It can be defined for the following operations:
- Create-by-association
- Update
- Delete
- Instance Actions
Authorization Checks against Incoming Values (Precheck)
Values that arrive with the request, for example the fields of an instance to be created or the new values of an update, are not yet part of a persisted instance, so the instance authorization cannot check them. They are checked in the precheck method of the operation, which rejects the request before the values reach the modify operation and the application buffer.
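A precheck that guards incoming values, as an added example that is not code from the page or from SAP's demo objects. It assumes a hypothetical behavior definition that declares `create ( precheck );` for an entity with alias travel, a behavior class zbp_i_travel_auth, and a hypothetical authorization object ZTRAVLAUTH with fields AGENCYID and ACTVT; all names are assumptions.

```abap
" Added example (assumed names): precheck for create in behavior class
" zbp_i_travel_auth. Assumes the behavior definition declares
" 'create ( precheck );' for entity alias travel, and the authorization
" object ZTRAVLAUTH with fields AGENCYID and ACTVT.
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS precheck_create FOR PRECHECK
      IMPORTING entities FOR CREATE travel.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.

  METHOD precheck_create.
    " The instance does not exist yet, so there is no %tky; incoming
    " entities are identified by their content ID %cid.
    LOOP AT entities INTO DATA(entity).

      " Check the incoming AgencyID, i.e. the value the caller is trying to
      " write, against the user's authorizations (ACTVT '01' = create).
      " An AgencyID the caller did not supply is checked as initial, which
      " fails unless the role explicitly allows it.
      AUTHORITY-CHECK OBJECT 'ZTRAVLAUTH'
        ID 'AGENCYID' FIELD entity-AgencyID
        ID 'ACTVT'    FIELD '01'.

      IF sy-subrc <> 0.
        " Marking the entity as failed with cause 'unauthorized' stops it
        " before it reaches the create operation and the application buffer.
        APPEND VALUE #( %cid        = entity-%cid
                        %fail-cause = if_abap_behv=>cause-unauthorized )
          TO failed-travel.
        APPEND VALUE #( %cid = entity-%cid
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = |Not authorized to create travels for agency { entity-AgencyID }| ) )
          TO reported-travel.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

ENDCLASS.
```

The same pattern applies to `update ( precheck )` when the new value of a field must be authorized (for example moving a travel to another agency): the precheck sees the incoming value, while the instance authorization only sees the value currently stored.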
How to implement Authorizations in RAP BO?
Authorization Definition
Authorization is defined in the behavior definition of a RAP business object.
Entity Level
... authorization master { ( global ) | ( instance ) | ( global, instance ) }
... authorization dependent by _Assoc ...
Authorization Master – An entity is defined as authorization master if the operations of this entity have their own authorization implementation. The addition in parentheses declares which methods the behavior class implements: global, instance, or both. If authorization control is defined for a BO, its root entity must be an authorization master; a child entity is either an authorization master in its own right or an authorization dependent.
Authorization Dependent – The authorization control of the authorization master entity reached through the association (_Assoc) is applied to the operations of this entity; the dependent entity has no authorization methods of its own.
Operation Level
... ( authorization : none )
... ( authorization : update )
Authorization Exclusion – The addition ( authorization : none ) on an operation excludes that operation from all authorization checks. Use it only for operations that are harmless by construction, because nothing else will stop an unauthorized caller.
Authorization Delegation – The addition ( authorization : update ) on an operation specifies that the authorization check implemented for the update operation is used for this operation as well, so one implementation covers several operations.
Authorization can be delegated for the following operations:
- delete
- create-by-association
- actions
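A behavior definition that uses every addition from this section, as an added example for a hypothetical unmanaged BO with root entity ZI_Travel_Auth, child entity ZI_Booking_Auth, and behavior class zbp_i_travel_auth. It is not SAP demo code, and all entity, field, association and action names are assumptions.

```abap
// Added example (assumed names): behavior definition source for an unmanaged BO.
unmanaged implementation in class zbp_i_travel_auth unique;
strict ( 2 );

define behavior for ZI_Travel_Auth alias travel
lock master
// Root entity: owns the checks. 'global' -> get_global_authorizations,
// 'instance' -> get_instance_authorizations in the behavior class.
authorization master ( global, instance )
etag master LastChangedAt
{
  // Create cannot be instance-checked (no instance yet); the precheck
  // method validates the incoming field values instead.
  create ( precheck );
  update;
  // Delegation: delete reuses the checks implemented for update.
  delete ( authorization : update );

  // Exclusion: no authorization check at all for this action. Reserve this
  // for operations that cannot change anything security-relevant.
  action ( authorization : none ) refreshPriceInfo;
  // An instance action that reuses the update checks.
  action ( authorization : update ) acceptTravel result [1] $self;

  // Create-by-association is also delegated to update.
  association _Booking { create ( authorization : update ); }
}

define behavior for ZI_Booking_Auth alias booking
lock dependent by _Travel
// Child entity: its operations are checked with the travel's authorization;
// the booking entity has no authorization methods of its own.
authorization dependent by _Travel
etag dependent by _Travel
{
  update;
  delete;
  field ( readonly ) TravelID, BookingID;
  association _Travel;
}
```

With this definition the behavior class only has to implement the update check (globally and per instance) plus the create precheck; delete, create-by-association and acceptTravel inherit the update decision, and every booking operation is decided by the owning travel.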
Unmanaged Global Authorization Checks
For code reference, let us look at the demo behavior definition DEMO_RAP_UNMANAGED_AUTH.
(The demo's CDS entity, behavior definition and behavior class are not reproduced here; the global authorization method of the behavior class follows.)
METHOD get_global_auth.
  DATA: update_granted TYPE abap_bool,
        delete_granted TYPE abap_bool.

  " Only the operations flagged in requested_authorizations are decided;
  " the result component of an operation that was not requested stays initial.

  " Global authorization for update requests: the demo grants it
  " unconditionally. Productive code would derive update_granted from an
  " AUTHORITY-CHECK against an authorization object here.
  IF requested_authorizations-%update EQ if_abap_behv=>mk-on.
    " full access granted
    update_granted = abap_true.
    IF update_granted = abap_true.
      result-%update = if_abap_behv=>auth-allowed.
    ELSE.
      result-%update = if_abap_behv=>auth-unauthorized.
      APPEND VALUE #( %msg = new_message_with_text(
                               severity = if_abap_behv_message=>severity-error
                               text     = 'operation not authorized!' ) )
        TO reported-demo_rap_unmanaged_auth.
    ENDIF.
  ENDIF.

  " Global authorization for delete requests: the demo denies it for every user,
  " so no delete ever reaches the modify operation.
  IF requested_authorizations-%delete EQ if_abap_behv=>mk-on.
    " access for delete operations denied globally
    delete_granted = abap_false.
    IF delete_granted = abap_true.
      result-%delete = if_abap_behv=>auth-allowed.
    ELSE.
      result-%delete = if_abap_behv=>auth-unauthorized.
      APPEND VALUE #( %msg = new_message_with_text(
                               severity = if_abap_behv_message=>severity-error
                               text     = 'operation not authorized!' ) )
        TO reported-demo_rap_unmanaged_auth.
    ENDIF.
  ENDIF.
ENDMETHOD.
Unmanaged Instance and Global Authorization checks
The demo behavior definition DEMO_UNMANAGED_ROOT_DRAFT is a good example of using global and instance checks together: its behavior class implements both a method FOR GLOBAL AUTHORIZATION and a method FOR INSTANCE AUTHORIZATION. The global method answers the instance-independent question (may this user perform the operation at all), the instance method narrows the answer per instance using the instance's field values, and an operation is carried out only if neither method returns auth-unauthorized.
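Both methods side by side, as an added example that is not code from the page or from SAP's demo objects. It assumes a hypothetical BO whose behavior definition declares `authorization master ( global, instance )` for the entity alias travel of CDS entity ZI_Travel_Auth, with operations update and delete and an instance action acceptTravel, a behavior class zbp_i_travel_auth, and a hypothetical authorization object ZTRAVLAUTH with fields AGENCYID and ACTVT; all names are assumptions. READ ENTITIES IN LOCAL MODE works in managed and unmanaged scenarios alike (in the unmanaged case it dispatches to the BO's own read method).

```abap
" Added example (assumed names): global and instance authorization methods of
" behavior class zbp_i_travel_auth. Assumes the behavior definition declares
" 'authorization master ( global, instance )' on entity alias travel of
" ZI_Travel_Auth with operations update, delete and instance action
" acceptTravel, plus authorization object ZTRAVLAUTH (fields AGENCYID, ACTVT).
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS get_global_authorizations FOR GLOBAL AUTHORIZATION
      IMPORTING REQUEST requested_authorizations FOR travel RESULT result.
    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR travel RESULT result.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.

  METHOD get_global_authorizations.
    " Instance-independent: may this user change or delete travels at all?
    " AGENCYID is not checked here (DUMMY); the instance check narrows it later.
    IF requested_authorizations-%update = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'ZTRAVLAUTH'
        ID 'AGENCYID' DUMMY
        ID 'ACTVT'    FIELD '02'.
      result-%update = COND #( WHEN sy-subrc = 0
                               THEN if_abap_behv=>auth-allowed
                               ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.

    IF requested_authorizations-%delete = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'ZTRAVLAUTH'
        ID 'AGENCYID' DUMMY
        ID 'ACTVT'    FIELD '06'.
      result-%delete = COND #( WHEN sy-subrc = 0
                               THEN if_abap_behv=>auth-allowed
                               ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.
  ENDMETHOD.

  METHOD get_instance_authorizations.
    " Instance-dependent: read the fields the decision needs. IN LOCAL MODE
    " skips feature and authorization checks for this internal read; keys that
    " do not exist land in 'failed' automatically.
    READ ENTITIES OF zi_travel_auth IN LOCAL MODE
      ENTITY travel
        FIELDS ( AgencyID OverallStatus )
        WITH CORRESPONDING #( keys )
      RESULT DATA(travels)
      FAILED failed.

    LOOP AT travels INTO DATA(travel).
      " Agency-specific change authorization (ACTVT '02' = change).
      AUTHORITY-CHECK OBJECT 'ZTRAVLAUTH'
        ID 'AGENCYID' FIELD travel-AgencyID
        ID 'ACTVT'    FIELD '02'.
      DATA(may_change) = xsdbool( sy-subrc = 0 ).

      " State-dependent rule folded into the authorization: an accepted travel
      " (status 'A') may no longer be deleted, whatever the user's role.
      DATA(may_delete) = xsdbool( may_change = abap_true AND travel-OverallStatus <> 'A' ).

      " One result line per instance; only requested operations are decided.
      APPEND VALUE #( %tky = travel-%tky ) TO result ASSIGNING FIELD-SYMBOL(<auth>).

      IF requested_authorizations-%update = if_abap_behv=>mk-on.
        <auth>-%update = COND #( WHEN may_change = abap_true
                                 THEN if_abap_behv=>auth-allowed
                                 ELSE if_abap_behv=>auth-unauthorized ).
      ENDIF.
      IF requested_authorizations-%delete = if_abap_behv=>mk-on.
        <auth>-%delete = COND #( WHEN may_delete = abap_true
                                 THEN if_abap_behv=>auth-allowed
                                 ELSE if_abap_behv=>auth-unauthorized ).
        IF may_delete = abap_false.
          APPEND VALUE #( %tky = travel-%tky
                          %msg = new_message_with_text(
                                   severity = if_abap_behv_message=>severity-error
                                   text     = |Travel { travel-TravelID } must not be deleted| ) )
            TO reported-travel.
        ENDIF.
      ENDIF.
      IF requested_authorizations-%action-acceptTravel = if_abap_behv=>mk-on.
        <auth>-%action-acceptTravel = COND #( WHEN may_change = abap_true
                                              THEN if_abap_behv=>auth-allowed
                                              ELSE if_abap_behv=>auth-unauthorized ).
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

ENDCLASS.
```

The split keeps the cheap, instance-independent decision in the global method (a user without any change authorization is refused before any instance is read) and the per-instance decision, which needs the instance's own field values, in the instance method; a delete is allowed only if both methods allow it.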
Reference: https://help.sap.com/docs/btp/sap-abap-restful-application-programming-model/authorization-control