
How to implement User Access Restriction on a SAP Custom Business Object

source link: https://blogs.sap.com/2022/10/17/how-to-implement-user-access-restriction-on-a-sap-custom-business-object/
October 17, 2022


Background Context

Business objects developed by SAP in Business ByDesign can have controlled access based on the associated Access Control List (ACL) node data. ACL is a dependent object (DO) that can be related to the business object to provide controlled access.

Scenario

We have a Custom Business Object, and it has a field of Plant in it. The client’s requirement is to restrict users’ access based on Plant.

  • In our scenario we don’t want a user to see the records of a Plant he is not a part of, so the restriction is on Plant.
  • The next step is to select the appropriate Access Context. The data type of Plant is OrganisationalCenterID/LocationID, so we will use the Access Context 1008-Site.
  • We have to search in the Repository Explorer for a BO that supports this access context. In my example, I searched and found that LogisticsTaskFolder meets my needs.

Supported Access Contexts

1. SDK Solution Changes

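Here is an example of a Custom Business Object with AccessControl to LogisticsTaskFolder:

import AP.Common.GDT as apCommonGDT;
import AP.LogisticsExecution.Global;

// The deployment unit is changed so that the association below can be used
[DeploymentUnit(ProductionAndSiteLogisticsExecution)] businessobject PlantAccessControl {

    // Plant on which the access restriction is based
    element Plant      : OrganisationalCenterID;

    // Test flag set in BeforeSave: shows whether the association was filled
    element Consistent : ConsistencyStatusCode;

    // Association to the standard BO whose Access Context is inherited
    [RelevantForAccessControl] association For_Access_Control to LogisticsTaskFolder;

}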

Key points:

  • It is important to remember that we will have to change the DeploymentUnit of the BO to implement the For_Access_Control association.

  • [RelevantForAccessControl] is the annotation that marks the association to a standard object, so that your custom Business Object inherits that object's Access Context.

We need to create a BO Query for our custom object, because the ACL (Access Control List) data is carried only by the Fast Search Index (FSI) BO query.

BO Query

Next, we will write code to fill our association. Create a BeforeSave script for your custom BO and fill in something to retrieve the instance of that BO. This code is just a reference:

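import ABSL;
import AP.LogisticsExecution.Global;

if (!this.For_Access_Control.IsSet())
{
    // Reference only: look up the LogisticsTaskFolder instance for this record's
    // site (the element is called Plant in the BO definition above) and link it.
    var LogisticsTaskInst = LogisticsTaskFolder.Retrieve(this.SiteID);
    this.For_Access_Control = LogisticsTaskInst;
}

// This part is only for testing
if (this.For_Access_Control.IsSet())
{
    this.Consistent = "3"; // Consistent
}
else
{
    this.Consistent = "2"; // Inconsistent
}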

2. UI Designer Changes

Now open the OWL screen of the custom BO. In the case of a SADL Query, you just need to select the selection checkbox of the For_Access_Control ID.

In the case of a standard Query, you need to perform some extra steps.

  • The Query section under the Controller tab should look like this

Query in Controller

  • Binding under the DataModel tab should look like this

DataModel Binding

2.1 OWL/QA/OIF Changes

Open these screens one by one, select the Floorplan, and change the Properties under RBAMData as shown below:

Access Controlled Objects

  • Change the Access Check Mode to “PrivilegedExceptAccessControlBusinessObjects”
  • Set Authorization Classification Code to “Application”
  • Select Access Controlled Business Object and make sure your object is listed with Unrestricted Access unchecked.
  • Save and Activate

2.2 WCView Changes

Open the custom WC view and change the AccessContextCode under RBAMData to the one we need, which in this case is “1008 – Site”, as shown below:

Access Context Code

3. Assign Access Rights (SAP UI)

  • Activate the WorkCenter for the Business User and then go to the Access Restrictions tab.
  • Find the Work Center you created and, next to the Access Context, change its Read and Write Access from Unrestricted to Restricted as shown below

Access Restrictions

  • Finally, assign the Site Access you want the user to have by selecting the Read and Write Access below. A user can have access to more than one Plant in this case:

Read and Write Access

You can test the work centers after this yourself and you’re done.
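One way to plan that test, as an added example that is not part of the original post and not SAP code: a small Python model that computes which records each test user should be able to read and edit under a Restricted 1008-Site assignment, and lists records whose For_Access_Control association was never filled (Consistent = "2"). The record IDs, plant IDs, user names and the two assumptions marked in the comments are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Record:
    rec_id: str
    plant: str       # Plant element of the custom BO
    consistent: str  # "3" = For_Access_Control set, "2" = not set

@dataclass
class Assignment:
    restricted: bool  # Restricted vs. Unrestricted on the Access Restrictions tab
    read_sites: set = field(default_factory=set)
    write_sites: set = field(default_factory=set)

def unlinked(records):
    """Records whose BeforeSave left For_Access_Control empty."""
    return sorted(r.rec_id for r in records if r.consistent != "3")

def expected_access(records, a):
    """Return (readable, writable) record ids a tester should observe."""
    if not a.restricted:
        ids = {r.rec_id for r in records}
        return ids, set(ids)
    # Assumption: a record without the association has no site to match,
    # so it is left out here and reported by unlinked() for manual checking.
    linked = [r for r in records if r.consistent == "3"]
    writable = {r.rec_id for r in linked if r.plant in a.write_sites}
    # Assumption: write access to a site includes read access to it.
    readable = writable | {r.rec_id for r in linked if r.plant in a.read_sites}
    return readable, writable

# Constructed sample data: record ids, plant ids and users are made up.
RECORDS = [
    Record("R1", "P1100", "3"), Record("R2", "P1100", "3"),
    Record("R3", "P1200", "3"), Record("R4", "P1300", "3"),
    Record("R5", "P1200", "2"),  # association never filled
]
USERS = {
    "planner_a": Assignment(True, {"P1100", "P1200"}, {"P1100"}),
    "planner_b": Assignment(True, {"P1300"}),
    "admin": Assignment(False),
}

def test_plan(records=RECORDS, users=USERS):
    """Expected result per user, to compare with what each user sees in the OWL."""
    return {u: expected_access(records, a) for u, a in users.items()}

if __name__ == "__main__":
    for user, (r, w) in test_plan().items():
        print(f"{user}: read={sorted(r)} write={sorted(w)}")
    print("check manually (no association):", unlinked(RECORDS))
```

Log in as each test user, compare the OWL result list with the expected sets, and look at the records reported as unlinked separately before relying on the restriction.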

Here are also some further resources that may help you:

SAP Business ByDesign environment Topic page (https://community.sap.com/topics/business-bydesign), post and answer questions (https://answers.sap.com/tags/01200615320800000691), and read other posts on the topic (https://blogs.sap.com/tags/01200615320800000691/)

In case of any queries or further detailed guidelines feel free to ask, and if you want to see similar content in the future make sure you follow me.

It would also mean a lot to me if you could share your thoughts regarding the blog in the comments or by messaging me. I will happily consider your suggestions and take steps to make the blog even better in the future, thanks!

