
TM Authorization framework

Author: Srinivas Rao

27-Aug-12

Table of Contents:

Authorization framework Overview
Authorization framework architecture
Execution Of Authorization
Implementation Approach
    Structure of authorization super class
    Structure of authorization class for a specific BO
    Adding custom authorization requirement for a BO
    Structure of the table MT_AC_ADM
Additional Hooks
Tips
DEMO Example

Authorization framework Overview:

The authorization framework delivered by SAP is an enhancement of the old concept of authorization along with:
- Service Manager based Authorization Checks
- Service Manager Plug-In with PRE- and POST-BOPF Methods
- Privilege Mode
- Mapping from Internal IDs from BO Nodes into External IDs of Authority Fields
- Mass enabled Equivalency Groups
- Explicit Authorization Checks
- BO and Node specific "no authorization" messages

Authorization framework architecture:

[Class diagram. Only the names survived extraction; they are listed here in place of the picture.]

Interfaces: /BOBF/IF_TRA_SERVICE_MANAGER, /BOBF/IF_TRA_SERV_MGR_TRANSACT, /BOBF/IF_TRA_SERV_MGR_COMPL, /BOBF/IF_TRA_PLUGIN_SERV_MGR, /BOBF/IF_TRA_PLUGIN_SM_TRANS

/BOBF/CL_TRA_SERVICE_MGR, operations: IF_TRA_SERVICE_MANAGER~CHECK_ACTION, ~CHECK_AND_DETERMINE, ~CHECK_CONSISTENCY, ~CONVERT_ALTERN_KEY, ~DO_ACTION, ~MODIFY, ~RETRIEVE, ~RETRIEVE_BY_ASSOCIATION, ~RETRIEVE_PROPERTY, ~QUERY; IF_TRA_SERV_MGR_TRANSACT~DO_SAVE

/SCMTMS/CL_AC_PLUGIN (implements /SCMTMS/IF_AC)

/SCMTMS/IF_AC_BADI, operations: BEFORE_AUTHCHK_BADI, AFTER_AUTHCHK_BADI, FILTER_DATA_BADI

/SCMTMS/IF_AC_DATA_BADI, operations: GET_DATA_BADI

/SCMTMS/CL_AC_SUPER, attribute: MT_AUTHCHK_BUFFER; public operations: PRE_ and POST_ pairs for CHECK_ACTION, CHECK_AND_DETERMINE, CHECK_CONSISTENCY, DO_ACTION, MODIFY, RETRIEVE, RETRIEVE_BY_ASSOCIATION, RETRIEVE_PROPERTY and QUERY, plus POST_CONVERT_ALTERN_KEY and POST_CHECK_BEFORE_SAVE; protected operations: CONSTRUCTOR, CHECK_AUTHORITY_SINGLE, CHECK_AUTHORITY

/SCMTMS/CL_AC_FACTORY, operations: GET_AC_INSTANCE

/SCMTMS/CX_AUTHORITY, attributes: MV_USER, MV_STATIC, MV_TRIGGER, MV_SRVMGR_METH, MV_BO_KEY, MV_NODE_KEY, MV_KEY

/SCMTMS/CL_AC_<BO>: the BO-specific subclass of /SCMTMS/CL_AC_SUPER

Execution Of Authorization:

[Diagram, reproduced as text.]
Authorization Object                 Business Object ROOT NODE
  Instance based Field 1    <--->      Field1
  Instance based Field 2    <--->      Field2
  Instance based Field 3    <--->      Field3
  ...                                  ...
  Instance based Field 10   <--->      Field 10
  ACTVT

Each instance based field of the authorization object is mapped to a field of the ROOT node; ACTVT is supplied by the check itself. As of now, we can have fields only from the ROOT node of the business object as part of the authority check fields. The super class methods are implemented for each and every service manager method with appropriate trigger points. This is discussed in detail below.

Implementation Approach:

Structure of authorization super class:

Super class: /SCMTMS/CL_AC_SUPER. Its purpose is to issue the AUTHORITY-CHECK object call for the execution of every service manager method. Each service manager method is implemented as a PRE method and a POST method. In the standard, all the framework implementation is done in the PRE methods; the POST methods are left blank. The constructor of the super class implements a BADI call. This BADI is a hook provided by SAP for tweaking the authority check as per the requirement.
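To make the mapping concrete, the check the framework performs for the rows of a ROOT node is equivalent to the explicit AUTHORITY-CHECK loop below. This is an added illustration, not the code of /SCMTMS/CL_AC_SUPER or anything taken from the document. The authorization object ZTM_SCHED with fields ACTVT and ZSCHED_TYPE, the ROOT node field SCHEDULE_TYPE and the form itself are assumptions made for the example.

```abap
" Added illustration, not framework code. Assumed: authorization object
" ZTM_SCHED (fields ACTVT, ZSCHED_TYPE) and a ROOT node field SCHEDULE_TYPE.
TYPES: BEGIN OF ty_root,
         key           TYPE /bobf/conf_key,
         schedule_type TYPE c LENGTH 4,
       END OF ty_root,
       ty_root_tab TYPE STANDARD TABLE OF ty_root WITH DEFAULT KEY.

" Instance based check: one AUTHORITY-CHECK per ROOT instance. ACTVT is
" supplied statically (the role AC_VALUE plays in the framework) and
" ZSCHED_TYPE is read from the instance (the role BO_NODE_KEY/BO_ATTR play).
" Keys that fail are returned so the caller can drop them from the
" RETRIEVE result instead of showing data the user may not see.
FORM check_schedule_authority USING    it_root        TYPE ty_root_tab
                                       iv_actvt       TYPE activ_auth
                              CHANGING et_failed_keys TYPE /bobf/t_frw_key.
  FIELD-SYMBOLS <ls_root> TYPE ty_root.
  DATA ls_key TYPE /bobf/s_frw_key.

  CLEAR et_failed_keys.
  LOOP AT it_root ASSIGNING <ls_root>.
    AUTHORITY-CHECK OBJECT 'ZTM_SCHED'
      ID 'ACTVT'       FIELD iv_actvt
      ID 'ZSCHED_TYPE' FIELD <ls_root>-schedule_type.
    IF sy-subrc <> 0.
      " sy-subrc 4: the object is in the user master but the field values
      " do not match; sy-subrc 12: the object is not in the user master at
      " all. Both are treated as "no authorization" (fail closed).
      ls_key-key = <ls_root>-key.
      APPEND ls_key TO et_failed_keys.
    ENDIF.
  ENDLOOP.
ENDFORM.
```

The point of the loop is that the check is per instance: a user who holds ZTM_SCHED with ZSCHED_TYPE = 'A' only keeps the schedules of type A in the result, which is what the framework's data filtering after the PRE method achieves.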

Structure of authorization class for a specific BO:

The authorization class for any BO inherits the super class by default. The table /SCMTMS/I_OBM_BO holds the authorization class for any specific BO. Eg: for the BO /SCMTMS/FO_SCHEDULE the class is /SCMTMS/CL_AC_SCH. The constructor of each specific class is defined to load all possible authorization checks to be performed during the run of the UI for that specific BO.

Constructor snapshot: [screenshot not reproduced]

The internal table MT_AC_ADM is the key table which holds all the authorization related data. To add custom authorization, create an implicit enhancement of the constructor and populate the MT_AC_ADM table as per the requirement.

Adding custom authorization requirement for a BO:

Step1: As discussed above, the current standard authorization framework provides the authority check with fields of the ROOT node ONLY.

Before starting off, kindly evaluate if the authority check fields are a part of the ROOT node or not.

Step2: After making sure about the authority check fields, the authorization requirement has to be defined in the authorization class for that BO. Identify the class name from the table /SCMTMS/I_OBM_BO.

Step3: Create an implicit enhancement of the constructor method for that specific class.

Step4: Adding authority check requirement parameters: the internal table MT_AC_ADM is the key table which is to be filled with our custom requirement.

Structure of the table MT_AC_ADM:

Field           Description
AC_ID           Counter for the authority check
AC_OBJ          Authority check object
SRVMGR_METH     Service manager method name
NODE_KEY        Node key for srvmeth retrieve / rba
FLT_NODE_KEY    Node key for filter attribute and value (can be left initial if the same as NODE_KEY)
FLT_NODE_ATTR   Filter attribute for ac
FLT_ATTR_VAL    Filter attr. value for ac
ACT_KEY         Action key for srvmeth do_action
AC_TRIGGER      Trigger points. The possible values are defined in the super class.
EXTERNAL        Ac triggered via method external_check_authority
EQUI_GRP_ID     Ac equivalency group id: if at least one ac of a group is successful, the whole group is successful
ONE_HIT         Just one positive result for this ac object leads to overall success of this check
STATIC          Whether the authority check is instance based or a static check
ON_SAVE         Whether the authority check should be triggered on save or not
MSGID, MSGTY, MSGNO, MSGV1, MSGV2, MSGV3, MSGV4
                Message information which would be displayed on failure of the authority check

AC_REQ_TAB      Combination of the fields used for authority check requirements. Discussed in detail in the table below.

Structure of AC_REQ_TAB:

Field           Description
AC_FIELD        Authority check field from the root node
XBO_NODE_KEY    Xbo node reference
BO_NODE_KEY     Bo node key. To be picked from the constants interface
BO_ATTR         Field name which is the part of the authority check
ACT_PARAM       Action parameter if the authorization check is on an action
QRES_ATTR
QRES_NO_ATTR
ALPHA_CONVERT
AC_VALUE        Pass a value to this field if you want to use a static authority check. Else, leave it blank.

Additional Hooks:

Additional hooks provided by SAP in the authorization framework: there are 2 BADI calls during the execution of every service manager method.

BADI 1: /SCMTMS/AC_BADI
This BADI is called before and after every authority check object. Provides possibilities to:
- replace the authorization check
- do a pre-processing before the standard authorization check
- do a post-processing after the standard authorization check
- filter the data after the authorization checks and the data filtering was done

BADI 2: /SCMTMS/AC_DATA_BADI
Provides possibilities to:
- replace the data retrieval for the authorization check
- filter the data being used for the standard authorization check

Tips:

1. If you want to have an authority check on a field which is not a part of the ROOT NODE, then we can enhance the ROOT node structure using the INCLUDE extension. Fill this new field in the root node using a determination on create.

2. When we create a determination in the BOPF, there is a determination category of type = AUTHORITY CHECK. Kindly read F1 to understand more on this category. This type of determination can be used to fulfill some of your authority check requirements.

3. In case there is a requirement to add multiple records to the internal table MT_AC_ADM at runtime, this can be handled in the method BUILD_MAPPING_TABLES.

4. The BADI call is implemented in the super class; these BADIs are called for each authorization subclass (for all the BOs). The interface of the BADI is given such that we can implement the BADI method for a specific BO (using node key, BO key, etc.). The interface of this method is such that it provides the AC runtime table and BO data table at the same time. We can modify the result of the authority check by just passing the SUBRC value: SUBRC = 0 -> Check passed; SUBRC = 12 -> Check failed. Because the BADI result overrides the standard check, an implementation that sets SUBRC = 0 without evaluating the data switches the check off for every BO it is filtered to; restrict the implementation to the intended BO and node key.

DEMO Example:

Requirement: To control the access of users for schedules based on schedule type for all the activities 01, 02 and 03.

Solution:

Step 1: Identify the business object. Answer: It is /SCMTMS/FO_SCHEDULE.

Step 2: Identify the authorization class. Answer: Go to the table /SCMTMS/I_OBM_BO and enter the BO name. We will get the authorization class (/SCMTMS/CL_AC_SCH).

Step 3: All the authorization requirements are maintained in the constructor of this class. Create an implicit enhancement in the constructor and populate the internal table MT_AC_ADM.

[Screenshot of the enhancement code; only its callout annotations survived extraction. They label, in the code: the counter; the authority object name; the message that needs to be displayed when the authority check fails; the relevant service manager method; when the authority check should happen; the activity, with possible values 01, 02, 03; the BOPF field name; and the field name in the AUTHORITY object.]
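The procedure of Step1 to Step4 above and the DEMO, carried through as one worked enhancement. This is an added example and not the code of the screenshot or SAP's own: it appends three entries to MT_AC_ADM, one per activity, each with the static ACTVT requirement and the instance based schedule type requirement. Assumed, not taken from the page: the custom authorization object ZTM_SCHED with fields ACTVT and ZSCHED_TYPE, the constants interface /SCMTMS/IF_SCHEDULE_C and the ROOT attribute SCHEDULE_TYPE of /SCMTMS/FO_SCHEDULE, the service manager method names stored as literals in SRVMGR_METH, the name of the trigger constant in /SCMTMS/CL_AC_SUPER (the page only says the values are defined there) and the message class ZTM_AC.

```abap
" Added example, not the screenshot's code. Implicit enhancement at the END
" of /SCMTMS/CL_AC_SCH->CONSTRUCTOR, after SAP's standard entries are loaded.
" ASSUMED names: ZTM_SCHED (fields ACTVT, ZSCHED_TYPE), /SCMTMS/IF_SCHEDULE_C,
" ROOT attribute SCHEDULE_TYPE, message class ZTM_AC message 001, and the
" trigger constant SC_AC_TRIGGER-PRE (look up the real constant in
" /SCMTMS/CL_AC_SUPER before activating).
ENHANCEMENT 1 ZTM_AC_SCH_CONSTRUCTOR.
  DATA: ls_ac_adm LIKE LINE OF mt_ac_adm,
        ls_ac_req LIKE LINE OF ls_ac_adm-ac_req_tab,
        lt_actvt  TYPE STANDARD TABLE OF activ_auth WITH DEFAULT KEY,
        lv_actvt  TYPE activ_auth,
        lv_ac_id  LIKE ls_ac_adm-ac_id.

  " AC_ID is the counter; continue after the standard entries so that none
  " of SAP's own checks is overwritten or shadowed.
  lv_ac_id = lines( mt_ac_adm ).

  APPEND '01' TO lt_actvt.   " create
  APPEND '02' TO lt_actvt.   " change
  APPEND '03' TO lt_actvt.   " display

  LOOP AT lt_actvt INTO lv_actvt.
    CLEAR ls_ac_adm.
    lv_ac_id = lv_ac_id + 1.
    ls_ac_adm-ac_id      = lv_ac_id.
    ls_ac_adm-ac_obj     = 'ZTM_SCHED'.
    ls_ac_adm-node_key   = /scmtms/if_schedule_c=>sc_node-root.
    ls_ac_adm-ac_trigger = /scmtms/cl_ac_super=>sc_ac_trigger-pre.
    ls_ac_adm-static     = abap_false.   " instance based: read from ROOT
    ls_ac_adm-one_hit    = abap_false.   " every instance must pass

    " Which service manager method carries the check: display is enforced
    " on RETRIEVE; create and change on MODIFY and again on save.
    IF lv_actvt = '03'.
      ls_ac_adm-srvmgr_meth = 'RETRIEVE'.
      ls_ac_adm-on_save     = abap_false.
    ELSE.
      ls_ac_adm-srvmgr_meth = 'MODIFY'.
      ls_ac_adm-on_save     = abap_true.
    ENDIF.

    " Message shown when the check fails; MSGV1 carries the activity.
    ls_ac_adm-msgid = 'ZTM_AC'.
    ls_ac_adm-msgty = 'E'.
    ls_ac_adm-msgno = '001'.
    ls_ac_adm-msgv1 = lv_actvt.

    " AC_REQ_TAB row 1: ACTVT as a static value (AC_VALUE filled).
    CLEAR ls_ac_req.
    ls_ac_req-ac_field = 'ACTVT'.
    ls_ac_req-ac_value = lv_actvt.
    INSERT ls_ac_req INTO TABLE ls_ac_adm-ac_req_tab.

    " AC_REQ_TAB row 2: ZSCHED_TYPE taken from ROOT-SCHEDULE_TYPE of each
    " instance (AC_VALUE left blank, BO_NODE_KEY and BO_ATTR filled).
    CLEAR ls_ac_req.
    ls_ac_req-ac_field    = 'ZSCHED_TYPE'.
    ls_ac_req-bo_node_key = /scmtms/if_schedule_c=>sc_node-root.
    ls_ac_req-bo_attr     = 'SCHEDULE_TYPE'.
    INSERT ls_ac_req INTO TABLE ls_ac_adm-ac_req_tab.

    INSERT ls_ac_adm INTO TABLE mt_ac_adm.
  ENDLOOP.
ENDENHANCEMENT.
```

Two checks are worth doing after activation: confirm in the debugger that the standard entries of MT_AC_ADM still carry their original AC_ID values and that the three new entries follow them, and test with a user whose ZTM_SCHED authorization covers only one schedule type, who should see only schedules of that type on RETRIEVE and receive message ZTM_AC 001 on MODIFY of any other.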