Introduction
Have you ever wanted to give users access to certain content depending on their roles ? This blog explores one such method of doing so. Though I'll be using SAP MII 12.0 throughout the example, this would be relevant to MII 11.5 as well with little or no changes. Point to note is that the User Management in MII 12.0 is handled by the User Management Engine(UME) of Netweaver.
Approaches
There are two approaches by which this can be acheived :
IRPT or MII Reports (refer to this SAP Help Link for MII 11.5 (http://help.sap.com/saphelp_xmii115/helpdata/en/Advanced_Topics/Report_Generation.htm) for more details. Though this is specific to 11.5, it applies to 12.0 as well.)
Concept
IRPT pages have access to the MII session variables and I'll be using the IllumLoginRoles session property which returns a comma separated list of all the roles assigned to the user for this purpose.
Example and Sample Code
For this example lets create a role *TEST_ACCESS in the Netweaver UME. We'll check the user for this role and will grant him access only if this role is assigned to him.</p><p>The javascript code that we will use for this is given below :</p><p>----
BEGIN OF CODE - Javascript
----
*
function checkAccess(){
var roleToCheck = "TEST_ACCESS";
var myAssignedRoles = myRoles.value;
if (myAssignedRoles.indexOf(roleToCheck) != -1){
document.write ("h3. Access Granted !
");
}else{
document.write ("h3. Access Denied !
");
}
}
<input id="myRoles" type="hidden" value="">
*----
END OF CODE
----
*
*----
BEGIN OF CODE - JSP
----
</p><pre><html><br/><head><br/><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"/><br/><title>Role Based Access</title><br/></head><br/><body><br/><%<br />String roleToAccess = "TEST_ACCESS";<br/>String myRoles = (String)session.getAttribute("IllumLoginRoles") ;<br/>if (myRoles.indexOf(roleToAccess) != -1 ){<br/>out.println("h3. Access Granted !
");<br/>}else{<br/>out.println("h3. Access Denied !
");<br/>}<br/>%><br/></body><br/></html> </pre><p>END OF CODE
-
</p><p>Note : If you read the comments below on this blog, you'll know that the Javascript approach is not secure. True. Therefore the advice from my side would be to use the JSP approach since all access validation should be done on the server side and not on the client side.*
Now lets's test this peice of code for someone who does not have the role assigned to them.
Let's now create this role in the UME by accessing it through http://:/useradmin.
0.1. Select the *Search Criteria *as Role.
0.2.
Click on Create Role. 0.1. Enter the role name as *TEST_ACCESS *and save.
0.1. Now to assign the role to the user :
0.2. select the *Search Criteria *as User.
0.3.
Enter the username and click on Go. 0.1.
Select the user and click on Modify.0.1. Go to the *Assigned Roles *tab.
0.2.
Enter the role name TEST_ACCESS in the *Available Roles *tab and click on Go.0.1. Select the role and click on *Add *to assign the role to the user.
0.2. Click on *Save *to save the assignment.
Run the same page again and Voila ! this is what you should see :
3 Comments
