Authorizations in BOPF (Business Object Processing Framework)
Have you ever asked yourself why you can see data in transaction A but not in Report X? Or have you ever searched desperately for authorization checks in order to configure the user roles? The SAP authorization concept is very powerful but has one disadvantage: what is checked is buried in the code. It is up to the developers to keep the checks consistent everywhere and to document them. Currently, the PFCG traces are the most reliable information you have.
With BOPF this is different: in SAP Business Suite EHP7, authorization checks are integrated into the BOPF design time and executed by the framework. Just assign an authority object to the node of a business object and map the fields, and the checks are performed automatically in all authorization-relevant BOPF services. This solves our problems: the checks are documented and visible in the BO model, and they are executed consistently – no more surprises.
Let’s talk about performance
Checking authorizations is quite expensive, especially if you have to deal with mass data. In critical cases you may have put a lot of effort into optimizing the code to avoid unacceptable performance. So the challenge for us is to be as fast as the manually optimized implementations.
In the BOPF runtime we implemented several optimization strategies. The canonical one reduces the number of calls by buffering the results. In addition, we implemented an equivalence group design: for instances that are identical with respect to the check-relevant attributes, we execute the check only once. And last but not least, the standard implementation uses the privileged mode. This means that authorizations are checked only once, at the beginning of a request. The user is then authorized to access the data necessary to fulfill the request – even if data from different nodes or business objects is requested – without further checks.
We monitor the performance constantly to find optimization potential and to avoid regressions. So I dare say that the BOPF solution is more consistent and in general faster, because we care about performance not only in critical cases but at all times.
And last but not least, if you really have a use case where you see considerable optimization potential in implementing the checks manually, it is always possible to use your own implementation instead of the one we deliver.
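The buffering and equivalence group strategies described above can be modelled in a few lines. This is an added example, not SAP's or BOPF's code: the field mapping, the user profile, the sample instances and the `AuthChecker` class are constructed for illustration, and the privileged mode is not modelled.

```python
from collections import defaultdict

# Assumed mapping of node attributes to authorization fields (illustrative names).
FIELD_MAPPING = {"sales_org": "VKORG", "doc_type": "AUART"}

# Constructed user profile: activity -> permitted values per authorization field.
USER_PROFILE = {
    "03": {"VKORG": {"1000", "2000"}, "AUART": {"OR", "RE"}},  # display
    "02": {"VKORG": {"1000"}, "AUART": {"OR"}},                # change
}

# Constructed node instances; "amount" is not check-relevant.
SAMPLE = [
    {"key": 1, "sales_org": "1000", "doc_type": "OR", "amount": 10},
    {"key": 2, "sales_org": "1000", "doc_type": "OR", "amount": 99},
    {"key": 3, "sales_org": "2000", "doc_type": "RE", "amount": 5},
    {"key": 4, "sales_org": "3000", "doc_type": "OR", "amount": 7},
    {"key": 5, "sales_org": "2000", "doc_type": "RE", "amount": 1},
]


class AuthChecker:
    """Stand-in for the expensive check; counts how often it really runs."""

    def __init__(self, profile):
        self.profile = profile
        self.calls = 0
        self._buffer = {}  # (activity, field values) -> decision

    def _check(self, activity, values):
        self.calls += 1
        allowed = self.profile.get(activity, {})
        # Unknown activity, unknown field or missing value all deny (fail closed).
        return all(value in allowed.get(field, ()) for field, value in values)

    def check_instances(self, instances, activity):
        # Equivalence group key: every mapped field, and nothing else.
        groups = defaultdict(list)
        for inst in instances:
            values = tuple(sorted((f, inst.get(a)) for a, f in FIELD_MAPPING.items()))
            groups[values].append(inst["key"])
        decisions = {}
        for values, keys in groups.items():
            if (activity, values) not in self._buffer:
                self._buffer[(activity, values)] = self._check(activity, values)
            decisions.update(dict.fromkeys(keys, self._buffer[(activity, values)]))
        return decisions
```

The group key has to contain every check-relevant field and the buffer key has to contain the activity; leaving either out would let a decision made for one instance or activity be reused for another.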
Running on SAP HANA
If you are running on SAP HANA, we offer you even more in the context of Floorplan Manager or SAP Gateway. In NW7.40 SP5, BOPF and the two UI tools have been connected closely via the Query Engine. In read-only scenarios – and from a performance point of view these are the critical ones, if you think about instance-based checks on lists – the engine circumvents the BOPF framework code completely and instead uses the metadata to create one SELECT statement on the database using:
- BOPF meta data – especially the associations, persistency definition and the authorization checks
- UI meta data – especially the mapping to the BOPF model
- UI state – e.g. which page is to be displayed
- User profile information – what is the user allowed to see and to do
So we avoid copying data that the user is not allowed to see to the application server. Especially in mass data scenarios, the performance gain is considerable.
One remark on application architecture: frameworks have many advantages, and I do not want to elaborate on this further. But always accessing the data via frameworks may dramatically impact the performance of UIs in use cases where you have to deal with mass data. Taking into account that mass data scenarios are normally display scenarios, we achieve with our approach a – I dare say – perfect architecture: combining the advantages of the BOPF framework for transactional use cases and leveraging the metadata to optimize the database access in read-only scenarios.
Fig. 1 ABAP Application architecture on SAP HANA
The embedded authorization in BOPF documents the usage of authorization checks and takes care of consistency and optimized performance. Especially when running on SAP HANA, our infrastructure takes advantage of the SAP HANA capabilities to optimize the runtime as far as possible.
For further information see the tutorial: How to Use Authority Checks in Business Object Processing Framework