Did you ever ask yourself why you can see data in transaction A but not in Report X? Or did you ever search desperately for authorization checks to configure the user roles? The SAP authority concept is very powerful but has one disadvantage: what is checked is buried in the code. It depends on the developers to keep the checks consistent all over the place and to document them. The PFCG traces are the most reliable information you have currently.

With BOPF this is different: in SAP Business Suite EHP7 authorization checks are integrated into the BOPF design time and executed by the framework. Just assign an authority object to the node of a business object, map the fields and the checks are performed automatically in all authorization relevant BOPF services. This solves our problems: the checks are documented and visible in the BO model and the checks are executed consistently – no surprises any more.

Checking authorizations is quite expensive, especially if you have to deal with mass data. In critical cases you may have put much energy for optimizing the code to avoid inacceptable performance results. So it is a challenge for us to be as fast as the manually optimized implementations are.

In the BOPF runtime we implemented several optimization strategies: the canonical one reduces the calls in buffering the results. In addition we implemented an equivalence group design, meaning that we execute the check for instances which are identical with respect to the check relevant attributes only once. And last but not least the standard implementation uses the priviledged mode. This means, that authorizations are only checked once at the beginning of a request. The user is then authorized to access the data necessary to fulfill the request – even if data from different nodes or business objects is requested - without further checks.

We monitor the performance constantly to find optimization potential and to avoid regressions. So I dare say that the BOPF solution is more consistent and in general faster as we care about performance not only in critical cases but at any time.

And last but not least if you have really a use case where you see a considerable optimization potential in implementing it manually: it is always possible to use an own implementation instead of the one we deliver.

If you are running on SAP HANA we offer you even more in the context of Floorplan Manager or SAP Gateway. In NW7.40 SP5 BOPF and the two UI tools have been connected closely via the Query Engine. In read only scenarios – and these are from a performance point of view the critical ones, if you think about instance based checks on lists - the engine circumvents the BOPF framework code completely but uses the meta data to create one SELECT statement on the database using:

So we avoid copying data to the application server which the user is not allowed to see. Especially in mass data scenarios, the performance gain is considerable.

One remark on application architecture: Frameworks have many advantages, I do not want to elaborate on this further. But accessing the data always via frameworks may impact the performance of UIs in use cases where you have to deal with mass data dramatically. Taking into account that mass data are normally display scenarios, we achieve with our approach a – I dare say – perfect architecture: combining the advantages of the BOPF framework for transactional use cases and leveraging the meta data to optimize the data base access in read only scenarios.

The embedded authorization in BOPF documents the usage of authorization checks and cares about consistency and optimized performance. Especially in the case of running on SAP HANA our infrastructure takes advantages of the SAP HANA capabilities for optimizing the runtime at most.

For further information see the tutorial: How to Use Authority Checks in Business Object Processing Framework