How to provide access control on custom Business Object

Background to Access Control and Context


Business objects developed by SAP in Business ByDesign can have controlled access based on the Access Control List (ACL) node data associated with them. ACL is a dependent object (DO) that can be associated with a business object to provide controlled access. You can restrict access to instances of a business object, be it read or write, based on certain predefined access contexts such as Employee, Company and Site. A user is assigned access on these access contexts, and that assignment controls the operations the user can perform on the business object instances.


For example, the business object ‘PurchaseOrder’ has the access context Company. By default the access rights are ‘Unrestricted’ and a user has the right to read and write purchase orders of all companies. To control the access, the user can be assigned access (in Application and User Management -> Business Users -> Edit Access Rights -> Access Restrictions) to read and/or write purchase orders belonging to a certain set of companies. This brings restricted access to the business object.


[Screenshot: pic1_841918.png]



The access context in the above screenshot is 1007-Company and the Access Context UUID is the company UUID. This means that this instance of the purchase order belongs to company 00145EF588E602DBB8B3AC44715E0CC1, and a user who has been given the access right ‘Read’ for this company can only read the purchase order. If write access is also given for this company, then the user can write to this purchase order as well.


Access control for partner developed business objects


The same function of providing controlled access can be achieved for partner-created business objects. There are two ways of doing so in Cloud Application Studio (CAS).


  1. Link the custom BO to a standard BO that supports the access context required by the custom BO. This is done with the following association in the custom BO definition; it lets the custom BO use the access context of Purchase Order without integrating the custom BO with ACL:

         [RelevantForAccessControl] association For_Access_Control to PurchaseOrder

  2. Integrate the ACL dependent object with the custom BO and use the same concept as the standard business objects. As of today this approach only supports the access context ‘1010-Employee’.

How to integrate ACL with custom business object


In this write-up I will detail the second approach mentioned above to achieve controlled access to a custom business object. The following example is implemented as part of the explanation.


Scenario: A partner has created a business object ‘PurchaseOrder’ and wants to control access to it based on the employee who created the instance. User PGREENE is allowed only to read the records created by TWEBBER, but can read and write the records he created himself.


1. Create a solution in SDK.

2. Add a Business Object ‘PurchaseOrder’ to your solution and activate it. Define the BO as follows: the first three elements represent the employee ID, name and address of the employee who created the PurchaseOrder instance. The element marked with the annotation [AccessControlContext(Employee)] creates an association from the ROOT node to the ACL dependent object. This ACL will have the access context 1010-Employee, and the access context UUID is copied from the attribute ‘OwnEmployeeUUID’.

[Screenshot: pic2_841928.png]

3. Add a script file (Event-AfterModify) that fills the attribute ‘OwnEmployeeUUID’ with the current employee’s UUID; this value is then passed to the ACL node for controlled access.

[Screenshot: pic3_841929.png]

4. Create screens on the business object.

5. Open the .uiwocview file in the UI Designer by double-clicking on it. Under the Properties tab, section RBAMData, set the access context of the WoC View to 1010-Employee. Select the QAF and OIF screens under Assigned Objects. Save and activate.

[Screenshots: pic4_841934.png, pic5_841935.png]

6. Open the OWL file in the UI Designer. Under the Properties tab, section RBAMData, select AccessControlledBusinessObject and remove the flag ‘UnrestrictedAccess’, which is set by default. This makes the OWL load only the data the user is permitted to see according to the access rights.

[Screenshot: pic6_841936.png]

7. On the OWL screen the SELECT_ALL query is set by default for loading the data, but this query does not have the ACL attributes. Use the FSI query ‘QueryByElements’, which is created implicitly with the ROOT node, as the default query to load the data. You can see that this query already includes the ACL node attributes, so it fetches only the relevant data.

[Screenshot: pic7_841937.png]

8. Set the RBAMData for the QAF screen in the same way as for the OWL.

[Screenshot: pic8_841938.png]

9. Assign the new WoC View to the users and set the access rights as follows. For user PGREENE:

    a. READ and WRITE access for PGREENE records
    b. Only READ access for TWEBBER records

[Screenshots: pic9_841939.png, pic10_841943.png, Pic11.png, pic12_841945.png]


10. Create some instances of the custom BO with user PGREENE and with Tony Webber. Test on the UI by loading the OWL and the QAF. In the OWL, PGREENE should see only the records created by PGREENE and TWEBBER. When PGREENE tries to edit a record created by Tony Webber, the error “Not Authorized” is shown.

[Screenshot: pic13_841947.png]

[Screenshot: pic14_841948.png]
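The Event-AfterModify script of step 3, written out as an added example; it is not the script from the original post's screenshot. It fills ‘OwnEmployeeUUID’ with the employee UUID of the logged-on user and adds one guard the step does not mention. Assumed, not taken from the page: the BO element `OwnEmployeeUUID : UUID` carrying the [AccessControlContext(Employee)] annotation from step 2, the `Identity` business object with its `BusinessPartnerUUID` element as the way to map the user identity to the employee, and the import `AP.PlatformServices.Global` for it.

```absl
import ABSL;
import AP.PlatformServices.Global;

/*
  Event-AfterModify on the ROOT node of the custom business object PurchaseOrder.
  Added example, not the script from the original post. It assumes:
    - the BO declares  element OwnEmployeeUUID : UUID;  with the
      [AccessControlContext(Employee)] annotation from step 2, so the value set
      here becomes the Access Context UUID of the instance's ACL node;
    - the Identity business object and its BusinessPartnerUUID element resolve
      the logged-on user to the employee (business partner) UUID; verify the
      namespace and element name in the Repository Explorer of your release.
*/

// Stamp the owner only on the first save. If this assignment ran on every
// modify, any user with write access to the instance (for example an
// administrator with unrestricted access) would silently become its owner,
// and the restriction would follow the last editor instead of the creator.
if (this.OwnEmployeeUUID.IsInitial()) {

	// Identity of the logged-on user: the user account, not yet the employee.
	var identityUUID = Context.GetCurrentIdentityUUID();

	// Assumption: Identity.Retrieve(...) and BusinessPartnerUUID, see header.
	var identity = Identity.Retrieve(identityUUID);

	if (identity.IsSet() && !identity.BusinessPartnerUUID.IsInitial()) {
		// Copied by the framework into the ACL node as the 1010-Employee
		// Access Context UUID.
		this.OwnEmployeeUUID = identity.BusinessPartnerUUID;
	}
	// If the user cannot be mapped to an employee (for example a technical
	// user), OwnEmployeeUUID stays empty. No employee-restricted user then
	// matches the instance; treat such records as a data problem to monitor
	// rather than inventing a fallback owner, which would widen access.
}
```

The `IsInitial()` guard is the point of the example: the ACL follows whatever is in ‘OwnEmployeeUUID’, so ownership must be assigned exactly once at creation, and a later save by a different user must not move the record into that user's access scope.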

I hope this blog was helpful for implementing access control on custom business objects.


4 Comments


  1. Sunil Kumar Maurya

    Hi Babu,

    I can't see Details Restriction. In my case there is no Assign Group ID.

    How do I bring data into Details Restriction?

    I want to restrict a user from reading data or seeing it on the OWL.

    Regards

    Sunil

    (0) 
  2. Fred K

    Hi Babu,

    Is it possible to change the error message in QA because it is difficult for the end user to understand?

    Best Regards,

    Fred

    (0) 
