Jerry Wang

How to implement dynamic access control based on custom BO using OWL

My series of Cloud Application Studio Blogs

Suppose I have a custom BO named TestBO with the following fields:
import AP.Common.GDT as apCommonGDT;
import AP.FO.BusinessPartner.Global;

businessobject TestBO {
	[Label("Agreement ID")] [AlternativeKey] element AgreementID:ID;
	[Label("Start Date")] element StartDate:Date;
	[Label("Close Date")] element CloseDate:Date;
	[Label("Duration")] element Duration:NumberValue;
	[Label("IsOverDue")] element IsOverDue:Indicator;
	[Label("Quantity")] element Quantity: Quantity;
	[Label("ProductName")] element ProductName: LANGUAGEINDEPENDENT_EXTENDED_Text;
	// Transient: not persisted, filled at runtime by the AfterLoading event
	[Label("DepartmentName")] [Transient] element DepartmentName:LANGUAGEINDEPENDENT_EXTENDED_Text;
	[DependentObject(AttachmentFolder)] node Attachment;
}
And here is some test data displayed in the OWL:
Now I would like to achieve the dynamic access control described below:
Suppose the currently logged-on user is assigned to an organization unit that is only allowed to sell the product named “Laptop”. This business user SHOULD ONLY see the entries whose ProductName equals Laptop. That is to say, the last two entries in the picture above, with ProductName Monitor, should be filtered out.

The restriction that employees within a given Organization Unit are only allowed to sell Laptop

For demonstration purposes I simply reuse the standard field “Department Name” to store the name of the sellable product.
And I assign myself to this organization unit, which means the employee Jerry Wang is only allowed to sell Laptop.
Now I implement this dynamic access control in a new OWL named TestBORestricted_OWL.
Below is the result: I have put this new OWL into a new tab in the Thing Inspector, and once it is launched, only entries whose ProductName equals Laptop are displayed. The other entries are filtered out because this employee is not allowed to sell them.

Implementation Detail

Here is the step-by-step implementation:
1. Create an AfterLoading event in TestBO with the mass-enabled checkbox unselected,
and implement the following ABSL code to fill the transient field with the name of the product that the currently logged-on user is allowed to sell.
import ABSL;
import AP.PC.IdentityManagement.Global;
import AP.FO.BusinessPartner.Global;

var queryByIdentityUUID = Identity.QueryByElements;
var queryByIdentityUUIDParameter = queryByIdentityUUID.CreateSelectionParams();
var queryByEmployeeBPUUID = Employee.QueryByIdentification;
var queryByEmployeeBPUUIDParameter = queryByEmployeeBPUUID.CreateSelectionParams();

// Only look up the organization unit when the transient field is still empty
if ( this.DepartmentName.IsInitial() ) {
	// Identity of the currently logged-on user
	var id = Context.GetCurrentIdentityUUID().content;
	queryByIdentityUUIDParameter.Add( queryByIdentityUUID.UUID.content, "I", "EQ", id.ToString() );
	var result = queryByIdentityUUID.Execute(queryByIdentityUUIDParameter);
	var first = result.GetFirst(); // points to identity instance
	var person = first.Person;
	var bpUUId = person.UUID.content;
	// Employee that belongs to this identity
	queryByEmployeeBPUUIDParameter.Add( queryByEmployeeBPUUID.UUID.content, "I", "EQ", bpUUId.ToString() );
	var employeeQueryResult = queryByEmployeeBPUUID.Execute(queryByEmployeeBPUUIDParameter);
	var EmployeeQueryResultCurrent = employeeQueryResult.GetFirst();
	if ( EmployeeQueryResultCurrent.OrganisationalUnitAssignment.Count() > 0 ) {
		var assignedOrg = EmployeeQueryResultCurrent.OrganisationalUnitAssignment.GetFirst();
		var org = assignedOrg.ToRoot;
		// readOnly in AfterLoading event
		this.DepartmentName = org.NameAndAddress.AddressSnapshot.NameSuitableForLogonLanguage.GetFirst().Name.SecondLineName;
	}
}
2. In the new TestBORestricted_OWL, create a new field ProductName under the search structure SearchParameters.
Bind the query to the QueryByElements modelled in TestBO and bind the query parameter ProductName to the field ProductName under SearchParameters.
Create a new inport and bind its parameter to the field mentioned above as well.
3. Create a new outport in the Thing Inspector and bind the parameter productName to the transient field DepartmentName filled in step 1.
Create a new tab in the Thing Inspector and drag the new OWL into it. Click the Bind button:
Bind the parameter of the outport defined in the TI to the one in the inport of the new OWL.
With all the steps above done, the sellable product name calculated by ABSL is passed from the TI to the new OWL via parameter passing during navigation and is taken into account when the query of the new OWL is executed. As a result, the restriction takes effect through this ProductName search parameter.
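
A small Python model of this parameter flow, added here as an illustration and not code from the original post, shows what the restriction depends on: the OWL filters only on the ProductName value it receives. It assumes that an empty search parameter adds no condition to the query, so a user without an organization unit assignment would see every entry unless the flow fails closed; the row data, user names and function names are constructed for the example.

```python
# Added illustration: a plain-Python model of the TI -> OWL parameter flow.
# All data below is constructed; nothing here calls an SAP API.

# Constructed TestBO entries: (AgreementID, ProductName)
TEST_BO_ROWS = [
    ("A001", "Laptop"),
    ("A002", "Laptop"),
    ("A003", "Monitor"),
    ("A004", "Monitor"),
]

# Constructed assignments: user -> "Department Name" of the organization unit,
# which the post reuses to store the name of the sellable product.
ORG_UNIT_DEPARTMENT_NAME = {"JERRY": "Laptop"}


def sellable_product(user):
    """Step 1: value of the transient DepartmentName for this user.

    Stays empty when the user has no organization unit assignment.
    """
    return ORG_UNIT_DEPARTMENT_NAME.get(user, "")


def query_by_elements(rows, product_name):
    """Step 2: the OWL query with its ProductName search parameter.

    Assumption: an empty search parameter adds no condition to the query.
    """
    if product_name == "":
        return list(rows)
    return [row for row in rows if row[1] == product_name]


def restricted_owl(user, fail_closed=False):
    """Step 3: the Thing Inspector passes DepartmentName to the OWL inport."""
    product_name = sellable_product(user)
    if fail_closed and product_name == "":
        # Hardened variant: no sellable product means no visible entries.
        return []
    return query_by_elements(TEST_BO_ROWS, product_name)


if __name__ == "__main__":
    print(restricted_owl("JERRY"))
    print(restricted_owl("UNASSIGNED"))
    print(restricted_owl("UNASSIGNED", fail_closed=True))
```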
