Data Access Management for Custom Business Objects
Custom Business Objects (CBO) is a Fiori application with which you can define custom business objects as per your requirements and manage them. CBO is basically a hierarchical set of database tables with an API for the creation, retrieval, update and deletion of data. For more detail about CBO please see https://developers.sap.com/group.abap-extensibiliy-cbo-cce-ccl.html.
If you store personal data in your CBO, data protection is legally required. The CBO application now supports data access management by providing security features relevant to data protection, such as blocking data once its primary business purpose is completed and ensuring that only specific people have the appropriate access to blocked or active CBO instances.
In this blog post you are going to learn how to enable access management for your CBOs.
Check-marking Data Access Management
For each custom business object, you can check-mark the Data Access Management option on the general information page.
Figure 1: Custom Business Object with Data Access Management
Check-marking Data Access Management will automatically check-mark System Administrative Data, Service Generation and Change Documents as well, as they are required for the process.
Why are they required? Changing the business purpose of instances is quite critical. It is essential to record when and by whom the status of an instance was switched. This record of the change is kept by Change Documents together with System Administrative Data.
By check-marking Data Access Management, the “Lifecycle Status” field is automatically added to each node of the custom business object. The purpose of this field is to indicate the business purpose of the record in the system. The Lifecycle Status field is a text field and it can have the value ‘A’ for Active or ‘C’ for Purpose Completed. The initial value for new instances is always Active.
Figure 2: Lifecycle Status Field in Parent Node
Figure 3: Lifecycle Status Field in Child Node
Once a record has reached the end of its purpose, you can set the Lifecycle Status field to Purpose Completed. This prevents the data from being processed any further: blocked data cannot be deleted, changed or have actions performed on it. Only users who are assigned additional authorisations have read access to blocked instances.
Check-marking Data Access Management with UI Generation
If the UI Generation flag is checked, check-marking Data Access Management generates two different apps, one for business users and one for auditors. At the end of the generation step, you will have apps with different access authorisations to records. The generated apps are:
The app *CustomBusinessObjectName*_SCBO is generated for business users. With this app, business users have the following authorisations, and only for instances whose Lifecycle Status is Active:
| Activity | Activity Text | Access Category Code |
| --- | --- | --- |
| 01 | Create or generate | Write |
To assign this app to business users, you can use the Maintain Catalogs link on the Custom Business Object general information page.
After the assignment of catalogs, a business user who has such a catalog under their role will be able to perform the listed activities on active CBO instances. They can create, change, and delete active data, or perform actions on it. However, they cannot read, change, or delete blocked data, or perform any actions on it.
The other generated CBO application, *CustomBusinessObjectName*_SCBA, is aimed at auditor users. They only have read access, on both active and purpose completed instances:
| Activity | Activity Text | Access Category Code |
| --- | --- | --- |
The assignment of the *CustomBusinessObjectName*_SCBA application to catalogs cannot be done via the Maintain Catalogs link. You have to go to the Custom Catalog Extensions app and search for the *CustomBusinessObjectName*_SCBA application name. Then you need to assign a business catalog and publish it. Now a user who has the business role assigned to that catalog has read access to all active and purpose completed CBO records. They cannot create, change or delete either blocked or active data, or perform actions on it; they can only display instances.
Setting the Lifecycle Status for a Custom Business Object
Now the question arises: how can users change the lifecycle status of CBO instances? You can find all available documentation on setting the lifecycle status here: https://help.sap.com/viewer/0f69f8fb28ac4bf48d2b57b9637e81fa/1908.500/en-US/8afd58ed2fb84f0bbb02cccfb20f7b8c.html
As you can read in the documentation, setting the lifecycle status to Purpose Completed can be done via an action or via the Write-API. Only in urgent cases can you set the lifecycle status back from Purpose Completed to Active, and you can only do this with the Write-API. However, if your CBO has an association to a business partner (BuPa), and the corresponding BuPa has already completed its business purpose, the Write-API will not revert the completed purpose to Active and you will get an error. This check is performed to protect the consistency between BuPa and CBO instances.
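To make the rules described above testable, here is a small Python model of the authorisation matrix (business users versus auditors, Active versus Purpose Completed) and of the status-switch checks, including the Write-API-only revert and the business partner consistency check. It is an added example, not SAP's implementation or the CBO API; the class, function and role names are assumptions.

```python
"""Constructed model of the CBO Data Access Management rules (not SAP code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

ACTIVE = "A"             # Lifecycle Status value for Active
PURPOSE_COMPLETED = "C"  # Lifecycle Status value for Purpose Completed
ACTIVITIES = {"read", "create", "change", "delete", "action"}


class Role(Enum):
    BUSINESS_USER = "SCBO"  # users of the generated <CBO>_SCBO app
    AUDITOR = "SCBA"        # users of the generated <CBO>_SCBA app


@dataclass
class Instance:
    key: str
    lifecycle_status: str = ACTIVE
    bupa_purpose_completed: Optional[bool] = None  # None: no BuPa association
    change_documents: List[Tuple[str, str, str]] = field(default_factory=list)


def is_allowed(role: Role, activity: str, inst: Instance) -> bool:
    """Auditors may only read, but see active and blocked instances alike;
    business users may do everything, but only on active instances."""
    if activity not in ACTIVITIES:
        raise ValueError(f"unknown activity {activity!r}")
    if role is Role.AUDITOR:
        return activity == "read"
    if role is Role.BUSINESS_USER:
        return inst.lifecycle_status == ACTIVE
    return False


def set_lifecycle_status(inst: Instance, new_status: str, user: str,
                         via_write_api: bool) -> Tuple[bool, str]:
    """Switch the status and write a change document (who, old, new).
    A -> C works via an action or the Write-API; C -> A needs the Write-API
    and is refused when the associated BuPa has completed its purpose."""
    if new_status not in (ACTIVE, PURPOSE_COMPLETED):
        return False, "invalid lifecycle status"
    old = inst.lifecycle_status
    if new_status == old:
        return False, "status unchanged"
    if new_status == ACTIVE:
        if not via_write_api:
            return False, "revert to active is only possible via the Write-API"
        if inst.bupa_purpose_completed:
            return False, "associated business partner has completed its purpose"
    inst.lifecycle_status = new_status
    inst.change_documents.append((user, old, new_status))
    return True, "ok"
```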