Attribute based user authorization for document access in SAP LBN Global Track and Trace(LBN-GTT)
Today I am trying to address one of the most common requirement for an Logistics Business Network Global Track and Trace(LBN-GTT) customers – restrict access to documents based on some attributes on the tracked documents like display only sales orders where source plant is in country XX or display freight orders(shipments) where purchase organization is XYZ.
In the February release for LBN-GTT, there are new features introduced which makes this functional realization very easy.
Here I am planning to provide authorization for a set of users based on sales order(ship-to-part country) as an example. For this there will be two high-level steps
- Add a custom field (ZZ_FIELD)to GTT standard model and pass the ship-to-party country value from backend system(in this example, SAP S/4HANA)
- Use this custom field value as a base for authorizing user for sales orders- i.e.; restrict access to sales orders in GTT to a set users where order ship-to-party country is ‘US’.
You can refer my blog to realize step 1 on how to add a custom field(ZZ_FIELD) in LBN-GTT standard models.
In this blog, I am configuring the step 2. The major steps are as follows;
2.1 Create a new role and assign the required value as base for authorization(steps to do in BTP sub-account)
2.2 Assign role to role collection and assign role collection to user(steps to do in BTP Sub-account)
2.3 Enhance the standard model for tracked process ‘sales order’ to add role attribute (steps to do in LBN-GTT Manage Model app)
2.1 Create a new role and assign the required value as base for authorization(steps in BTP sub-account)
2.1.1 : Navigate to the SAP BTP sub-account where LBN-GTT is subscribed. On the left side panel, navigate to Security–>Roles (your user must have role ‘User and Role Administrator’ in this sub-account to view Security section). Search for role ‘ReadServiceAttributeTemplate’. Based on your subscription(customer/partner/test etc.), the application name may vary for this role. Under the column ‘Add Role’, click the Create Role link as shown below. In the screenshot I have already created the role, but for you the link will be against the ‘ReadServiceAttributeTempalate’ role name.
2.1.2 : Create Role popup will appear, provide a role name and description, click Next
2.1.3 : LBN-GTT allows up to 9 different attributes which can be used for user authorization. You can map these role authorization attributes to the GTT model business document attributes. In later steps. Here in this case, we just use one attribute gttUserAuthAttribute001. So we set all others as ‘Unrestricted’. And keep a static value for this attribute. Set a static value US(the value of custom field from sales order using which I want to restrict access). Don’t forget to press ‘Enter’ to make the Next button active.
2.2 : Assign the role to a role collection and based on your IdP setup, assign role collection to user or user groups.
2.3 Enhance the standard model for tracked process ‘sales order’ to add role attribute (steps in LBN-GTT Manage Model app)
2.3.1 : Login to LBN-GTT and navigate to ‘Manage Models’ app
2.3.2: select the standard model ‘gttft1’
2.3.3 : Click Edit on top right corner and select the ‘SalesOrder’ Tracked Process from the list of Standard tracked processes. You can see the ZZ_FIELD(we created in Step 1, refer blog ), under User Model Fields section. Click the pencil icon on the ZZ_FIELD row and select the gttUserAuthAttribute001 as role attribute. Remember when we create role in step 2.1.3, we selected this attribute and set a static value of ‘US’.
Click Save. Now the changes are saved in draft view of the model. You must deploy it to make the changes in effect. Click ‘Deploy’ button. It may takes couple of seconds to get it deployed. The status of the model will be Active once it is successfully deployed. You can also view the changes in the active model by switching the model view to ‘Deployed’ to make sure changes are done correctly.
We are done with the required configuration!
Now look at the sales order fulfillment app. A user with the new role we created at step 2.1.3, will see ONLY sales order with custom field value ‘US’
A user without having this role will see all sales orders irrespective of custom field value.