Abhishek Sharma

ABAP RAP – Instance Authorization

Hello,

In this beginner blog post, we are going to see how to use authorizations (instance authorization) in the ABAP RESTful Application Programming Model.

 

Ref: https://help.sap.com/docs/BTP/923180ddb98240829d935862025004d6/2f888de9d96e44acbfde2936d2c8bf24.html

 

 

Instance Authorization

Instance authorization is used for all authorization checks that, in addition to the user role, depend on the state of the entity instance. With instance authorization, you can define authorization on a field or operation (UPDATE, DELETE). Instance authorization is only possible for instance-based operations.

Instance authorization is not available for the CREATE operation.

 

Step 1

Add the instance keyword to the behavior definition file.

Define instance authorization in the behavior definition and implement it in the behavior implementation class.

 

 

Step 2

Add the method to the behavior implementation class.

Use the quick fix option in the behavior definition editor to generate the method declaration for the authorization control in the behavior implementation class.

This generates a new method definition, which holds the custom code for the authorization check.

 

Step 3

Implement the GET_INSTANCE_AUTHORIZATIONS method with the code below.

REQUESTED_AUTHORIZATIONS is an importing parameter that identifies which authorization control is requested by the user.

In our demo scenario, we have requested UPDATE or EDIT authorization.

The RESULT parameter is available and must be filled with the authorization result.

 

  METHOD get_instance_authorizations.

    DATA: update_requested TYPE abap_bool,
          update_granted   TYPE abap_bool.

    " Read the Status field of the instances the request refers to.
    READ ENTITIES OF zi_student_5000 IN LOCAL MODE
      ENTITY Student
      FIELDS ( Status ) WITH CORRESPONDING #( keys )
      RESULT DATA(studentadmitted)
      FAILED failed.
    CHECK studentadmitted IS NOT INITIAL.

    " Was authorization for UPDATE or for the Edit action requested?
    update_requested = COND #( WHEN requested_authorizations-%update      = if_abap_behv=>mk-on OR
                                    requested_authorizations-%action-Edit = if_abap_behv=>mk-on
                               THEN abap_true ELSE abap_false ).

    LOOP AT studentadmitted ASSIGNING FIELD-SYMBOL(<lfs_studentadmitted>).
      " Only students that are not yet admitted are checked.
      IF <lfs_studentadmitted>-Status = abap_false.
        IF update_requested = abap_true.
          update_granted = is_update_allowed( ).
          IF update_granted = abap_false.
            " This implementation signals the denial through FAILED and
            " REPORTED; it does not fill RESULT.
            APPEND VALUE #( %tky = <lfs_studentadmitted>-%tky ) TO failed-student.
            " Attach the message to the instance being checked, not to keys[ 1 ].
            APPEND VALUE #( %tky = <lfs_studentadmitted>-%tky
                            %msg = new_message_with_text(
                                     severity = if_abap_behv_message=>severity-error
                                     text     = 'No Authorization to update status!!!' )
                          ) TO reported-student.
          ENDIF.
        ENDIF.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

 

Testing Instance Auth. Implementation

 

For the test, the IS_UPDATE_ALLOWED method simulates an authorization object check by returning ABAP_FALSE, which means the authorization check failed.

 

 

Run the application and click the Set Admitted button.

 

Since the method IS_UPDATE_ALLOWED returned ABAP_FALSE, which simulates a failed check against an actual authorization object, an error message is displayed to the user.
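
Outside the test, IS_UPDATE_ALLOWED would call a real authorization object check instead of returning a fixed value. The following is an added example, not code from the original post: the authorization object ZSTUDSTAT is a hypothetical placeholder assumed to carry the standard ACTVT field, and the declaration is inferred from the call is_update_allowed( ) in Step 3.

```abap
" Added example. ZSTUDSTAT is a hypothetical authorization object with the
" standard activity field ACTVT; replace it with your own object.

" Declaration: goes into the PRIVATE SECTION of the behavior handler class,
" next to get_instance_authorizations.
METHODS is_update_allowed
  RETURNING VALUE(update_allowed) TYPE abap_bool.

" Implementation: goes into the IMPLEMENTATION part of the same class.
METHOD is_update_allowed.
  " Fail closed: the caller gets abap_false unless the check
  " explicitly succeeds.
  update_allowed = abap_false.

  " Activity 02 = Change. Without a FOR USER addition the check runs
  " against the authorizations of the current user.
  AUTHORITY-CHECK OBJECT 'ZSTUDSTAT'
    ID 'ACTVT' FIELD '02'.

  " sy-subrc = 0 is the only success value. 4 (values not authorized),
  " 12 (no authorization for the object at all) and every other
  " nonzero code are treated as a denial.
  IF sy-subrc = 0.
    update_allowed = abap_true.
  ENDIF.
ENDMETHOD.
```

Because the result does not depend on the instance, the check can also be evaluated once before the loop in GET_INSTANCE_AUTHORIZATIONS rather than once per student.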

 

 

Previous Blog Post : Global Authorization in ABAP RAP

 

 

Thanks-

Abhishek

 


      3 Comments
      DurgaPrasanth vemula

      Hi Abhishek Sharma,

      I am getting the below error. Is there anything I missed?

       

      The data object "REQUESTED_AUTHORIZATIONS" does not have a component called "%ACTION-EDIT".

      thanks

       

      Abhishek Sharma
      Blog Post Author

      Hi Durgaprasanth,

      Try to use the auto-suggest feature (Ctrl + Space) to get

      requested_authorizations-%action-Edit

      Comment or share code if you still face issue.

      Hope this helps…

       

      Thanks-

      Abhishek

       

       

      Tristan Heisecke

      Hi Abhishek,

      thank you for your helpful blog and video.

      Do you know if it is possible to use the information from the instance authorization in the feature control, that actions for which I am not authorized are also disabled?

       

      Thanks and Best Regards
      Tristan