ABAP RAP – Instance Authorization

Hello,

In this beginner blog post we are going to see how we can use Authorizations (Instance Authorization) in ABAP Restful Application Programming Model.

Ref: https://help.sap.com/docs/BTP/923180ddb98240829d935862025004d6/2f888de9d96e44acbfde2936d2c8bf24.html

Instance Authorization

Instance authorization is used for all authorization checks, in addition to the user role. With instance authorization, you can define authorization on a field or operation (UPDATE, DELETE). Instance authorization is only possible for instance-based operations.

Instance authorization is not available for CREATE operation.

Step 1

Add Instance keyword in Behavior Definition file.

Define Instance authorization in the behavior definition and implement it in the behavior implementation class

Step 2

Add method in Behavior Definition Implementation class.

Use quick fix option available to generate the method declaration for the authorization control in the behavior Implementation from behavior definition editor.

Got new method Definition, which is used to put custom code for Authorization Check

Step 3

Implement GET_INSTANCE_AUTHORIZATION method with below code.

REQUESTED_AUTHORIZATION is Importing parameter which identified which authorization control is requested by user.

In our demo scenario we have requested UPDATE or EDIT authorization.

RESULT parameter is available which must be filled with AUTHORIZATION result.

  METHOD get_instance_authorizations.

  DATA: update_requested type abap_bool,
        update_grtanted TYPE abap_bool.

  READ ENTITIES OF zi_student_5000 IN LOCAL MODE
    ENTITY Student
    FIELDS ( Status ) WITH CORRESPONDING #( keys )
    RESULT DATA(studentadmitted)
    FAILED failed.
  CHECK studentadmitted is not initial.
  update_requested = COND #( WHEN requested_authorizations-%update = if_abap_behv=>mk-on OR
                                  requested_authorizations-%action-Edit = if_abap_behv=>mk-on THEN
                                  abap_true ELSE abap_false ).

  loop at studentadmitted ASSIGNING FIELD-SYMBOL(<lfs_studentadmitted>).
    if <lfs_studentadmitted>-Status = abap_false.
        if update_requested = abap_true.
            update_grtanted = is_update_allowed(  ).
            if update_grtanted = abap_false.
                APPEND VALUE #(  %tky = <lfs_studentadmitted>-%tky ) to failed-student.
                APPEND VALUE #( %tky = keys[ 1 ]-%tky
                                %msg = new_message_with_text(
                                    severity = if_abap_behv_message=>severity-error
                                    text = 'No Authorization to update status!!!'
                                )
                ) to reported-student.
            ENDIF.
        endif.
    endif.
  endloop.
  ENDMETHOD.

Testing Instance Auth. Implementation

Simulating IS_UPDATE_ALLOWED method for Authorization Object Check by returning ABAP_FALSE, which says Authorization check failed.

Run application and click on Set Admitted button.

Since the method IS_UPDATE_ALLOWED returned ABAP_FALSE, which is simulation for Actual Authorization Object returned ABAP_FALSE

Error message is displayed to user.

Previous Blog Post : Global Authorization in ABAP RAP

Thanks-

Abhishek