ABENBDL_AUTHORIZATION_CONTEXT - BDL AUTHORIZATION CONTEXT

This documentation is copyright by SAP AG.

Authorization Context

1. define authorization context ContextName
      [{for disable(modify|read|modify,read)}]
{
   AuthObject1;
  [AuthObject2;]
  [...]
}


Full Authorization Context

2. define own authorization context by privileged mode;
 | define own authorization context by privileged mode and
   {[AuthObject1;] [AuthObject2;] [...]}
 | define own authorization context
   {[AuthObject1;] [AuthObject2;] [...]}


Effect

A CDS behavior definition can define authorization contexts that list several authorization objects that are used for the ABAP statement AUTHORITY-CHECK OBJECT. There are different types of authorization context:

  • Authorization context: Container that lists one or more authorization objects. When an authorization context is activated, the authorization checks for all associated authorization objects always return the value authorized. That is, the respective authorization checks are skipped.

  • Full authorization context: List of the authorization objects that are checked by the implementation methods of the ABAP behavior pool itself, or by existing code that is called by the ABAP behavior pool implementation. The full authorization context documents the authorization objects used in the implementation of the RAP BO in question. This list is checked by certain RAP contract checks.

Certain technical authorization objects must not be used in an authorization context. They can only be used in full authorization contexts. A violation is reported as a syntax check error.

Authorization objects are configured in transaction SU21. They can be enabled or disabled for usage in a full authorization context and in BDEF privileged mode. This configuration must be respected; otherwise, a syntax check warning occurs, and in strict mode 2, a syntax check error occurs.

Note

Connection between authorization context and full authorization context: Even though the syntax is similar, define authorization context and define own authorization context are not connected and have a different effect.

  • define authorization context defines a list of authorization objects that can be skipped in certain scenarios. This list might contain a subset of authorization objects of the full authorization context.
  • define own authorization context should be an exhaustive list of authorization objects that are part of the behavior pool or part of existing code which is called by the behavior pool. It might be a superset of the authorization context.
  • define authorization context ContextName for disable can contain authorization objects which are not part of the full authorization context. These authorization objects can be of a different technical type and they can always be skipped for read operations, or modify operations, or both.

Example

The following managed BDEF defines three authorization contexts:

  • Full authorization context: Lists all authorization objects used by the RAP BO implementation.
  • NoCheckWhenPrivileged: Lists authorization objects that can be skipped by a RAP BO consumer with privileged access. Subset of the full authorization context.
  • NoCheckWhenReadingorModifying: Lists authorization objects that can be skipped in read or modify operations.

In this example, the authorization context NoCheckWhenPrivileged contains a subset of authorization objects of the full authorization context. The full authorization context documents all authorization objects that are used by a RAP BO implementation and NoCheckWhenPrivileged defines which ones of them can be skipped in privileged mode.
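
The relationship between the three kinds of context can be checked mechanically when reviewing a BDEF. The following Python sketch is an added example, not SAP's code and not the BDEF this page refers to: it lists which authorization checks each named context can skip and flags objects of a plain context that the full authorization context does not document. The Z_DEMO_* object names, the quoting of object names, and the needs_review heuristic are assumptions of this example.

```python
import re

# Constructed sample BDEF fragment; Z_DEMO_* are placeholder object names and
# quoting them is an assumption (the parser accepts quoted or bare names).
SAMPLE_BDEF = """
define own authorization context
{ 'Z_DEMO_A'; 'Z_DEMO_B'; }
define authorization context NoCheckWhenPrivileged
{ 'Z_DEMO_A'; 'Z_DEMO_C'; }
define authorization context NoCheckWhenReadingorModifying for disable(modify,read)
{ 'Z_DEMO_D'; }
"""

# Brace forms of both statements; the "by privileged mode" variants are not parsed.
_CTX = re.compile(
    r"define\s+(own\s+)?authorization\s+context\s*(\w+)?\s*"
    r"(?:for\s+disable\s*\(([^)]*)\))?\s*\{([^}]*)\}",
    re.IGNORECASE,
)

def parse_contexts(bdef):
    """Return (full, named); named maps ContextName -> (operations, objects)."""
    full, named = None, {}
    for own, name, ops, body in _CTX.findall(bdef):
        objs = {o.strip().strip("'") for o in body.split(";") if o.strip()}
        if own:
            full = objs  # the full ("own") authorization context
        else:
            named[name] = ({o.strip().lower() for o in ops.split(",") if o.strip()}, objs)
    return full, named

def review(bdef):
    """Per named context: skippable checks and objects missing from the full context."""
    full, named = parse_contexts(bdef)
    findings = []
    for name, (ops, objs) in sorted(named.items()):
        outside = sorted(objs - (full or set()))
        findings.append({
            "context": name,
            "for_disable": sorted(ops),
            "skipped": sorted(objs),
            "outside_full": outside,
            # 'for disable' contexts may list objects outside the full context,
            # so only plain contexts are flagged (heuristic of this example).
            "needs_review": bool(outside) and not ops,
        })
    return findings
```

Calling review(SAMPLE_BDEF) flags Z_DEMO_C in NoCheckWhenPrivileged, because that object can be skipped in privileged mode but is missing from the full authorization context.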
