Execute Business Configuration Service and Implement Authorization Check for Modify Operations

0 %

Execute Business Configuration Service and Implement Authorization Check for Modify Operations

Details

Execute Business Configuration Service and Implement Authorization Check for Modify Operations

Requires Customer/Partner License

Merve Temel

February 22, 2021

Created by

February 18, 2021

Beginner

20 min.

Register your business configuration in SAP Fiori Launchpad. Provide authorizations for a business configuration and implement an authorization check for modify operations.

You will learn

How to execute class to register business configuration
How to define authorization check for read operations
How to provide authorizations for a business configuration
How to implement authorization check for modify operations

Prerequisites

You need a SAP BTP, ABAP environment license.

The Maintain Business Configurations app serves as an entry point to the configuration objects provided by different applications or partners. You can use the app to adjust these configuration objects to change and influence the system behavior.

HINT: You don’t need to create your own Fiori app for a Business Configuration service if you are using the Maintain Business Configurations app

Step 1: Execute class to register business configuration

View Full Instructions

You can now register your service with this app via the Maintain Business Configurations API.

Right-click on Classes and select New > ABAP Class.
Create a new ABAP class:
- Name: ZCL_CAL_REGISTER_BC_XXX
- Description: Class for business configuration
Click Next >.
Click Finish.

Enter the correct data for iv_namespace and iv_transport in your global class. iv_transport is your transport request, which you can find in the transport organizer. You can use iv_namespace to set your namespace.

CLASS zcl_cal_register_bc_xxx DEFINITION
  PUBLIC
  INHERITING FROM cl_xco_cp_adt_simple_classrun
  FINAL
  CREATE PUBLIC .

  PUBLIC SECTION.
  PROTECTED SECTION.
    METHODS: main REDEFINITION.
  PRIVATE SECTION.
ENDCLASS.

CLASS zcl_cal_register_bc_xxx IMPLEMENTATION.

  METHOD main.

    DATA(lo_business_configuration) = mbc_cp_api=>business_configuration(
      iv_identifier = 'ZCAL'
      iv_namespace  = '' ).

    TRY.
        lo_business_configuration->create(
          iv_name                  = 'Z_CAL_MANAGED_XXX'
          iv_description           = 'Public Holiday Calendar'
          iv_service_binding       = 'ZCAL_UI_HOLIDAY_XXX'
          iv_service_name          = 'ZCAL_UI_HOLIDAY_XXX'
          iv_service_version       = 0001
          iv_root_entity_set       = 'HolidayRoot'
          iv_transport             = ''
        ).
        out->write( 'done' ).
      CATCH cx_mbc_api_exception INTO DATA(lx_err).
        out->write( lx_err ).
    ENDTRY.
  ENDMETHOD.
ENDCLASS.

Save and activate.
Execute the class by pressing F9. Now you should see following in the ABAP console.
Log on to the ABAP system and start the Maintain Business Configurations app. Search for Z_CAL_MANAGED_XXX to see your business configuration.

When selecting the entry, an user interface identical to the preview app of the service is rendered.

Done

Log on to answer question

Step 2: Define authorization check for read operations

View Full Instructions

Authorization control in RAP protects your business object against unauthorized access to data.

To protect data from unauthorized read access, the ABAP CDS provides its own authorization concept based on a data control language (DCL). To restrict read access to RAP business objects, it is sufficient to model DCL for the CDS entities used in RAP business objects.

In the project explorer, right click on Data Definitions and select New > Access Control.
Create a new access control:
- Name: ZCAL_I_HOLIDAY_XXX
- Description: Access control for cds view
Click Next >.
Click Next >.
Select Define Role with PFCG Aspect as template and click Finish.

Define the check on authorization object S_TABU_NAM with activity 03 (read) and table equal to the name of your root CDS View.

@EndUserText.label: 'Access control for cds view'
@MappingRole: true
define role ZCAL_I_HOLIDAY_XXX {
  grant
    select
      on
        ZCAL_I_HOLIDAY_XXX
          where
            ( ) = aspect pfcg_auth( S_TABU_NAM, TABLE = 'ZCAL_I_HOLIDAY_XXX', ACTVT = '03' );

}

Save and activate.
In the project explorer, right click on Data Definitions and select New > Access Control.
Create a new access control:
- Name: ZCAL_C_HOLIDAY_XXX
- Description: Access control for projection view holiday
Click Next >.
Click Next >.
Select Define Role with inherited Conditions as template and click Finish.

Choose ZCAL_I_HOLIDAY_XXX as the entity where the conditions are inherited.

@EndUserText.label: 'Access control for projection view holiday'
@MappingRole: true
define role ZCAL_C_HOLIDAY_XXX {
  grant
    select
      on
        ZCAL_C_HOLIDAY_XXX
          where
            inheriting conditions from entity ZCAL_I_HOLIDAY_XXX;

}

Save and activate.
In the project explorer, right click on Data Definitions and select New > Access Control.
Create a new access control:
- Name: ZCAL_I_HOLIDAYTXT_XXX
- Description: Access control for CDS view holiday text
Click Next >.
Click Next >.
Select Define Role with inherited Conditions as template and click Finish.

Choose ZCAL_I_HOLIDAY_XXX as the entity where the conditions are inherited.

@EndUserText.label: 'Access control for cds view holiday text'
@MappingRole: true
define role ZCAL_I_HOLIDAYTXT_XXX {
  grant
    select
      on
        ZCAL_I_HOLIDAYTXT_XXX
          where
            inheriting conditions from entity ZCAL_I_HOLIDAY_XXX;

}

Save and activate.
In the project explorer, right click on Data Definitions and select New > Access Control.
Create a new access control:
- Name: ZCAL_C_HOLIDAYTXT_XXX
- Description: Access control for holiday text
Click Next >.
Click Next >.
Select Define Role with inherited Conditions as template and click Finish.

Replace your code with following.

@EndUserText.label: 'Access control for holiday text'
@MappingRole: true
define role ZCAL_C_HOLIDAYTXT_XXX {
  grant
    select
      on
        ZCAL_C_HOLIDAYTXT_XXX
          where
            inheriting conditions from entity ZCAL_I_HOLIDAYTXT_XXX;

}

Save and activate.

Done

Log on to answer question

Step 3: Provide authorizations for a business configuration

Right-click on Z_CALENDAR_XXX and select New > Other ABAP Repository Object.
Search for IAM App, select it and click Next >.
Create a new IAM app:
- Name:ZCAL_UI_HOLIDAY_O4_XXX
- Description: IAM App for factory calendar
- Application Type: MBC - Business Configuration App
Click Next >.
Click Finish.
Select Services and add a new service to the IAM App.
Add service to IAM app:
- Service Type: OData V4
- Service Name: ZCAL_UI_HOLIDAY_XXX
Click OK.
Select Authorization and add an authorization object to the IAM App.
Search for S_TABU_NAM and click OK to add the authorization object.
Click S_TABU_NAM and add Display to ACTVT and ZCAL_I_HOLIDAY_XXX to TABLE.
Save, activate and publish the IAM app.
Right-click on Z_CALENDAR_XXX and select New > Other ABAP Repository Object.
Search for Business Catalog, select it and click Next >.
Create a new business catalog:
- Name: Z_BC_HOLIDAY_XXX
- Description: Business catalog for holiday
Click Next >.
Click Finish.
Select Apps and add a new app to the business catalog.
Add app to business catalog:
- IAM App: ZCAL_UI_HOLIDAY_O4_XXX_MBC
- Name: Z_BC_HOLIDAY_XXX_0001
- Description: Business Catalog to IAM App assignment
Click Next >.
Click Finish.
Click Publish Locally.

Once you have created the IAM app and business catalog, assign the catalog to a business role on the SAP Fiori Launchpad by following this user guide. Finally, follow this user guide to assign the business role to business users to grant the rights to use your business configuration inside the maintain business configurations SAP Fiori app.

Done

Log on to answer question

Step 4: Implement authorization check for modify operations

View Full Instructions

In RAP business objects, modifying operations, such as standard operations and actions can be checked against unauthorized access during runtime.

Open behavior definition ZCAL_I_HOLIDAY_XXX and add authorization master( global ) to the root entity and authorization dependent by _Public_Holiday to the text entity.

managed with additional save implementation in class zbp_cal_i_holiday_xxx unique;
with draft;

define behavior for ZCAL_I_HOLIDAY_XXX alias HolidayRoot
persistent table zcal_holiday_xxx
draft table zcal_d_holi_xxx
lock master total etag last_changed_at
authorization master( global )
etag master local_last_changed_at
{
  create;
  update;

  field ( readonly : update ) HolidayId;
  field ( readonly ) configdeprecationcode;

  association _HolidayTxt { create; with draft; }

  validation val_transport on save
  { create; update; delete; }

  action ( features : instance ) deprecate result [1] $self;
  delete ( features : global );

  mapping for zcal_holiday_xxx corresponding
  {
    HolidayId = holiday_id;
    MonthOfHoliday = month_of_holiday;
    DayOfHoliday = day_of_holiday;
  }
}

define behavior for ZCAL_I_HOLIDAYTXT_XXX alias HolidayText
persistent table zcal_holitxt_xxx
draft table zcal_d_holit_xxx
authorization dependent by _Public_Holiday
etag dependent by _Public_Holiday
lock dependent by _Public_Holiday
{
  update;
  delete;
  field ( readonly : update ) HolidayId;
  field ( readonly : update ) Language;

  association _Public_Holiday { with draft; }

  validation val_transport on save
  { create; update; delete; }

  mapping for zcal_holitxt_xxx corresponding
  {
    Language = spras;
    HolidayId = holiday_id;
    HolidayDescription = fcal_description;
  }
}

Place the cursor on ZCAL_I_HOLIDAY_XXX and use the quick assist CTRL+1 to create the missing method.

Your local types should look like this:

CLASS lsc_zcal_i_holiday_xxx DEFINITION INHERITING FROM cl_abap_behavior_saver.

  PROTECTED SECTION.

    METHODS save_modified REDEFINITION.

ENDCLASS.

CLASS lsc_zcal_i_holiday_xxx IMPLEMENTATION.

  METHOD save_modified.
  zcl_bc_transport_api_f_xxx=>get_transport_api( use_table_scomp_transport = abap_false )->transport(
      table_entity_relations = VALUE #( ( table = 'ZCAL_HOLIDAY_XXX'    entity = 'HOLIDAYROOT' )
                                        ( table = 'ZCAL_HOLITXT_XXX'    entity = 'HOLIDAYTEXT' ) )
      create                 = REF #( create )
      update                 = REF #( update )
      delete                 = REF #( delete )
  ).
  ENDMETHOD.

ENDCLASS.

CLASS lhc_holidaytext DEFINITION INHERITING FROM cl_abap_behavior_handler.

  PRIVATE SECTION.

    METHODS val_transport FOR VALIDATE ON SAVE
      IMPORTING keys FOR HolidayText~val_transport.

ENDCLASS.

CLASS lhc_holidaytext IMPLEMENTATION.

  METHOD val_transport.
    DATA create TYPE TABLE FOR CREATE zcal_i_holidaytxt_xxx.
    zcl_bc_transport_api_f_xxx=>get_transport_api( use_table_scomp_transport = abap_false )->validate(
        table_entity_relation = VALUE #( table = 'ZCAL_HOLITXT_XXX' entity = 'HOLIDAYTEXT' )
        keys                  = REF #( keys )
        reported              = REF #( reported )
        failed                = REF #( failed )
        create                = REF #( create )
    ).
  ENDMETHOD.

ENDCLASS.

CLASS lhc_HolidayRoot DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.

   CONSTANTS:
    BEGIN OF config_code,
      valid    TYPE config_deprecation_code VALUE '',
      obsolete TYPE config_deprecation_code VALUE 'W',
      not_valid TYPE config_deprecation_code VALUE 'E',
    END OF config_code.

    METHODS get_instance_features FOR INSTANCE FEATURES
      IMPORTING keys REQUEST requested_features FOR HolidayRoot RESULT result.
    METHODS val_transport FOR VALIDATE ON SAVE
      IMPORTING keys FOR holidayroot~val_transport.
    METHODS deprecate FOR MODIFY
      IMPORTING keys FOR ACTION holidayroot~deprecate RESULT result.
    METHODS get_global_features FOR GLOBAL FEATURES
      IMPORTING REQUEST requested_features FOR holidayroot RESULT result.
    METHODS get_global_authorizations FOR GLOBAL AUTHORIZATION
      IMPORTING REQUEST requested_authorizations FOR holidayroot RESULT result.

ENDCLASS.

CLASS lhc_HolidayRoot IMPLEMENTATION.

  METHOD get_instance_features.
  READ ENTITIES OF zcal_i_holiday_xxx IN LOCAL MODE
  ENTITY HolidayRoot
    FIELDS ( configdeprecationcode ) WITH CORRESPONDING #( keys )
  RESULT DATA(holidays)
  FAILED failed.

  result =
    VALUE #(
      FOR holiday IN holidays
        LET deprecate =  COND #( WHEN holiday-configdeprecationcode = config_code-valid
                                  THEN if_abap_behv=>fc-o-enabled
                                  ELSE if_abap_behv=>fc-o-disabled  )
        IN
          ( %tky                 = holiday-%tky
            %action-deprecate = deprecate
           ) ).
  ENDMETHOD.

  METHOD val_transport.
    DATA create TYPE TABLE FOR CREATE zcal_i_holiday_xxx.
    zcl_bc_transport_api_f_xxx=>get_transport_api( use_table_scomp_transport = abap_false )->validate(
        table_entity_relation = VALUE #( table = 'ZCAL_HOLIDAY_XXX' entity = 'HOLIDAYROOT' )
        keys                  = REF #( keys )
        reported              = REF #( reported )
        failed                = REF #( failed )
        create                = REF #( create )
    ).
  ENDMETHOD.

  METHOD deprecate.
   MODIFY ENTITIES OF zcal_i_holiday_xxx IN LOCAL MODE
  ENTITY HolidayRoot
     UPDATE
       FIELDS ( configdeprecationcode )
       WITH VALUE #( FOR key IN keys
                       ( %tky         = key-%tky
                         configdeprecationcode = config_code-obsolete ) )
  FAILED failed
  REPORTED reported.

  READ ENTITIES OF zcal_i_holiday_xxx IN LOCAL MODE
    ENTITY HolidayRoot
      ALL FIELDS WITH CORRESPONDING #( keys )
    RESULT DATA(holidays).

  result = VALUE #( FOR holiday IN holidays
                      ( %tky   = holiday-%tky
                        %param = holiday ) ).
  ENDMETHOD.

  METHOD get_global_features.
     result = VALUE #( %delete = if_abap_behv=>fc-o-disabled ).
  ENDMETHOD.

  METHOD get_global_authorizations.
     zcl_bc_transport_api_f_xxx=>get_bc_authorization( )->get_global_authorization(
         cds_view_name = 'ZCAL_I_HOLIDAY_XXX'
         result        = REF #( result ) ).
  ENDMETHOD.

ENDCLASS.

Save. Activation not yet possible.
In the project explorer, right click on Interfaces and select New > ABAP Interface.
Create a new ABAP interface:
- Name: ZIF_BC_AUTHORIZATION_XXX
- Description: Authorization interface
Click Next >.
Click Finish.

Replace your code with following:

INTERFACE zif_bc_authorization_xxx
  PUBLIC .
  METHODS
    get_global_authorization
      IMPORTING
        cds_view_name TYPE tabname
        result       TYPE REF TO data.
ENDINTERFACE.

Save and activate the interface.

Open class ZCL_BC_TRANSPORT_API_F_XXX and add new method get_bc_authorization.

CLASS ZCL_BC_TRANSPORT_API_F_XXX DEFINITION PUBLIC FINAL CREATE PUBLIC
   GLOBAL FRIENDS zth_bc_injector_xxx.
  PUBLIC SECTION.
    CLASS-METHODS get_transport_api
      IMPORTING
        client_field    TYPE string DEFAULT 'CLIENT'
        use_table_scomp_transport type abap_bool DEFAULT abap_false
      RETURNING
        VALUE(result) TYPE REF TO zif_bc_transport_api_xxx.
    CLASS-METHODS get_bc_authorization
      RETURNING VALUE(result) TYPE REF TO zif_bc_authorization_xxx.
  PRIVATE SECTION.
    CLASS-DATA transport_api TYPE REF TO zif_bc_transport_api_xxx.
    CLASS-DATA bc_authorization TYPE REF TO zif_bc_authorization_xxx.
ENDCLASS.

CLASS ZCL_BC_TRANSPORT_API_F_XXX IMPLEMENTATION.

  METHOD GET_BC_AUTHORIZATION.
    IF bc_authorization IS BOUND.
      result = bc_authorization.
    ELSE.
      result = NEW zcl_bc_authorization_xxx( ).
    ENDIF.
  ENDMETHOD.

  METHOD get_transport_api.
    IF transport_api IS BOUND.
      result = transport_api.
    ELSE.
      result = NEW zcl_bc_transport_api_xxx(
        client_field        = client_field
        use_table_scomp_transport = use_table_scomp_transport
      ).
    ENDIF.
  ENDMETHOD.
ENDCLASS.

Save. Activation yet not possible.
Right-click on Classes and select New > ABAP Class.
Create a new ABAP class:
- Name: ZCL_BC_AUTHORIZATION_XXX
- Description: Class for authorization
Click Next >.
Click Finish.

Replace your code with following:

CLASS zcl_bc_authorization_xxx DEFINITION
  PUBLIC
  FINAL
  CREATE PROTECTED GLOBAL FRIENDS zcl_bc_transport_api_f_xxx.

  PUBLIC SECTION.

    INTERFACES zif_bc_authorization_xxx .
  PROTECTED SECTION.
  PRIVATE SECTION.
ENDCLASS.

CLASS zcl_bc_authorization_xxx IMPLEMENTATION.

  METHOD zif_bc_authorization_xxx~get_global_authorization.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM' ID 'TABLE' FIELD cds_view_name ID 'ACTVT' FIELD '02'.
    DATA(is_authorized) = COND #( WHEN sy-subrc = 0 THEN if_abap_behv=>auth-allowed
                                  ELSE if_abap_behv=>auth-unauthorized ).
    ASSIGN result->* TO FIELD-SYMBOL(<result_structure>).
    ASSIGN COMPONENT cl_abap_behv=>co_techfield_name-create OF STRUCTURE <result_structure> TO FIELD-SYMBOL(<comp>).
    IF sy-subrc = 0.
      <comp> = is_authorized.
    ENDIF.
    ASSIGN COMPONENT cl_abap_behv=>co_techfield_name-update OF STRUCTURE <result_structure> TO <comp>.
    IF sy-subrc = 0.
      <comp> = is_authorized.
    ENDIF.
    ASSIGN COMPONENT cl_abap_behv=>co_techfield_name-delete OF STRUCTURE <result_structure> TO <comp>.
    IF sy-subrc = 0.
      <comp> = is_authorized.
    ENDIF.
    ASSIGN COMPONENT cl_abap_behv=>co_techfield_name-action OF STRUCTURE <result_structure> TO FIELD-SYMBOL(<action_comp>).
    IF sy-subrc = 0.
      DATA comp TYPE i.
      DO.
        comp += 1.
        ASSIGN COMPONENT comp OF STRUCTURE <action_comp> TO <comp>.
        IF sy-subrc = 0.
          <comp> = is_authorized.
        ELSE.
          EXIT.
        ENDIF.
      ENDDO.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

Save and activate all inactive objects.

Edit class ZTH_BC_INJECTOR_XXX.

CLASS zth_bc_injector_xxx DEFINITION
  PUBLIC
  FINAL
  FOR TESTING
  CREATE PUBLIC .

  PUBLIC SECTION.
    CLASS-METHODS set_transport_api IMPORTING transport_api TYPE REF TO zif_bc_transport_api_xxx.
    CLASS-METHODS set_bc_auth      IMPORTING bc_auth      TYPE REF TO zif_bc_authorization_xxx.
  PROTECTED SECTION.
  PRIVATE SECTION.
ENDCLASS.

CLASS zth_bc_injector_xxx IMPLEMENTATION.
  METHOD set_bc_auth.
    zcl_bc_transport_api_f_xxx=>bc_authorization = bc_auth.
  ENDMETHOD.

  METHOD set_transport_api.
    zcl_bc_transport_api_f_xxx=>transport_api = transport_api.
  ENDMETHOD.
ENDCLASS.

Save and activate
Restart your app, try to create a new configuration entry. You will get the error message You are not authorized for this modification.
Edit your previously created IAM app. Add Change for ACTVT of Authorization Object S_TABU_NAM and save.
Logout from Fiori Launchpad if you are using the Maintain Business Configurations app or close & re-open your ADT project if you are using the preview of the service binding. Try to create a new configuration entry. You are once again authorized to create a new configuration entry.