- SAP Managed Tags
Hello SAP Community,
Today, I faced a requirement to enable authorization checks for specific fields in the standard application for the Plant Maintenance (PM) module Change Maintenance Notification. This application is a Web Dynpro component (Technical Component ID: EAMS_WDA_ORDNTF_OIF).
The issue is that the search value help for the fields "Work Center" and "Work Center Plant" is not restricted by any authorization objects, unlike in the standard application Find Maintenance Notification (App ID: F2071).
The goal is to implement the same authorization check logic to ensure consistency across applications.
Let's begin by examining the working application.
When we trace the selection field "Main Work Center":
No open inspect elements (Network tab) via F12 then CTRL + L (Clear Network Log)
Then press Go button
We found the main entity set C_ObjPgMaintNotification very nice this is CDS view 🙂
Now lets find binding infos of our field Main Work Center
Press CTRL+SHIFT+ALT+S
Search for MainWorkCenterPlant in the CDS view C_ObjPgMaintNotification
Then navigate to its association _MaintNotificationTP it opens the CDS view I_MaintNotificationTP then navigate to the field _MainWorkCener and so on untill you end up in the CDS view I_MaintenanceNotification that contains the association _MainWorkCenter originally I_WorkCenter
Open I_WorkCenter CDS view we find the annotation @AccessControl.authorizationCheck:#CHECK which means there is and AccessControl entity with the same name 🙂
@EndUserText.label: 'Auto assigned mapping role for I_WorkCenter'
@MappingRole: true
define role I_WorkCenter {
grant select on I_WorkCenter
where ( Plant ) =
aspect pfcg_auth ( C_ARPL_WRK,
werks,
actvt = '03' )
and ( WorkCenterCategoryCode ) =
aspect pfcg_auth ( C_ARPL_ART,
ap_art );
}
Now, We will use these 3 auth objects in our custom code.
Additionally, we should handle the validation of these 2 fields upon manual inputs & save action
Right click on field Work Center => select Technical Help.
This dialog opens
Now click on Views & View Elements Tab
You'll find it marking our field in side panel => Scroll Down to VALUE_HELP property
Now Open this Search value jelp from SE11
We found our Search Help Exit where we can add implicit enhancement at end of function as follows:
Right click anywhere and Show Implicit Enhancement Options
Just Click on line 65 and Create enhancement from toolbar and select Declaration Mode from popup
Write Name for your Enhancement
Then write the logic as follows:
ENHANCEMENT 1 ZPM_WORK_CENTER_F4_ENH. "active version
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(3) Function Module /PLMB/SPI_SHLP_F4IF_GEN_EXIT, End, Enhancement ZPM_WORK_CENTER_F4_ENH, Start A
*data record_tab_temp type table of SEAHLPRES.
DATA record_tab_temp LIKE TABLE OF record_tab.
DATA lv_plant TYPE char4.
DATA lv_work_center TYPE char8.
DATA lv_art TYPE ap_verwe.
*this search value name EAMS_SHLP_H_T001W => is for Work Center Plant
*this search value name EAMS_SHLP_CRAMN_ARBPL => is for work center
IF shlp-shlpname = 'EAMS_SHLP_CRAMN_ARBPL'.
LOOP AT record_tab ASSIGNING FIELD-SYMBOL(<fs>).
lv_plant = <fs>-string(4).
lv_work_center = <fs>-string+4(8).
AUTHORITY-CHECK OBJECT 'C_ARPL_WRK'
ID 'WERKS' FIELD lv_plant
ID 'ACTVT' FIELD '03'.
DATA(valid_WERKS) = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
* read lv_art from CRHD
SELECT SINGLE verwe FROM crhd INTO lv_art WHERE begda LE sy-datum AND endda GE sy-datum AND werks = lv_plant AND arbpl = lv_work_center.
AUTHORITY-CHECK OBJECT 'C_ARPL_ART'
ID 'AP_ART' FIELD lv_art.
DATA(valid_category) = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
AUTHORITY-CHECK OBJECT 'C_AFVG_APL'
id 'WERKS' field lv_plant "PLANT
ID 'ARBPL' FIELD lv_work_center "WORK CENTER
* ID 'PS_ACTVT' FIELD '03'
.
DATA(valid_WORK_CENTER) = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
IF valid_category = abap_true AND valid_WERKS = abap_true AND valid_WORK_CENTER = abap_true.
APPEND <fs> TO record_tab_temp.
ENDIF.
CLEAR: lv_work_center, lv_plant.
ENDLOOP.
REFRESH: record_tab.
APPEND LINES OF record_tab_temp TO record_tab.
ELSEIF shlp-shlpname = 'EAMS_SHLP_H_T001W'.
LOOP AT record_tab ASSIGNING <fs>.
lv_plant = <fs>-string+20(4).
* lv_work_center = <fs>-string+4(8).
AUTHORITY-CHECK OBJECT 'C_ARPL_WRK'
ID 'WERKS' FIELD lv_plant
ID 'ACTVT' FIELD '03'.
valid_WERKS = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
** read lv_art from CRHD
* SELECT SINGLE verwe FROM crhd INTO lv_art WHERE begda LE sy-datum AND endda GE sy-datum AND werks = lv_plant AND arbpl = lv_work_center.
* AUTHORITY-CHECK OBJECT 'C_ARPL_ART'
* ID 'AP_ART' FIELD lv_art.
* valid_category = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
* IF valid_category = abap_true AND valid_WERKS = abap_true.
IF valid_WERKS = abap_true.
APPEND <fs> TO record_tab_temp.
ENDIF.
CLEAR: lv_work_center, lv_plant.
ENDLOOP.
REFRESH: record_tab.
APPEND LINES OF record_tab_temp TO record_tab.
ENDIF.
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(4) Function Module /PLMB/SPI_SHLP_F4IF_GEN_EXIT, End, Enhancement ZPM_WORK_CENTER_F4_ENH, End A
ENDENHANCEMENT.
ongratulations you managed to view the proper values according to authorization objects 🙂 !
Now we need to add the authority check also to the validation on field Work Center; fortunately we have standard validation in entered value and when we enter any non existing value it triggers below error!
Greaaat; lets use this message to trace
We found 3 possible messages:
Message Class | Message Number |
CNV_PE_S4 | 036 |
CR | 081 |
RM | 818 |
We have FM HTTP_DISPATCH_REQUEST As general FM opens in beginning of request coming from webdynbro app
to set watchpoints on.
Or just trying to dig more and check the save action implementation; Right click on save button and press Technical Help option then navigate to Component configuration (Current WD component/View)
Now open development object /PLMU/WDC_FRW_APPL_CNTRL from se80
You find the assistant class assigned /PLMU/WDC_FRW_APPL_CNTRL_ASSIST
Navigate to methods > CHECK_BEFORE_SAVE
Now you can set an external breakpoint then enter wrong value and press enter ; the debugger opens
Now set watchpoints of our messages as below
F8 (Execute)
Here you go
The FM CR_WORKSTATION_CHECK to be enhanced (put implicit enhancement at most end) The same logic used in previous f4 enhancement
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$"$\SE:(1) Function Module CR_WORKSTATION_CHECK, End A
*$*$-Start: (1)---------------------------------------------------------------------------------$*$*
ENHANCEMENT 1 ZPM_WORKCENTER_AUTH_ENH. "active version
*
DATA lv_art TYPE ap_verwe.
AUTHORITY-CHECK OBJECT 'C_ARPL_WRK'
ID 'WERKS' FIELD werks
ID 'ACTVT' FIELD '03'.
DATA(valid_WERKS) = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
* read lv_art from CRHD
SELECT SINGLE verwe FROM crhd INTO lv_art WHERE begda LE sy-datum AND endda GE sy-datum AND werks = werks AND arbpl = arbpl.
AUTHORITY-CHECK OBJECT 'C_ARPL_ART'
ID 'AP_ART' FIELD lv_art.
DATA(valid_category) = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
AUTHORITY-CHECK OBJECT 'C_AFVG_APL'
ID 'WERKS' FIELD werks "PLANT
ID 'ARBPL' FIELD arbpl "WORK CENTER
* ID 'PS_ACTVT' FIELD '03'
.
DATA(valid_WORK_CENTER) = COND #( WHEN sy-subrc = 0 THEN abap_true ELSE abap_false ).
IF valid_category = abap_false OR valid_WERKS = abap_false OR valid_WORK_CENTER = abap_false.
MESSAGE ID 'ZFIORI' TYPE msgty NUMBER 005
WITH arbpl werks RAISING not_found.
ENDIF.
ENDENHANCEMENT.
Dont forget to add/ create the message to your message class via SE91
Congratulations validation works now on save action or manual entry 🙂
Please feel free to add any observations / recommendations.
Regards,
Abdelrahman Zaki
| User | Count |
|---|---|
| 6 | |
| 5 | |
| 5 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 |
