cancel
Showing results for 
Search instead for 
Did you mean: 

RAP: Instance authorization on create

ArneVH
Explorer
0 Kudos

Hi all,


Was wondering if anyone knows the best-practice way to implement instance authorization on create in the RAP-framework?
The documentation explicitly mentions create is not provided as there is no instance at create (yet). However there are still authorization checks we would like to do in our case...

For example: 'user not allowed to create item under this specific project because s/he is not assigned to this project'.

This can be implemented with validations/prechecks, which is what we're doing right now, but then the next question becomes why implement any instance authorization, and not simply everything with validations??

Kr,
Arne

Accepted Solutions (1)

Accepted Solutions (1)

Renzo
Advisor
Advisor
0 Kudos

There is a difference between "create" on root level or "create by association / composition", e.g. to create items under a specific project.

The latter is an instance-related operation and here also standard instance authorization and feature control is in place. You can find these create-operations in the %assoc component of the handler signature.

"create" on root is not an instance-operation, therefore here only global authorization and feature control is in place which is sufficient if a user does not have any authorization to manage a project at all. Instance-related checks based on the provided data (e.g. project type) can be done e.g. in the "precheck" or as part of the application logic (determination on modify to evaluate and validation to reject the save and issue messages).

ArneVH
Explorer
0 Kudos

Must've missed this somewhere, thanks!

ArneVH
Explorer
0 Kudos

Hi Renzo,

Upon further testing with the above mentioned solution I stumbled upon the problem that instance authorization on create for a child-node 2 deep is not possible?

We have: project (root) -> project customer -> project customer contact person

Both project customer and project customer contact person are authorization dependent by project

Upon create of a project customer contact person we do indeed go through the instance authorization of project, however in the result table we have no parameter for contact person under the %assoc parameter??

How should we indicate that the create is allowed/not allowed specifically for this child of a child??

Thanks!

Arne

Renzo
Advisor
Advisor
0 Kudos

Your observation is right. For entities that are "authorization dependent" all operations on these entities (that is create of sub-entities, update or delete and also actions if "authorization:update" is stated) are delegated to the authorization master's "update" operation. If you have specific (and usually more restrictive) authorization checks on sub-entity level you need to specify the related entity as "authorization master". This is a feature that may not yet be available in ABAP Cloud depending on your environment and behavior definition implementation type. If really intended you can help yourself with a "precheck" on the related create by composition-operation.

Answers (0)