Using BAPI for authorisation check

Former Member

Dear experts,

I am looking for your advice on how to check whether a user has access to a business object or not. I am using a BAPI to access a Business Partner ID from the CRM system. Subsequently I am building the URL to display the Business Partner by passing crm-object-type (BP_ACCOUNT), crm-object-action (B), crm-object-value, crm-object-keyname and the saprole. However, not every user may have access to the BP_ACCOUNT by calling the function B (display). For example, the user with a profile SRV-Pro may execute the operation B on BP_ACCOUNT (step 1 in this [blog|http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/7467] [original link is broken]). Do you have any ideas how I can perform an authorisation check by use of a BAPI?

Kind regards

Nicolai

1 ACCEPTED SOLUTION

Former Member

You can use RFC function module AUTHORITY_CHECK for general authorization checks (I'm not aware that there's a BAPI)...

21 REPLIES

martin_voros
Active Contributor
Hi,

I am not sure if I understand what you want to achieve, but you can check the ABAP statement AUTHORITY-CHECK with the addition FOR USER, which gives you a way of testing authorization for a different user. So if you use some RFC user to get the BP partner, then you can write your own wrapper where you pass the user name to perform the authorization check first.

Cheers

Hi Martin, thanks for the answer.

I am using JCo to create a connection to CRM. That's why I am looking for BAPIs to perform this authorisation check. I intend to develop a kind of Java-based search engine for Business Partners in CRM. The user enters a search query and the search engine should display the search results based on the user's authorisation check.

Please share your thoughts

Hi,

You can develop your own BAPI and implement your own authorization checks there. Some BAPIs from SAP perform authorization checks (e.g. BAPI_USER_GET_DETAIL). The only problem I can see is that usually there is a special user assigned to the RFC connection which usually has broader authorizations. Hence I proposed that you implement your own BAPI with an extra input parameter username and use this user name to check authorization. If you do it this way, then you just need to ensure in your Java application that the user can't influence this parameter and that it is always set to his user name.

Cheers
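Martin's proposal above, as an added example that is not code from the thread: a remote-enabled function module that takes the end user's name as an extra parameter and filters a list of candidate business partners with AUTHORITY-CHECK ... FOR USER against the authorization object B_BUPA_RLT (one of the B_BUPA_* objects mentioned later in the thread). The function name, the ZTT_BP_ROLE/ZST_BP_ROLE table and structure types, and the choice of B_BUPA_RLT as the only object checked are assumptions; the objects SU24 lists for transaction BP may require further checks.

```abap
FUNCTION z_bp_filter_by_display_auth.
*"  IMPORTING
*"     VALUE(IV_USER) TYPE  SYUNAME
*"     VALUE(IT_CANDIDATES) TYPE  ZTT_BP_ROLE
*"  EXPORTING
*"     VALUE(ET_AUTHORIZED) TYPE  ZTT_BP_ROLE
*"  EXCEPTIONS
*"      NO_USER
* Assumed (hypothetical) DDIC objects: table type ZTT_BP_ROLE over structure
* ZST_BP_ROLE with fields PARTNER (BU_PARTNER) and RLTYP (BU_PARTNERROLE).
  TYPES: BEGIN OF ty_role_cache,
           rltyp TYPE bu_partnerrole,
           ok    TYPE abap_bool,
         END OF ty_role_cache.
  DATA: lt_cache TYPE SORTED TABLE OF ty_role_cache WITH UNIQUE KEY rltyp,
        ls_cache TYPE ty_role_cache,
        ls_cand  TYPE zst_bp_role.
  CLEAR et_authorized.
* Fail closed: no end-user name means no result, never a fallback to the
* RFC logon user's own (usually broad) authorizations.
  IF iv_user IS INITIAL.
    RAISE no_user.
  ENDIF.
  LOOP AT it_candidates INTO ls_cand.
    READ TABLE lt_cache INTO ls_cache WITH TABLE KEY rltyp = ls_cand-rltyp.
    IF sy-subrc <> 0.
*     Check B_BUPA_RLT once per role FOR USER the named end user (not the
*     RFC user). ACTVT '03' = display, i.e. crm-object-action B in the thread.
      AUTHORITY-CHECK OBJECT 'B_BUPA_RLT'
        ID 'RLTYP' FIELD ls_cand-rltyp
        ID 'ACTVT' FIELD '03'
        FOR USER iv_user.
      ls_cache-rltyp = ls_cand-rltyp.
*     Any non-zero sy-subrc (no authorization, no user master, ...) = denied.
      IF sy-subrc = 0.
        ls_cache-ok = abap_true.
      ELSE.
        ls_cache-ok = abap_false.
      ENDIF.
      INSERT ls_cache INTO TABLE lt_cache.
    ENDIF.
    IF ls_cache-ok = abap_true.
      APPEND ls_cand TO et_authorized.
    ENDIF.
  ENDLOOP.
ENDFUNCTION.
```

The module must be marked remote-enabled in SE37 so JCo can call it, and, as Martin notes, the Java caller has to fill IV_USER from its own authenticated session rather than from anything the user can type.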

Former Member

Is the BAPI called in the user's own context?

This is the best and safest option, particularly if you are constructing the http request based on the results of any checks. The user might change the parameters and then the checks need to be beyond the boundary of their influence.

Which BOR object is it?

Cheers,

Julius

Hi Julius,

The BOR object must be BUS1006 (Business Partner). So I want to check whether the user is authorised to display a Business Partner account or not. I want to use the FM "authority_check" by passing the user and an Authorisation Object for Business Partner (I do not know yet which Authorisation Object I can use for it).

Hi,

That business object calls transaction BP for some methods such as Display or Edit. You can see all related authorization objects for transaction BP in SU24. Basically, we are talking about methods B_BUPA_*.

Cheers

Hi Martin,

Where can I basically look up which business object calls which transaction?

Hi,

There is no easy way, or I don't know that way. I just read code. You can display a business object in SWO1. Usually there are methods which correspond to dialog steps used in workflow. So I spotted the methods Display and Edit and checked the source of these methods. If you have some basic debugging/code-reading skills, then it's not that hard to spot what is called.

Cheers

Before we go further here... we need to clarify which part of the call is in which user context...

When users call your URL, are the checks against the service user (you have added them as parameters...) or only used to further determine the response for the BP. In this case, your web-frontend components must take care of the security initially.

Is the caller themselves authenticated at any point in the WS call?

Martin has a "coding" view on it and I am uncertain about your authentication context. If you provide more details, it would be useful.

Cheers,

Julius

Hi Julius,

Here is my design:

1. The search engine logs on to the CRM system using a super user account and fetches some information about the Business Partner.

2. Subsequently, the search engine builds the URLs for each Business Partner after this pattern:

http://<serverhost>:<port>/sap/crm_logon/default.htm?crm-object-type=BP_ACCOUNT&crm-object-action=B&...

3. Before a user can input a query to search for a Business Partner he/she is prompted to provide the credentials (username and password) for the CRM.

4. These credentials are passed to the CRM. Using the credentials and an Authorisation Object I want to check which Business Partners the user is authorised to access. (For example, the user may be authorised to display only the Business Partners with a Business Role=EMPLOYEE). To perform this step I am looking for a BAPI.

5. Subsequently, the search engine provides as search results only the Business Partners the user is authorised to access.

6. By clicking on the URL the user can display a Business Partner in the Web UI.

I hope I could explain my design. Thanks for the help

Edited by: Nicolai Zaidman on Jun 1, 2010 10:13 PM

Edited by: Nicolai Zaidman on Jun 1, 2010 10:21 PM

Hi,

As far as I understand your design, if the WebUI performs authorization checks then it should be OK. If not, then your design is vulnerable to guessing: the attacker can guess a BP ID and display it without authorization. In that case I would suggest using a nonce to protect the generated URLs.

Cheers

WolfgangJanzen
Product and Topic Expert

> Hi Julius,
>
> here is my design:
>
> 1 the search engine logs on to the CRM system using a super user account and fetches some information about the Business Partner.

Well, that's where the trouble starts ...

Using a technical account which is authorized to access just any data is not an indicator for a good design.

> 3 Before a user can input a query to search for a Business Partner he/she is prompted to provide the credentials (username and password) for the CRM
>
> 4 These credentials are passed to the CRM. Using the credentials and an Authorisation Object I want to check which Business Partner the user is authorised to access. (For example, the user may be authorised to display only the Business Partner with a Business Role=EMPLOYEE). To perform this step I am looking for a BAPI

And that's the next issue ...

Prompting the user for credentials and passing them (unprotected?) on to other systems is not a good idea.

How can a user be sure that his credentials are not misused?

Hi Nicolai,

are you aware that there is a SAP standard solution which does exactly what you describe: SAP Enterprise Search. It connects to the different Back-end Systems, extracts the defined data and builds an index in Trex. When a user does a search, only the objects where the user has authorizations are returned.

What do you think will be the benefit of your external search engine? If you only need to search for CRM Business Partners, I think the users should be fine with the standard search in the CRM WebUI.

Best regards

Gregor

Hi Gregor,

I am aware of the SAP Enterprise Search. I have to implement a kind of search engine that can be used outside the SAP environment (JCo). I was looking for an API to pass the search queries to the SAP Enterprise Search from a Java program, but I did not find anything. Is there any chance to use the SAP Enterprise Search from e.g. a Java program (API?)

Thanks for the help

Best regards

Nicolai

Hi Nicolai,

if we are talking "Embedded Search" here - the part of SAP NetWeaver Enterprise Search included in AS ABAP - you will have trouble accessing from a Java environment, I suppose.

The actual product SAP NetWeaver Enterprise Search (has to be separately licenced), which collects and centralizes all your "Embedded Search" indexes from your business suite systems, offers REST APIs (OpenSearch) for both consumer and provider.

Best, Karsten

Hi Karsten,

Where can I find the description of the REST API to call the SAP NetWeaver Enterprise Search from a Java environment? I could not find anything on the internet...

thank you in advance

Nicolai

Hi Nicolai,

Unfortunately, on the page [Developing Applications That Consume Enterprise Search|http://help.sap.com/saphelp_nwes72/helpdata/EN/5b/8b5e48f6214767bea1c93be184b6c2/frameset.htm] there is only a link back to the SDN page http://www.sdn.sap.com/irj/sdn/nw-search where I'm not able to find the REST API documentation. Do you have a more concrete pointer?

Best regards

Gregor

Hi Gregor,

In this article (http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/70bce92e-d355-2d10-9993-890bb7b19381) there is some information about calling the OpenSearch interface from SharePoint. I suppose this is the REST API. Unfortunately, I could not find a more precise description of this API.

best regards

Nicolai

Edited by: Nicolai Zaidman on Jul 1, 2010 8:45 AM

A further helpful article on the OpenSearch API can be found here

http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/90ddc85f-f000-2d10-e4b8-b0b256ec9...

Best regards

Nicolai