
UME authorization on object level

Former Member

Hi,

I understand the concept of roles / actions / permissions in the UME, but this only means you have a permission or you don't have a permission.

What if (and that's the common case in my mind) I need object level permissions, like I have a hierarchy of application objects and the user only should have access to a branch of the object tree?

Is the application developer supposed to implement this solely himself or does UME support such scenarios when it comes to "how do I setup those permissions?" and "where are those permissions stored?" or in other words: Do I have to create a configuration UI in the application and store the permission data in our own database tables with saving the user id?

Regards

Bruno

Accepted Solutions (1)


Former Member

Bruno,

Take a look at com.sap.security.api.acl.* -- it contains necessary APIs backed with corresponding implementation for managing ACLs and verifying instance-based permissions.

Sure, this is only basic ACL stuff; the following tasks should be carried out by the developer:

1. Invoking permissions checks in business methods.

2. Applying security to search-like operations (finders, relation traversal) on business objects (i.e. the search result does not contain objects for which the user does not have at least "read" permission)

3. UI for maintaining your own permissions hierarchy and manipulating ACL entries

All this stuff (and much more) is already implemented within the CAF framework; search the corresponding SDN section(s).

Regards,

VS

P.S. I'm not sure exactly, but it seems that the "roles/actions/permissions" model and the ACL model are completely disconnected. For example, permissions from the first model have nothing to do with permissions defined in the ACL manager. The only thing they have in common is that both work against the same UME principals. It seems that both were designed by separate architects who have no way to contact each other << END_OF_RANT

Former Member

Thanks Valery,

I already found this package before; it didn't make a whole lot of sense to me and there is no documentation except the Javadoc, but I guess that's the route to go down.

Answers (2)


Former Member

Hi Bruno,

I was just looking for the same topic - did you by now find out whether UME provides such a feature or not?

Regards,

Harald

Former Member

Hi Bruno,

To give object level permissions,

0. Include the security API in your Java build path:

com.sap.security.api.jar

1. You need to create a permission class which extends NamePermission for each object, e.g. button B1. Have a permission class for button B1 in any package.

2. Create the UI elements and bind the visibility property to a context attribute so that you can set the property at run time.

3. Get the user information in your view as follows:

import com.sap.tc.webdynpro.services.sal.um.api.IWDClientUser;
import com.sap.tc.webdynpro.services.sal.um.api.WDClientUser;
import com.sap.tc.webdynpro.services.sal.um.api.WDUMException;

IWDClientUser user = null;
try {
    user = WDClientUser.getCurrentUser();
} catch (WDUMException e) {
    // Report the failure instead of silently discarding it; user stays null
    // and the permission check below must treat that as "not allowed".
    wdComponentAPI.getMessageManager().reportException(e.getLocalizedMessage(), false);
}

4. Now check whether the user has the permission as follows:

import com.sap.tc.webdynpro.progmodel.api.WDVisibility;

// Deny by default: the button is hidden unless the user holds the permission
if (user != null && user.hasPermission(new ButtonB1("But1View"))) {
    but1.setVisible(WDVisibility.VISIBLE);
} else {
    but1.setVisible(WDVisibility.NONE);
}

5. Now create an XML file with the permission as follows:

<!-- $Id: //shared_tc/com.sapall.security/630_VAL_REL/src/_deploy/dist/configuration/shared/UMErole.xml#3 $ -->
<BUSINESSSERVICE NAME="TEMP">
    <DESCRIPTION LOCALE="en" VALUE="Access Management Engine"/>
    <!-- Business Service Actions -->
    <ACTION NAME="But1_Admin">
        <DESCRIPTION LOCALE="en" VALUE="Button 1 Permission"/>
        <PERMISSION CLASS="temp.authorization.perm.ButtonB1" NAME="But1View" VALUE="*"/>
    </ACTION>
</BUSINESSSERVICE>

6. Deploy the XML file in the Visual Administrator under services/Configuration Adapter/cluster-data/server/persistent/com.sap.security.core.ume.service

7. Restart the J2EE Engine.

8. Log on to the UME and try creating a role. There you can see the action you created in the XML file.

Assign the action to the role and assign the role to the user.

9. Now only those users to whom the role you created is assigned will be able to see the button.

Regards,

NagaKishore
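The procedure above, pulled together as one complete added example (not code from the original post, from SAP, or from the CAF framework). It uses the package, class and permission name from the thread (temp.authorization.perm.ButtonB1, But1View). Two things are assumptions: that NamePermission offers both a (name) and a (name, actions) constructor, the second being what UME needs to instantiate the permission from the NAME and VALUE attributes of the actions file, and that the UME principal behind the Web Dynpro user is reached through IWDClientUser.getSAPUser(). The helper class ButtonGuard is hypothetical, and it goes beyond the post in one respect: the same check is also applied inside the action handler, because hiding a button is a UI convenience, not an authorization boundary.

```java
// Added example, not from the original post or SAP's own code.
// Package, class and permission names follow the thread; see the lead-in for assumptions.
package temp.authorization.perm;

import java.security.Permission;

import com.sap.security.api.IUser;
import com.sap.security.api.permissions.NamePermission;
import com.sap.tc.webdynpro.progmodel.api.WDVisibility;
import com.sap.tc.webdynpro.services.sal.um.api.IWDClientUser;
import com.sap.tc.webdynpro.services.sal.um.api.WDClientUser;
import com.sap.tc.webdynpro.services.sal.um.api.WDUMException;

/**
 * One permission class per protected UI object (here button B1).
 * The actions file refers to it by fully qualified class name and
 * supplies NAME="But1View" and VALUE="*".
 */
public class ButtonB1 extends NamePermission {

    /** Used from application code: new ButtonB1("But1View"). */
    public ButtonB1(String name) {
        super(name);
    }

    /**
     * Assumption: UME instantiates the permission from the actions file
     * with (NAME, VALUE), so the two-argument constructor must exist.
     */
    public ButtonB1(String name, String actions) {
        super(name, actions);
    }
}

/**
 * Hypothetical view-side helper: deny by default and never run the
 * check on a null user. Reusable for any NamePermission subclass, so
 * one helper serves every protected button rather than one per button.
 */
class ButtonGuard {

    /** True only when the current user holds the required permission. */
    static boolean isAllowed(Permission required) {
        IWDClientUser clientUser;
        try {
            clientUser = WDClientUser.getCurrentUser();
        } catch (WDUMException e) {
            return false;   // no user context: treat as anonymous, not as allowed
        }
        // Assumption: the UME principal is reached via getSAPUser();
        // IUser.hasPermission(java.security.Permission) is the UME check.
        IUser sapUser = clientUser.getSAPUser();
        return sapUser != null && sapUser.hasPermission(required);
    }

    /** Visibility to bind to the button: VISIBLE when allowed, NONE otherwise. */
    static WDVisibility visibilityFor(Permission required) {
        return isAllowed(required) ? WDVisibility.VISIBLE : WDVisibility.NONE;
    }

    /**
     * For the action handler: a hidden button can still be triggered by a
     * crafted request, so the server-side handler must re-check.
     */
    static void requireAllowed(Permission required) {
        if (!isAllowed(required)) {
            throw new SecurityException("missing permission " + required.getName());
        }
    }
}

/*
 * Usage in the view (wdDoModifyView and the action handler):
 *
 *   but1.setVisible(ButtonGuard.visibilityFor(new ButtonB1("But1View")));
 *
 *   public void onActionBut1(IWDCustomEvent wdEvent) {
 *       ButtonGuard.requireAllowed(new ButtonB1("But1View"));
 *       // ... the actual work ...
 *   }
 */
```

Note that the class name in the PERMISSION element must match the deployed class exactly, and that the UME only resolves the permission after the actions file has been deployed and the engine restarted; until then hasPermission returns false for every user, which is the safe failure mode of this helper.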