
Authorization object for POST Service

jiteshmehta
Active Contributor

Dear Experts

We have a scenario where we have two kinds of service:

POST service, which updates data in SAP (Create operation in Gateway)

Other read service, which only reads data from SAP (GetEntity (Read) or GetEntity (Query))

We need to restrict set of users who will have only POST service Authorization.

We tried using a Z authorization object, which is maintained for POST service users with activity 10 (POST), and coding AUTHORITY-CHECK OBJECT in the POST service.

But it is not working. Users who do not have the POST service authorization are still able to access and post (Create) data in SAP.

Any ideas on what is going wrong or how we can achieve the requirement?

Regards

Jitesh

Accepted Solutions (0)

Answers (1)

kammaje_cis
Active Contributor

Jitesh,

Before answering the actual question,

Creating two services for two operations is very inefficient and unnecessary. You would basically have the same entity and can perform all operations on the same entity within the same service.

Coming to authorization,

The authorization check needs to be done by the ABAP code in the *DPC_EXT class's methods. If you want to restrict POST, then you would do this in the *CREATE_ENTITY method.

Regards

Krishna
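The pattern Krishna describes, as an added example that is not code from the thread: a *CREATE_ENTITY redefinition in the DPC_EXT class that fails closed on AUTHORITY-CHECK before any update runs. The entity set name PurchaseOrderSet, the MPC type ZCL_ZPO_MPC=>TS_PURCHASEORDER, and the object Z_POST_SVC with field ACTVT and value 10 are assumptions based on the question (the post only says "activity 10 POST").

```abap
METHOD purchaseorderset_create_entity.
  " Assumed names (not from the thread): entity set PurchaseOrderSet,
  " MPC type ZCL_ZPO_MPC=>TS_PURCHASEORDER, authorization object Z_POST_SVC
  " with field ACTVT, where activity 10 stands for POST.
  DATA: ls_request       TYPE zcl_zpo_mpc=>ts_purchaseorder,
        lo_msg_container TYPE REF TO /iwbep/if_message_container.

  " Gateway only dispatches the request to this method; it performs no
  " business authorization check of its own. The check must sit here,
  " before any BAPI call or table update, and must stop the method.
  AUTHORITY-CHECK OBJECT 'Z_POST_SVC'
    ID 'ACTVT' FIELD '10'.
  IF sy-subrc <> 0.
    " A breakpoint on this line shows whether the check is reached at all
    " and what sy-subrc the user actually gets.
    lo_msg_container = me->/iwbep/if_mgw_conv_srv_runtime~get_message_container( ).
    lo_msg_container->add_message_text_only(
      EXPORTING
        iv_msg_type = /iwbep/cl_cos_logger=>error
        iv_msg_text = |User { sy-uname } is not authorized to POST| ).
    " The business exception is returned to the client as an OData error
    " response; nothing after this point executes, so no data is written.
    RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
      EXPORTING
        message_container = lo_msg_container.
  ENDIF.

  " Authorized: read the request payload and perform the create.
  io_data_provider->read_entry_data( IMPORTING es_data = ls_request ).
  " ... call the update BAPI or modify the Z table here (omitted) ...
  er_entity = ls_request.
ENDMETHOD.
```

If the check is reached but sy-subrc is 0 for a user who should be blocked, transaction SU53 for that user (or an authorization trace) shows which role or profile grants Z_POST_SVC, which is the case Krishna's later reply points to.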

jiteshmehta
Active Contributor

Thank you Krishna for your quick response

We are not creating two services for one purpose; the business purpose is different for these two services.

We can say one is creating a purchase order or updating a Z table, and another is to read material data.

Regarding the authorization part, we have included the auth object in the *CREATE_ENTITY method.

Still it is not working; users who do not have the authorization object assigned are also able to post data.

Regards

Jitesh

aakash_neelaperumal2
Active Participant

Jitesh,

Are you saying that the users who don't have access to POST also get a pass in the authority check statement? If so, there should be something wrong with the authorization object setup. Please confirm.

kammaje_cis
Active Contributor

Jitesh,

The first step is to put a debug point and ensure that this statement is actually getting hit. If it is getting hit, then this is a pure ABAP and security question.

If it is not failing for users who are not supposed to run it, that means the users actually have the authorization.

Check roles and profiles of the user.