Authorization Tests for FIORI Analytical Apps
Data security is a crucial aspect of any business process, and authorization tests are one of the methods we use to ensure it.
Authorization tests are among the most important tests for any application, and FIORI is no exception. The FIORI architecture is complex, with data flowing between SOH (SuiteOnHANA), HANA VDMs, XSOData and the FIORI Shell, so authorizations have to be tested at each level to ensure data security.
We carry out the authorization test for all three archetypes; in this blog I focus mainly on Type II: the Analytical Fiori archetype.
In this blog, I explain how authorization tests can be performed for Analytical Apps that use HANA VDMs to retrieve data.
1. List all the Query Views used in the Analytical App.
2. Ensure Analytics metadata is maintained for the respective Query Views.
Here, the Authorization Object has to be mapped to Field type (Attribute/Activity), Field Name (DataElement/Actvt), Activity Value (Display, Displaydates) and Attribute name (Field).
3. Two users are required, with specific roles in the HANA and backend test systems:
a. Authorization Granting User (e.g. USERA)
b. Test User (e.g. USERB)
Roles required in HANA system for USERA
Roles required in HANA system for USERB
- HANA repository roles for the app
- role sap.hba.apps.kpi.r.roles::SAP_SMART_BUSINESS_RUNTIME (if KPI framework is used)
4. Open the PFCG transaction in the backend test system and create a Z role with the Authorization Objects assigned to the Query View. Restrict the data as you choose, assign USERB to the role, perform the user comparison and generate the profile.
5. Open HANA Studio and generate Analytic Privileges (AP) for the Query View whose authorization we wish to restrict.
If the Analytics Authorization option for generating Analytic Privileges is not present in HANA Studio, install it from the link http://ld9408.wdf.sap.corp:8000/sap/hba/tools/auth
6. Once the AP is generated, a corresponding role is created and assigned to USERB, and the respective Analytic Privilege for the query is assigned to USERB.
Note: Please ensure the generated AP is present in the Role created.
7. Perform a data preview on the respective Query View as USERB, enter the required input parameters and check the raw data tab for the expected output.
8. Log in to the Fiori Launchpad as the same USERB, open the required Analytical App and check for the expected output, i.e. the same data viewed in step 7.
Both positive and negative checks can be performed by updating the Analytic Privileges.
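The comparison in steps 7 and 8 can be scripted once both outputs are exported. The following is an added example, not part of the original blog or of any SAP tool: the field names, sample rows and role restriction are constructed, and the OData v2 response shape (`d.results`) is an assumption about what the app's service returns.

```python
import csv
import io
import json
from collections import Counter

# Constructed sample data, both captured as USERB: a CSV export of the raw
# data tab (step 7) and the OData v2 JSON the app receives (step 8).
PREVIEW_CSV = "CompanyCode,CostCenter,Amount\n1000,CC01,250.00\n1000,CC02,99.50\n"
ODATA_JSON = json.dumps({"d": {"results": [
    {"__metadata": {"type": "demo.Row"}, "CompanyCode": "1000",
     "CostCenter": "CC01", "Amount": "250.00"},
    {"__metadata": {"type": "demo.Row"}, "CompanyCode": "1000",
     "CostCenter": "CC02", "Amount": "99.50"},
]}})

def rows_from_preview(text):
    """Parse the exported preview into a multiset of rows."""
    reader = csv.DictReader(io.StringIO(text))
    return Counter(tuple(sorted(row.items())) for row in reader)

def rows_from_odata(text):
    """Parse an OData v2 response, dropping the __metadata bookkeeping."""
    results = json.loads(text)["d"]["results"]
    return Counter(
        tuple(sorted((k, str(v)) for k, v in row.items() if k != "__metadata"))
        for row in results
    )

def check_authorization(preview, odata, allowed):
    """Return findings; an empty list means both layers honour the role."""
    findings = []
    # Every row at either layer must fall inside the PFCG restriction.
    for layer, rows in (("preview", preview), ("odata", odata)):
        for row in rows:
            record = dict(row)
            for field, values in allowed.items():
                if record.get(field) not in values:
                    findings.append(f"{layer}: unauthorized {field}={record.get(field)}")
    # The two layers must also return exactly the same rows.
    for row in preview - odata:
        findings.append(f"only in preview: {dict(row)}")
    for row in odata - preview:
        findings.append(f"only in odata: {dict(row)}")
    return findings

if __name__ == "__main__":
    allowed = {"CompanyCode": {"1000"}}  # hypothetical role restriction
    print(check_authorization(rows_from_preview(PREVIEW_CSV),
                              rows_from_odata(ODATA_JSON), allowed) or "PASS")
```

For a negative check, tighten `allowed` to match the updated Analytic Privilege and re-export both outputs; any row that still appears is reported per layer.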
I would like to conclude my blog with the note that authorization testing is one of the most crucial parts of functional testing. Most of the critical issues can be identified here, and we can ensure that data protection is not lost or hampered at any level.