JerryWang_SAP
Some considerations on user authorization when designing the SAP CRM order system


In S/4 there is a transaction code to trace authorization checks: STAUTHTRACE. The return codes shown in the trace mean:

(1) Return code 0: Authorization successful, or no check was carried out. An authorization for the authorization object was found in the user master record, and its value sets include the specified values.

(2) Return code 4: Authorization check not successful. One or more authorizations were found for the authorization object in the user master record and they include the value sets, but not the values specified; or incorrect authorization fields or too many fields were specified.

(3) Return code 12: No authorization was found for the authorization object in the user master record.

AGR_USERS: This table stores for a given user, what PFCG roles are assigned to it.

Z_FULL_AUTHORIZATION was created by Wade in X3C/504, but the authorization object (AO) was not created by him.

# Learning

(1) Fast Authorization check

(2) The existing authorization check is made by executing the function module CRM_ORDER_CHECK_AUTHORITY_GEN for each GUID.

(3) A user can be assigned to several organization units in the organizational model.

(4) Fast access: New RF class which selects GUIDs with a fast single access (can be used only by the most common queries)

(5) Classic RF: the GUIDs selection is made with multiple accesses (can be used by all queries)

(6) Each line of the question object corresponding to a field checked by the authorization process is converted into a range table.

(7) The application Question is modified with the authorized values in classes CL_CRM_REPORT_ACCRULE_ONEORDER and CL_CRM_REPORT_ACCRULE_ONEORD_I, method MAKE_INSTANCE_VALID.

The union of the GUID selected is processed in class CL_CRM_REPORT_QUESTION -> REFRESH:

(1) Creation of a new query wherever there is an operator Union in the question.

(2) For each query, call method gr_accessrule->SELECT to select the GUIDs.

(3) Append the selected GUIDs to the total list without duplication.

2017-06-13

CDS view only supports read access so the corresponding DCL concept only applies for Advanced search, since CDS view is only used in advanced search currently.

What authorization objects are currently used in advanced search?

An authorization trace is performed on AG3/001 using transaction STAUTHTRACE:

Start: enter business role SERVICEPRO, End: click Search button and see result in WebUI

None of them belong to Carsten's list?

2017-06-14 Authorization check in One order reporting framework

There are several ACE checks:

CRM_ACE_RIG_RT

CRM_ACE_WP_RT

CRM_ACE_OTYPES

CRM_ACE_CUSTOM

CRM_ACE_ACTS

2017-06-15

How CDS DCL works

See one example:

We have three approaches to control authorization for search.

test table in X3C/504:

Solution 1 - fetch from the DB, then perform the authorization check in ABAP (bad!)

```abap
" Solution 1: read every order first, then filter row by row in ABAP
DATA: lt_result TYPE TABLE OF zorder.
" fetches all rows regardless of authorization; the DB does no filtering
SELECT * INTO TABLE @DATA(lt_table) FROM zorder.
LOOP AT lt_table ASSIGNING FIELD-SYMBOL(<order>).
  " one AUTHORITY-CHECK per row: cost grows with the table, not with the result
  AUTHORITY-CHECK OBJECT 'ZJER_TYPE' ID 'PR_TYPE' FIELD <order>-order_type.
  IF sy-subrc = 0.
    APPEND <order> TO lt_result.
  ENDIF.
ENDLOOP.
```

result:

Solution 2 - this is exactly the current report framework's "fast authorization" concept: read the user's authorization values first and push them into the WHERE clause

```abap
REPORT zsolution1.

" macro: the preceding READ TABLE found no value for the field
DEFINE authority_check_fail.
  IF sy-subrc <> 0.
    WRITE:/ 'No authorization'.
    RETURN.
  ENDIF.
END-OF-DEFINITION.

PARAMETERS: user TYPE sy-uname OBLIGATORY DEFAULT sy-uname.
DATA: lt_result TYPE TABLE OF zorder.

" read all maintained values of object ZJER_TYPE from the user master record
DATA: lt_val TYPE TABLE OF usvalues.
CALL FUNCTION 'SUSR_USER_AUTH_FOR_OBJ_GET'
  EXPORTING
    user_name           = user
    sel_object          = 'ZJER_TYPE'
  TABLES
    values              = lt_val
  EXCEPTIONS
    user_name_not_exist = 1
    not_authorized      = 2
    internal_error      = 3
    OTHERS              = 4.

" POC simplification: only the first ACTVT value and the first PR_TYPE value
" are considered; a user with several authorizations for the object gets
" only the first one applied
READ TABLE lt_val ASSIGNING FIELD-SYMBOL(<val>) WITH KEY field = 'ACTVT'.
authority_check_fail.
IF <val>-von <> '03' AND <val>-von <> '*'.
  WRITE:/ 'No authorization'.
  RETURN.
ENDIF.

READ TABLE lt_val ASSIGNING FIELD-SYMBOL(<type>) WITH KEY field = 'PR_TYPE'.
authority_check_fail.
" '*' means unrestricted, so no WHERE clause; otherwise restrict to the one value
DATA(lv_where) = COND string( WHEN <type>-von = '*' THEN space ELSE
| ORDER_TYPE = '{ <type>-von }'| ).
WRITE:/ lv_where.
" the authorization becomes part of the DB selection instead of a post-filter
SELECT * INTO TABLE lt_result FROM zorder WHERE (lv_where).
BREAK-POINT.   " debugging stop to inspect lt_result
```

Solution 3 - Using CDS DCL

```
@EndUserText.label: 'Order DCL POC'
@MappingRole: true
define role Zjerry_Order_Dcl {
  grant select on zjerry_order
    where ( order_type ) = aspect pfcg_auth( ZJER_TYPE, pr_type, ACTVT = '03' )
       or ( order_type ) = aspect pfcg_auth( ZJER_TYPE, pr_type, ACTVT = '*' );
}
```

The code is very clean now:

```abap
SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.
```

And also works as expected:

From the CDS standard training: it is IMPOSSIBLE for the ABAP layer to know whether there is indeed only one entry with type SRVO, or whether there are more entries that were filtered out because of missing authorization.

When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical "and".

This is ST05 trace:

However, there is some trouble here!?

However, this is not true :(

And then change the corresponding field in the PFCG role from 03 to *:

The result is still the same:

Best practice??

Just follow the S/4 DCL design. Check their package VDM_SD_ANALYTICS.

Two fields in one authorization object act like an intersection: both field values must match within the same authorization.

Switch the check off with: @AccessControl.authorizationCheck: #NOT_ALLOWED

If a CDS entity is specified in several access rules of a CDS role or in multiple CDS roles, the resulting access conditions are joined using a logical "or".
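As an added example (not from the original post or the report framework's own code), here is Solution 2 reworked the way the framework's fast check does it: each field's authorization values become a range table, values inside one authorization are intersected (its ACTVT must cover 03 before its PR_TYPE values count), and values from different authorizations are unioned. It assumes the constructed object ZJER_TYPE has exactly the fields ACTVT and PR_TYPE, and that USVALUES carries the authorization name in AUTH and the interval end in BIS.

```abap
REPORT zsolution2_ranges.
" Added example, not code from the post. Assumptions: ZJER_TYPE has exactly the
" fields ACTVT and PR_TYPE; USVALUES carries the authorization name (AUTH) and
" the interval end (BIS) of each value maintained in PFCG.
PARAMETERS: p_user TYPE sy-uname OBLIGATORY DEFAULT sy-uname.

DATA: lt_val    TYPE TABLE OF usvalues,
      lt_result TYPE TABLE OF zorder,
      lr_type   TYPE RANGE OF zorder-order_type,
      lv_all    TYPE abap_bool.

CALL FUNCTION 'SUSR_USER_AUTH_FOR_OBJ_GET'
  EXPORTING
    user_name  = p_user
    sel_object = 'ZJER_TYPE'
  TABLES
    values     = lt_val
  EXCEPTIONS
    OTHERS     = 4.
IF sy-subrc <> 0.
  WRITE:/ 'No authorization'.
  RETURN.
ENDIF.

" Fields inside one authorization are intersected: PR_TYPE values only count
" when the same authorization (AUTH) also grants ACTVT 03 (single values only;
" ACTVT intervals are not handled here). Different authorizations are unioned,
" so each one appends its own lines to the range table.
LOOP AT lt_val ASSIGNING FIELD-SYMBOL(<actvt>)
     WHERE field = 'ACTVT' AND ( von = '03' OR von = '*' ).
  LOOP AT lt_val ASSIGNING FIELD-SYMBOL(<type>)
       WHERE auth = <actvt>-auth AND field = 'PR_TYPE'.
    IF <type>-von = '*'.
      lv_all = abap_true.                " full access: no restriction at all
    ELSEIF <type>-bis IS NOT INITIAL.    " interval maintained in PFCG (von - bis)
      APPEND VALUE #( sign = 'I' option = 'BT' low = <type>-von high = <type>-bis ) TO lr_type.
    ELSEIF <type>-von CA '*'.            " generic value such as SRV*
      APPEND VALUE #( sign = 'I' option = 'CP' low = <type>-von ) TO lr_type.
    ELSE.
      APPEND VALUE #( sign = 'I' option = 'EQ' low = <type>-von ) TO lr_type.
    ENDIF.
  ENDLOOP.
ENDLOOP.

IF lv_all = abap_true.
  CLEAR lr_type.                         " empty range table = no WHERE restriction
ELSEIF lr_type IS INITIAL.
  WRITE:/ 'No authorization'.            " no authorization covers activity 03
  RETURN.
ENDIF.
SELECT * FROM zorder WHERE order_type IN @lr_type INTO TABLE @lt_result.
```

Like the DCL in Solution 3, this pushes the authorization into the DB selection, so a caller still cannot tell from lt_result whether rows were filtered out for lack of authorization.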

2017-06-17

Refer to S4:

Before I create DCL object:

After I create DCL object:

Jerry's question: there are also lots of other authorization objects evaluated in the current search:

