
SAP UI5 Security - Front application screen controls

Hello Everyone,

I am working on building authorization profiles for a UI5 application.

For example, user IDs John and Kevin already have access to SAP ECC with business authorizations.

John = Division Head and Kevin = Team Lead.

John should be able to approve the work order, and Kevin should only create (not approve).

Our developer has developed a common UI5 screen and would like to control the UI5 screen using authorization profiles.

I have gone through all the documentation and have a general idea of how UI5 roles can be built (like creating a service-specific or app-specific role with authorization object S_SERVICE).

Our UI5 and Gateway are on the same NW ABAP system (embedded approach).

My question is: are UI5 screen buttons like Approve, Assign, etc. controlled by authorizations (using OData services)?

Appreciate your quick inputs.


5 Answers

  • Jan 16, 2017 at 09:55 AM

    Hi Imran,

    Yeah, you can control those buttons using the roles assigned to the logged-in user, and you can also call the services (actions on the buttons) on the basis of the user's roles for extra security.

    thanks

    Viplove


  • Jan 17, 2017 at 05:36 AM

    Thanks, Viplove, for the swift response.

    Could you please elaborate more from a development perspective? Then for "each action on buttons", the developer has to develop a separate OData service, and those corresponding services have to be included in authorization profiles (S_SERVICE)? Is my understanding correct?


    • Hi Imran,

      First you need to have one service which will get you the role (lead, head, etc.), and on the basis of that you need to hide the buttons on the UI. Then on each button click you can implement different services to do operations.

      Or you can even use the same button and just change the text of the button according to the role. Then on the button click you can send a parameter to the service saying which role is active and handle the logic on the backend accordingly.

      But it's better to go with the first one because development-wise it is much easier and neater to handle. The second one might increase the complexity.

      thanks

      Viplove

  • Jan 17, 2017 at 09:28 PM

    Do you know how authorization works in ABAP?
    For UI5, you just have to expose the authorization check code as an OData service. That's it.


  • Jan 18, 2017 at 06:10 AM

    Thank you Jun, I am a Basis/security consultant.

    I am aware of restricting access to tiles/groups in SAP FIORI (https://blogs.sap.com/2015/04/27/restrict-fiori-application-access-through-roles/)

    I have also built roles (from SAP_UI2_USER_700) and added OData services developed by developers. Now the team lead sees all UI5 screens.

    I want to restrict particular button controls on the UI5 screen (the Approve button should be grayed out for the team lead).

    Can you explain "expose the authorization check code as odata service"? Is this in /IWFND/MAINT_SERVICE? I see one option to activate: "OAuth scope exists for the current service" (do we need to check this box?)


  • Feb 05, 2017 at 06:35 AM

    Thank you for your help. The authorizations are controlled by a custom object and the S_SERVICE object.
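
The pattern this thread arrives at, as an added example that is not part of the original posts and not SAP's API: the backend exposes a permissions read that the UI uses to enable or gray out buttons, and the action handler repeats the authorization check itself, so the button state is only presentation. All names (`AUTH`, `isAuthorized`, `getPermissions`, `approveWorkOrder`, `buttonState`) and the sample data are constructed; the in-memory map stands in for the ABAP authorization check on the custom object, and the user ID is assumed to come from the authenticated session.

```javascript
// Constructed sample data: stand-in for the backend authorization check
// (in the thread's setup, a custom authorization object in the user's profile).
const AUTH = new Map([
  ["JOHN",  new Set(["CREATE", "APPROVE"])], // Division Head
  ["KEVIN", new Set(["CREATE"])],            // Team Lead
]);

// Backend: single decision point. Unknown users and unknown actions are denied.
function isAuthorized(user, action) {
  const granted = AUTH.get(user);
  return granted !== undefined && granted.has(action);
}

// Backend: read-only service the UI calls once to decide what to render.
function getPermissions(user) {
  return {
    canCreate:  isAuthorized(user, "CREATE"),
    canApprove: isAuthorized(user, "APPROVE"),
  };
}

// Backend: the action handler checks again. `user` is the authenticated
// session user (assumption), never a role value supplied by the client.
function approveWorkOrder(user, orderId) {
  if (!isAuthorized(user, "APPROVE")) {
    return { status: 403, body: `user ${user} is not authorized to approve` };
  }
  return { status: 200, body: `work order ${orderId} approved by ${user}` };
}

// Frontend: button properties derived from the permissions payload.
// This only improves usability; it enforces nothing.
function buttonState(perms) {
  return {
    createButton:  { enabled: perms.canCreate },
    approveButton: { enabled: perms.canApprove },
  };
}

// Team lead: Approve is grayed out, and an approve request that does not
// come from the button is still rejected by the handler.
function demo() {
  return {
    kevinUi: buttonState(getPermissions("KEVIN")),
    kevinApprove: approveWorkOrder("KEVIN", "4711"),
    johnApprove: approveWorkOrder("JOHN", "4711"),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```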
