
SAP UI5 Security - Front application screen controls

former_member256680
Participant
0 Kudos

Hello Everyone,

I am working on building authorization profiles for a UI5 application.

For example, user IDs John and Kevin already have access to SAP ECC with business authorizations.

John = Division head and Kevin = Team Lead.

John should be able to approve the work order and Kevin should only create (not approve).

Our developer has developed a common UI5 screen and would like to control the UI5 screen using authorization profiles.

I have gone through all the documentation and have a general idea of how UI5 roles can be built (like creating a service-specific or app-specific role with authorization object S_SERVICE).

Our UI5 and Gateway are on the same NW ABAP system (embedded approach).

My question is: are UI5 screen buttons like Approve, Assign etc. controlled by authorizations (using OData services)?

Appreciate your quick inputs.

Accepted Solutions (0)

Answers (5)


former_member256680
Participant
0 Kudos

Thank you for your help. The authorizations are controlled by a custom object and the S_SERVICE object.

former_member256680
Participant
0 Kudos

Thank you Jun, I am a Basis/security consultant.

I am aware of restricting access to tiles/groups in SAP FIORI (https://blogs.sap.com/2015/04/27/restrict-fiori-application-access-through-roles/).

I have also built roles (from SAP_UI2_USER_700) and added the OData services developed by the developers. Now the team lead sees all UI5 screens.

I want to restrict particular button controls on the UI5 screen (the approve button should be grayed out for the team lead).

Can you explain "expose the authorization check code as OData service"? Is this in /IWFND/MAINT_SERVICE? I see one option to activate: "OAuth scope exists for the current service" (do we need to check this box?)

junwu
Active Contributor

That is not your scope; the developer has to do it.

junwu
Active Contributor
0 Kudos

Do you know how authorization works in ABAP?
For UI5, you just have to expose the authorization check code as an OData service. That's it.

former_member256680
Participant
0 Kudos

Thanks Viplove for the swift response.

Could you please elaborate more from a development perspective? Then for "each action on buttons", the developer has to develop a separate OData service and those corresponding services have to be included in authorization profiles (S_SERVICE)? Is my understanding correct?

former_member340030
Contributor
0 Kudos

Hi Imran,

First you need to have one service which will get you the role (lead, head, etc.) and on the basis of that you need to hide the buttons on the UI. Then on each button click you can implement different services to do operations.

Or you can even use the same button and just change the text of the button according to the role. Then on the button click you can send a parameter to the service saying which role is active and handle the logic accordingly on the backend.

But it's better to go with the first one because development-wise it is much easier and neater to handle. The second one might increase the complexity.

thanks

Viplove
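
As an added example that is not part of the original answers: a plain JavaScript sketch of the first approach described above, with one service that reports what the logged-in user may do (used to enable or grey out buttons) and a separate check inside each action service, so the button state is only display logic. The permission table, function names and order number are constructed for illustration; in the thread's landscape the checks would run in the ABAP backend behind the OData services.

```javascript
// Constructed sample data: which actions each backend user may perform.
// In the thread's setup this would come from ABAP authorization checks
// (custom object plus S_SERVICE); the table itself is hypothetical.
const BACKEND_AUTH = {
  JOHN: new Set(["create", "approve"]), // division head
  KEVIN: new Set(["create"]),           // team lead
};

// Stand-in for the service that tells the UI what the logged-in user may do.
// The user comes from the authenticated session, never from request data.
function getPermissions(sessionUser) {
  const allowed = BACKEND_AUTH[sessionUser] || new Set();
  return { create: allowed.has("create"), approve: allowed.has("approve") };
}

// Stand-in for the per-action service behind each button. It repeats the
// authorization check on every call and ignores any role sent in the payload.
function callAction(sessionUser, action, payload) {
  const allowed = BACKEND_AUTH[sessionUser] || new Set();
  if (!allowed.has(action)) {
    return { status: 403, error: `${sessionUser} is not authorized to ${action}` };
  }
  return { status: 200, result: `${action} done for order ${payload.orderId}` };
}

// Client side: derive button state from the permission service.
// This is display logic only; enforcement stays in callAction.
function buttonState(permissions) {
  return {
    createButton: { enabled: permissions.create },
    approveButton: { enabled: permissions.approve },
  };
}

function demo() {
  const kevinUi = buttonState(getPermissions("KEVIN"));
  const johnUi = buttonState(getPermissions("JOHN"));
  // A request that reaches the approve service although the button is greyed
  // out, carrying a role value in the payload: the backend still rejects it.
  const kevinApprove = callAction("KEVIN", "approve", { orderId: "4711", role: "head" });
  const johnApprove = callAction("JOHN", "approve", { orderId: "4711" });
  return { kevinUi, johnUi, kevinApprove, johnApprove };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same permission source drives both the greyed-out button and the backend rejection, so the two cannot drift apart.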

former_member340030
Contributor
0 Kudos

Hi Imran,

Yeah, you can control those buttons using the roles assigned to the logged-in user, and you can also call the services (actions on the buttons) on the basis of the user's roles for extra security.

thanks

Viplove