on 01-16-2017 5:42 AM
Hello Everyone,
I am working on building authorization profiles for UI5 Application.
For. ex User ID= John & Kevin are already having access to SAP ECC with business authorizations.
John= Division head & Kevin= Team Lead.
John should able to approve the work order and Kevin should only create (not approve).
Our developer has developed common UI5 screen and would like to control UI5 screen using authorization profiles.
I have gone through all documentation & have general idea how UI5 roles can be build (like create a service-specific or app-specific role with authorization object S_SERVICE).
Our UI5 & Gateway is on same NW ABAP system (embedded approach).
My question is that, UI5 screen buttons like Approve, assign etc, is it controlled by authorizations (using OData services) ?
Appreciate your quick inputs.
Thank you for your help. The authorizations controlled by custom object and s_service object.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank you Jun, I am Basis/security consultant.
I am aware of restricting access to tiles/group in SAP FIORI (https://blogs.sap.com/2015/04/27/restrict-fiori-application-access-through-roles/)
I have also build roles (from SAP_UI2_USER_700) and added oData services developed by developers. Now Team lead see all UI5 screens.
I want to restrict particular button controls on UI5 screen (approve button should be grayed out for team lead).
Can you explain, "expose the authorization check code as odata service" is this in /IWFND/MAINT_SERVICE? I see one option to activate
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
that is not your scope, the developer has to do it.
do you know how authorization works in abap?
for ui5, you just have to expose the authorization check code as odata service. that's it.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thanks Viplove for swift response.
Could you please elaborate more from development perspective? then for "each action on buttons", developer has to develop separate OData service & those corrosponding services has to be included in Authorization profiles (S_SERVICE)? Is my understnading correct?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Imran ,
First you need to have one service which will get you the role (lead , head , etc) and on the basis of that you need to hide the buttons on the UI. Than on each button click you can implement different services to do operations.
Or even you can use the same button just change the text of the button according to the role.Than on the button click you can send the parameter to the service that which role is active and accordingly handle the logic on the backend.
But its better to go by first one because development wise much easier and neat to handle. Second one might increase the complexity
thanks
Viplove
Hi Imran ,
Yeah you can control those buttons using the roles assigned to the user logged in .. and also you can call the services (actions on the buttons) on the basis of roles of the user for an extra security.
thanks
Viplove
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
90 | |
10 | |
10 | |
10 | |
7 | |
7 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.