cancel
Showing results for 
Search instead for 
Did you mean: 

Instance authorization in Hybris Marketing

0 Kudos

Hi,

in application help for yMkt in chapter 5.2 is explained, how to configure a custom driven authorization on any non standard relevant field.

If we do so, there is no effect on new provided authority object / configuration in PFCG in regard to have a authority check on field level in contact app.

In BOB implementation for INTERACTION_CONTACT (building sql statement) I saw there is a part for authorization but this implementation refers to authority object configured on BO.

So I am wondering if the application help (version 1702) is not up to date or what is the correct way to enable a authorization check on field level beside the standard provided fields?

BR,

Frank

Accepted Solutions (0)

Answers (2)

Answers (2)

0 Kudos

We have raised the OSS 105080 / 2018.

former_member207603
Contributor
0 Kudos

Hi Frank,

can you pls. provide some more details on what you're trying to achieve?

Regards,

Matthias

0 Kudos

Hi Matthias,

sure, I'll provide some more information on requirement level and what we want to achieve.

We have extracted CRM Data into yMkt datamodel. Next to the standard attributes in extraction HANA calculation views we have added some customer specific ones.

One of the customer attribute has information regarding authorization in CRM. If this attribute has not a specific value, the customer consultant (own business role in yMkt) should have no access to this data set.

So according to above description from application help, we thought it's sufficient to put this attribute into the OUTPUT list of HANA View and do the customizing in yMkt. As well to add the authorization object to the used role and to configure the values.

This didn't have any influence on search query from Contact-App. Within the ODATA Service CUAN_COMMON_SRV, where the search query is handled for INTERACTION_CONTACT and passed to query implementation on BOPF, we could see, that in the part where the SQL-Statement is build for HANA View, there is an implementation for handling authorization (e.g. CL_HPA_READ_ACCESS_COMMON~ADD_AUTH_ATTRS_TO_WHERE_CLAUSE).

This implementation is checking the authorization objects configured in BO INTERACTION_CONTACT itself (Transaction BOX) but it seems there is not consideration of described application help customizing.

Therefore I asked the question if either the application help is not up to date or where in yMkt this configuration/customing is applicable? Furthermore is the way to extend the BO with an own authorization object to have a check on field-level the best way?

We want to achieve, the only particular (role / auth.object configuration) employees/customer consultant have access to all or particular data sets of INTERACTION_CONTACTS.

BR,

Frank

former_member207603
Contributor
0 Kudos

Hi Frank,

sorry one more question -

"HANA View and do the customizing in yMkt"

Which customizing in yMKT are you referring?

Thanks,

Matthias

0 Kudos

Hi Matthias,

I am referring to the customizing mentioned in Application Help of 1702 in chapter 5.2 for instance authorization.

1. Provide the authorization-relevant field in an appropriate SAP HANA information model by joining the respective data table. Make sure that the field is part of the model's output structure.

2. Create an authorization object for each additional authorization-relevant field. You can use Maintain Authorization Objects (transaction SU21) to define authorization objects.

3. Indicate the additional authorization object(s) in Customizing for SAP Hybris Marketing (formerly SAP Customer Engagement Intelligence) under General Settings --> Authorization --> Assign Authorization Objects

I guess the other customizing view for InfoProviders is only necessary in case of Business Warehouse?

If I use the where-used functionality for table CRA_APP_AUTHOBJ I found only this data provider class as user (CL_CUAN_S360_DPC) which is not used for CUAN_COMMON_SRV odata service where BO Interaction_Contact is embedded.