Former Member

UME authorization on object level

Hi,

I understand the concept of roles / actions / permissions in the UME, but this only means you have a permission or you don't have a permission.

What if (and that's the common case in my mind) I need object level permissions, like I have a hierarchy of application objects and the user only should have access to a branch of the object tree?

Is the application developer supposed to implement this solely himself or does UME support such scenarios when it comes to "how do I setup those permissions?" and "where are those permissions stored?" or in other words: Do I have to create a configuration UI in the application and store the permission data in our own database tables with saving the user id?

Regards

Bruno


3 Answers

  • Best Answer
    Former Member
    Posted on Nov 17, 2004 at 12:53 PM

    Bruno,

    Take a look at com.sap.security.api.acl.* -- it contains necessary APIs backed with corresponding implementation for managing ACLs and verifying instance-based permissions.

    Sure, this is only basic ACL stuff; the following tasks should be carried out by the developer:

    1. Invoking permissions checks in business methods.

    2. Applying security to search-like operations (finders, relation traversal) on business objects (i.e. search results do not contain objects for which the user does not have at least "read" permission)

    3. UI for maintaining own permissions hierarchy & manipulating ACL entries

    All this stuff (and much more) is already implemented within the CAF framework; search the corresponding SDN section(s).

    Regards,

    VS

    P.S. I'm not sure exactly, but it seems that the "roles/actions/permissions" model and the ACL model are completely disconnected. For example, permissions from the first model have nothing to do with permissions defined in the ACL manager. The only thing they have in common is that both work against the same UME principals. Seems that both were designed by separate architects who have no way to contact each other << END_OF_RANT


    • Former Member

      Thanks Valery,

      I already found this package before; it didn't make a whole lot of sense to me and there is no documentation except the javadoc, but I guess that's the route to go down.

  • Former Member
    Posted on Nov 18, 2004 at 02:54 PM

    Hi Bruno

    To give object level permissions,

    0. Include the security API in your Java build path.

    com.sap.security.api.jar

    1. You need to create a permission class which extends NamePermission for each object. Ex: Button B1. Have a permission class for Button B1 in any package.

    2. Create the UI elements and set the visibility property to a context attribute so that you can set the property at run time.

    3. Get the user information in your view as follows

    IWDClientUser user = null;
    try {
        user = WDClientUser.getCurrentUser();
    } catch (WDUMException e) {
        // the original discarded the message; log it so a failed lookup is visible,
        // and leave user == null so the check below falls back to "hidden"
        wdComponentAPI.getMessageManager().reportException(e.getLocalizedMessage(), false);
    }

    4. Now check whether the user has a permission as follows

    // null check guards the case where getCurrentUser() threw above
    if (user != null && user.hasPermission(new ButtonB1("But1View"))) {
        but1.setVisible(WDVisibility.VISIBLE);
    }

    5. Now create an XML file with the permission as follows.

    <!-- $Id: //shared_tc/com.sapall.security/630_VAL_REL/src/_deploy/dist/configuration/shared/UMErole.xml#3 $ -->
    <BUSINESSSERVICE NAME="TEMP" >
        <DESCRIPTION LOCALE="en" VALUE="Access Management Engine"/>
        <!-- Business Service Actions -->
        <ACTION NAME="But1_Admin" >
            <DESCRIPTION LOCALE="en" VALUE="Button 1 Permission" />
            <PERMISSION CLASS="temp.authorization.perm.ButtonB1" NAME="But1View" VALUE="*" />
        </ACTION>
    </BUSINESSSERVICE>

    6. Deploy the XML file in the Visual Administrator in services/Configuration Adapter/cluster-data/server/persistent/com.sap.security.core.ume.service

    7. Restart the J2EE engine

    8. Log on to the UME engine and try creating a role. There you can see the action you created in the XML file.

    Assign the action to the role and assign the role to the user.

    9. Now only those users to whom the role you created is assigned will be able to see the button.

    Regards

    NagaKishore

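    The permission class from step 1 together with a fail-closed visibility check for steps 3 and 4, as an added example (not code from the thread above). It assumes the SAP NetWeaver 04 classes the answer names (NamePermission, IWDClientUser, WDClientUser, WDUMException, WDVisibility); the import package paths, the NamePermission(String) constructor and the WDVisibility.NONE constant are assumptions.

```java
// Added example; package must match the CLASS attribute in the action XML above.
package temp.authorization.perm;

import com.sap.security.api.permissions.NamePermission;            // assumed package path
import com.sap.tc.webdynpro.services.sal.um.api.IWDClientUser;     // assumed package path
import com.sap.tc.webdynpro.services.sal.um.api.WDClientUser;      // assumed package path
import com.sap.tc.webdynpro.services.sal.um.api.WDUMException;     // assumed package path
import com.sap.tc.webdynpro.progmodel.api.WDVisibility;            // assumed package path

/**
 * Permission guarding Button B1. The NAME attribute in the action XML
 * ("But1View") is the permission name the view checks against, so one
 * class can cover several named UI elements by varying the name.
 */
public class ButtonB1 extends NamePermission {

    public ButtonB1(String name) {
        super(name);   // assumed: NamePermission offers a single-argument constructor
    }

    /**
     * Resolve the visibility of a permission-guarded element for the
     * current user. Any failure (no user, lookup error) yields NONE, so
     * the element is hidden unless the check positively succeeds.
     */
    public static WDVisibility visibilityFor(String permissionName) {
        IWDClientUser user;
        try {
            user = WDClientUser.getCurrentUser();
        } catch (WDUMException e) {
            // fail closed: a broken user lookup must not expose the element
            return WDVisibility.NONE;
        }
        if (user == null) {
            return WDVisibility.NONE;
        }
        return user.hasPermission(new ButtonB1(permissionName))
                ? WDVisibility.VISIBLE
                : WDVisibility.NONE;
    }
}

// In the view (e.g. wdDoModifyView) bind the context attribute from step 2:
//   wdContext.currentContextElement().setBut1Visibility(ButtonB1.visibilityFor("But1View"));
```

    Hiding the button is only a UI convenience; the business method the button invokes still needs its own hasPermission check, as the accepted answer's item 1 points out.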

  • Former Member
    Posted on Dec 11, 2004 at 01:58 PM

    Hi Bruno,

    I was just looking for the same topic. Did you by now find out whether UME provides such a feature or not?

    Regards,

    Harald
