Authorization in RAP ensures that users can only access data and execute operations they are entitled to. This article presents the different authorization concepts and how to implement them.

## Authorization concepts at a glance
| Aspect | Instance Authorization | Global Authorization |
|---|---|---|
| Scope | Individual instances | Entire entity |
| Check | Per record | Once per operation |
| Use case | "May the user change this travel?" | "May the user create travels?" |
| Performance | More expensive (per instance) | More efficient (only once) |
## Instance Authorization

Instance Authorization checks authorizations at the level of individual records. This matters when different instances have different authorization requirements.

### Behavior Definition
```cds
managed implementation in class zbp_i_travel unique;
strict ( 2 );

define behavior for ZI_Travel alias Travel
  persistent table ztravel
  lock master
  authorization master ( instance )
{
  create;
  update;
  delete;

  action cancel result [1] $self;
  action accept result [1] $self;

  mapping for ztravel
  {
    TravelUUID = travel_uuid;
    TravelID   = travel_id;
    AgencyID   = agency_id;
    CustomerID = customer_id;
    Status     = overall_status;
  }
}
```

### Implementing Instance Authorization
```abap
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Travel RESULT result.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.
  METHOD get_instance_authorizations.
    " Read the instance data
    READ ENTITIES OF zi_travel IN LOCAL MODE
      ENTITY Travel
        FIELDS ( AgencyID Status )
        WITH CORRESPONDING #( keys )
      RESULT DATA(travels).

    LOOP AT travels ASSIGNING FIELD-SYMBOL(<travel>).
      " Results of the authorization object checks for this instance
      DATA(is_authorized_update) = abap_false.
      DATA(is_authorized_delete) = abap_false.
      DATA(is_authorized_cancel) = abap_false.

      " Check update authorization (Cancel reuses the change activity)
      IF requested_authorizations-%update = if_abap_behv=>mk-on
         OR requested_authorizations-%action-cancel = if_abap_behv=>mk-on.
        AUTHORITY-CHECK OBJECT 'ZTRAVEL'
          ID 'ZAGENCY' FIELD <travel>-AgencyID
          ID 'ACTVT'   FIELD '02'. " Change
        IF sy-subrc = 0.
          is_authorized_update = abap_true.
          is_authorized_cancel = abap_true.
        ENDIF.
      ENDIF.

      " Check delete authorization
      IF requested_authorizations-%delete = if_abap_behv=>mk-on.
        AUTHORITY-CHECK OBJECT 'ZTRAVEL'
          ID 'ZAGENCY' FIELD <travel>-AgencyID
          ID 'ACTVT'   FIELD '06'. " Delete
        IF sy-subrc = 0.
          is_authorized_delete = abap_true.
        ENDIF.
      ENDIF.

      " Additional status check for the Cancel action: only open travels
      IF is_authorized_cancel = abap_true AND <travel>-Status <> 'O'.
        is_authorized_cancel = abap_false.
      ENDIF.

      " Set the result
      APPEND VALUE #( %tky = <travel>-%tky
                      %update = COND #( WHEN is_authorized_update = abap_true
                                        THEN if_abap_behv=>auth-allowed
                                        ELSE if_abap_behv=>auth-unauthorized )
                      %delete = COND #( WHEN is_authorized_delete = abap_true
                                        THEN if_abap_behv=>auth-allowed
                                        ELSE if_abap_behv=>auth-unauthorized )
                      %action-cancel = COND #( WHEN is_authorized_cancel = abap_true
                                               THEN if_abap_behv=>auth-allowed
                                               ELSE if_abap_behv=>auth-unauthorized ) )
             TO result.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

### Authorization return values
| Value | Meaning |
|---|---|
| `if_abap_behv=>auth-allowed` | Operation allowed |
| `if_abap_behv=>auth-unauthorized` | Not authorized |
## Global Authorization

Global Authorization checks authorizations at entity level, independently of concrete instances. It is ideal for CREATE operations, or whenever all instances are treated the same way.

### Behavior Definition
```cds
define behavior for ZI_Travel alias Travel
  persistent table ztravel
  lock master
  authorization master ( global )
{
  create;
  update;
  delete;

  static action massUpdate;
}
```

### Implementing Global Authorization
```abap
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS get_global_authorizations FOR GLOBAL AUTHORIZATION
      IMPORTING REQUEST requested_authorizations FOR Travel RESULT result.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.
  METHOD get_global_authorizations.
    " Check CREATE authorization
    IF requested_authorizations-%create = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'ZTRAVEL'
        ID 'ZAGENCY' DUMMY
        ID 'ACTVT'   FIELD '01'. " Create
      DATA(is_create_authorized) = COND #( WHEN sy-subrc = 0
                                           THEN if_abap_behv=>auth-allowed
                                           ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.

    " Check authorization for the static action
    IF requested_authorizations-%action-massUpdate = if_abap_behv=>mk-on.
      AUTHORITY-CHECK OBJECT 'ZTRAVEL'
        ID 'ZAGENCY' DUMMY
        ID 'ACTVT'   FIELD '02'.
      DATA(is_mass_update_authorized) = COND #( WHEN sy-subrc = 0
                                                THEN if_abap_behv=>auth-allowed
                                                ELSE if_abap_behv=>auth-unauthorized ).
    ENDIF.

    result = VALUE #( %create           = is_create_authorized
                      %action-massUpdate = is_mass_update_authorized ).
  ENDMETHOD.
ENDCLASS.
```

## Combined Authorization (Instance + Global)
In practice, both kinds of Authorization are often needed together:

### Behavior Definition
```cds
define behavior for ZI_Travel alias Travel
  persistent table ztravel
  lock master
  authorization master ( instance, global )
{
  create;
  update;
  delete;

  action cancel result [1] $self;
  static action releaseAll;
}
```

### Implementation
```abap
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    " Instance Authorization for UPDATE, DELETE and actions
    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Travel RESULT result.

    " Global Authorization for CREATE and static actions
    METHODS get_global_authorizations FOR GLOBAL AUTHORIZATION
      IMPORTING REQUEST requested_authorizations FOR Travel RESULT result.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.
  METHOD get_instance_authorizations.
    READ ENTITIES OF zi_travel IN LOCAL MODE
      ENTITY Travel
        FIELDS ( AgencyID )
        WITH CORRESPONDING #( keys )
      RESULT DATA(travels).

    LOOP AT travels ASSIGNING FIELD-SYMBOL(<travel>).
      " Agency-based authorization: change
      AUTHORITY-CHECK OBJECT 'ZTRAVEL'
        ID 'ZAGENCY' FIELD <travel>-AgencyID
        ID 'ACTVT'   FIELD '02'.
      DATA(has_change_auth) = COND #( WHEN sy-subrc = 0 THEN abap_true ).

      " Agency-based authorization: delete
      AUTHORITY-CHECK OBJECT 'ZTRAVEL'
        ID 'ZAGENCY' FIELD <travel>-AgencyID
        ID 'ACTVT'   FIELD '06'.
      DATA(has_delete_auth) = COND #( WHEN sy-subrc = 0 THEN abap_true ).

      APPEND VALUE #( %tky = <travel>-%tky
                      %update = COND #( WHEN has_change_auth = abap_true
                                        THEN if_abap_behv=>auth-allowed
                                        ELSE if_abap_behv=>auth-unauthorized )
                      %delete = COND #( WHEN has_delete_auth = abap_true
                                        THEN if_abap_behv=>auth-allowed
                                        ELSE if_abap_behv=>auth-unauthorized )
                      %action-cancel = COND #( WHEN has_change_auth = abap_true
                                               THEN if_abap_behv=>auth-allowed
                                               ELSE if_abap_behv=>auth-unauthorized ) )
             TO result.
    ENDLOOP.
  ENDMETHOD.

  METHOD get_global_authorizations.
    " CREATE authorization
    AUTHORITY-CHECK OBJECT 'ZTRAVEL'
      ID 'ZAGENCY' DUMMY
      ID 'ACTVT'   FIELD '01'.
    DATA(create_auth) = COND #( WHEN sy-subrc = 0
                                THEN if_abap_behv=>auth-allowed
                                ELSE if_abap_behv=>auth-unauthorized ).

    " Static action authorization
    AUTHORITY-CHECK OBJECT 'ZTRAVEL'
      ID 'ZAGENCY' DUMMY
      ID 'ACTVT'   FIELD '02'.
    DATA(release_auth) = COND #( WHEN sy-subrc = 0
                                 THEN if_abap_behv=>auth-allowed
                                 ELSE if_abap_behv=>auth-unauthorized ).

    result = VALUE #( %create           = create_auth
                      %action-releaseAll = release_auth ).
  ENDMETHOD.
ENDCLASS.
```

## Master and Dependent Authorization
For compositions with parent-child relationships, the authorization can be delegated from the parent.

### Behavior Definition
```cds
define behavior for ZI_Travel alias Travel
  persistent table ztravel
  lock master
  authorization master ( instance )
{
  create;
  update;
  delete;

  association _Booking { create; }
}

define behavior for ZI_Booking alias Booking
  persistent table zbooking
  lock dependent by _Travel
  authorization dependent by _Travel
{
  update;
  delete;

  field ( readonly ) TravelUUID;

  association _Travel;
}
```

### Explanation
- `authorization master`: this entity performs the authorization check
- `authorization dependent by _Travel`: Booking inherits the authorization of Travel
- For operations on Booking, the Authorization of Travel is checked automatically
### Advantage

No separate Authorization implementation is needed for Booking. The parent's authorization applies automatically to all dependent entities.
## Precheck for early authorization checks

With Precheck, authorizations can be checked before the actual operation is executed. This is more efficient because invalid requests are rejected early.

### Behavior Definition
```cds
define behavior for ZI_Travel alias Travel
  persistent table ztravel
  lock master
  authorization master ( instance )
{
  create ( precheck );
  update ( precheck );
  delete ( precheck );

  action ( precheck ) cancel result [1] $self;
}
```

### Implementation with Precheck
```abap
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS precheck_create FOR PRECHECK
      IMPORTING entities FOR CREATE Travel.
    METHODS precheck_update FOR PRECHECK
      IMPORTING entities FOR UPDATE Travel.
    METHODS precheck_cancel FOR PRECHECK
      IMPORTING keys FOR ACTION Travel~cancel.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.
  METHOD precheck_create.
    LOOP AT entities ASSIGNING FIELD-SYMBOL(<entity>).
      " Check authorization for the new agency
      AUTHORITY-CHECK OBJECT 'ZTRAVEL'
        ID 'ZAGENCY' FIELD <entity>-AgencyID
        ID 'ACTVT'   FIELD '01'.
      IF sy-subrc <> 0.
        APPEND VALUE #( %cid = <entity>-%cid
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = |Pas d'autorisation pour l'agence { <entity>-AgencyID }| ) )
               TO reported-travel.
        APPEND VALUE #( %cid = <entity>-%cid ) TO failed-travel.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

  METHOD precheck_update.
    " Read the current data
    READ ENTITIES OF zi_travel IN LOCAL MODE
      ENTITY Travel
        FIELDS ( AgencyID Status )
        WITH CORRESPONDING #( entities )
      RESULT DATA(travels).

    LOOP AT entities ASSIGNING FIELD-SYMBOL(<entity>).
      " Clear before the lookup so a miss never reuses the previous row
      DATA travel LIKE LINE OF travels.
      CLEAR travel.
      READ TABLE travels INTO travel WITH KEY TravelUUID = <entity>-TravelUUID.

      " Locked travels cannot be changed
      IF travel-Status = 'L'. " Locked
        APPEND VALUE #( %tky = <entity>-%tky
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = 'Les voyages verrouilles ne peuvent pas etre modifies' ) )
               TO reported-travel.
        APPEND VALUE #( %tky = <entity>-%tky ) TO failed-travel.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

  METHOD precheck_cancel.
    READ ENTITIES OF zi_travel IN LOCAL MODE
      ENTITY Travel
        FIELDS ( Status )
        WITH CORRESPONDING #( keys )
      RESULT DATA(travels).

    LOOP AT travels ASSIGNING FIELD-SYMBOL(<travel>).
      " Only open travels can be cancelled
      IF <travel>-Status <> 'O'.
        APPEND VALUE #( %tky = <travel>-%tky
                        %msg = new_message_with_text(
                                 severity = if_abap_behv_message=>severity-error
                                 text     = 'Seuls les voyages ouverts peuvent etre annules' ) )
               TO reported-travel.
        APPEND VALUE #( %tky = <travel>-%tky ) TO failed-travel.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

## Interaction with Feature Control
Authorization and Feature Control complement each other:

| Aspect | Authorization | Feature Control |
|---|---|---|
| Purpose | Check the authorization | Control UI elements |
| Result | Allowed/Unauthorized | Enabled/Disabled |
| Timing | At execution | When the UI is loaded |
### Best practice: consistent checks

```abap
CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    " Feature Control
    METHODS get_instance_features FOR INSTANCE FEATURES
      IMPORTING keys REQUEST requested_features FOR Travel RESULT result.

    " Authorization
    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Travel RESULT result.

    " Shared helper method, typed with the READ result structure so that
    " rows read via READ ENTITIES can be passed to it directly
    METHODS check_cancel_allowed
      IMPORTING travel        TYPE STRUCTURE FOR READ RESULT zi_travel\\travel
      RETURNING VALUE(result) TYPE abap_boolean.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.
  METHOD check_cancel_allowed.
    " Central logic for Feature Control AND Authorization
    result = abap_false.

    " Only open travels
    IF travel-Status <> 'O'.
      RETURN.
    ENDIF.

    " Authorization check
    AUTHORITY-CHECK OBJECT 'ZTRAVEL'
      ID 'ZAGENCY' FIELD travel-AgencyID
      ID 'ACTVT'   FIELD '02'.
    IF sy-subrc = 0.
      result = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD get_instance_features.
    READ ENTITIES OF zi_travel IN LOCAL MODE
      ENTITY Travel
        ALL FIELDS WITH CORRESPONDING #( keys )
      RESULT DATA(travels).

    LOOP AT travels ASSIGNING FIELD-SYMBOL(<travel>).
      DATA(can_cancel) = check_cancel_allowed( <travel> ).
      APPEND VALUE #( %tky = <travel>-%tky
                      %action-cancel = COND #( WHEN can_cancel = abap_true
                                               THEN if_abap_behv=>fc-o-enabled
                                               ELSE if_abap_behv=>fc-o-disabled ) )
             TO result.
    ENDLOOP.
  ENDMETHOD.

  METHOD get_instance_authorizations.
    READ ENTITIES OF zi_travel IN LOCAL MODE
      ENTITY Travel
        ALL FIELDS WITH CORRESPONDING #( keys )
      RESULT DATA(travels).

    LOOP AT travels ASSIGNING FIELD-SYMBOL(<travel>).
      DATA(can_cancel) = check_cancel_allowed( <travel> ).
      APPEND VALUE #( %tky = <travel>-%tky
                      %action-cancel = COND #( WHEN can_cancel = abap_true
                                               THEN if_abap_behv=>auth-allowed
                                               ELSE if_abap_behv=>auth-unauthorized ) )
             TO result.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

## Authorization objects in ABAP Cloud
In ABAP Cloud, authorization objects are created with ADT:

- Create a package for the authorization objects
- Create the Authorization Object (transaction SU21 does not exist in ABAP Cloud)
- Define the Authorization Fields
- Check in code with `AUTHORITY-CHECK OBJECT`
### Example authorization object

```text
Authorization Object: ZTRAVEL
Fields:
  - ZAGENCY (Agency ID)
  - ZREGION (Region Code)
  - ACTVT   (Activity: 01=Create, 02=Change, 03=Display, 06=Delete)
```

## Best practices
- Global for CREATE: always use Global Authorization for CREATE operations, because no instance exists yet.
- Instance for UPDATE/DELETE: when authorizations depend on instance data (e.g. agency, region).
- Dependent for compositions: child entities inherit the parent's authorization.
- Keep Feature Control in sync: buttons that are disabled should also be unauthorized.
- Use Precheck: for early validation and better error messages.
- Extract helper methods: move shared check logic into reusable methods.
- DUMMY for generic checks: `ID 'ZAGENCY' DUMMY` when the concrete value does not matter.
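The following handler is an added example, not code from the original article. It puts the ZTRAVEL object from the example above to work, including the ZREGION field that the article's own snippets never check, and applies the best practices from this list in one place: a helper class wraps the AUTHORITY-CHECK for both the instance and the DUMMY (generic) variant, every result starts as unauthorized and is only switched to allowed after a successful check, and only the checks the framework requested are run. It assumes the combined behavior definition shown earlier (create, update, delete, action cancel, static action releaseAll, `authorization master ( instance, global )`) and a `Region` field on `ZI_Travel`; the class name `lcl_travel_auth` and the `Region` field are assumptions.

```abap
" Added example, not from the original article. Assumes the combined behavior
" definition above, a Region field on ZI_Travel, and the authorization object
" ZTRAVEL with fields ZAGENCY, ZREGION and ACTVT. lcl_travel_auth is hypothetical.
CLASS lcl_travel_auth DEFINITION FINAL.
  PUBLIC SECTION.
    " Instance check: agency and region of a concrete travel are known
    CLASS-METHODS is_allowed_for
      IMPORTING agency        TYPE clike
                region        TYPE clike
                activity      TYPE clike
      RETURNING VALUE(result) TYPE abap_boolean.
    " Generic check for CREATE and static actions: no instance exists yet
    CLASS-METHODS is_allowed_generic
      IMPORTING activity      TYPE clike
      RETURNING VALUE(result) TYPE abap_boolean.
ENDCLASS.

CLASS lcl_travel_auth IMPLEMENTATION.
  METHOD is_allowed_for.
    " Every field of ZTRAVEL is named explicitly, so the intent is visible in one place
    AUTHORITY-CHECK OBJECT 'ZTRAVEL'
      ID 'ZAGENCY' FIELD agency
      ID 'ZREGION' FIELD region
      ID 'ACTVT'   FIELD activity.
    result = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD is_allowed_generic.
    " DUMMY: the concrete agency and region do not matter for this check
    AUTHORITY-CHECK OBJECT 'ZTRAVEL'
      ID 'ZAGENCY' DUMMY
      ID 'ZREGION' DUMMY
      ID 'ACTVT'   FIELD activity.
    result = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

CLASS lhc_travel DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Travel RESULT result.
    METHODS get_global_authorizations FOR GLOBAL AUTHORIZATION
      IMPORTING REQUEST requested_authorizations FOR Travel RESULT result.
ENDCLASS.

CLASS lhc_travel IMPLEMENTATION.
  METHOD get_instance_authorizations.
    READ ENTITIES OF zi_travel IN LOCAL MODE
      ENTITY Travel FIELDS ( AgencyID Region Status ) WITH CORRESPONDING #( keys )
      RESULT DATA(travels).

    LOOP AT travels ASSIGNING FIELD-SYMBOL(<travel>).
      " Fail closed: every operation starts as unauthorized and is only
      " switched to allowed after a successful check
      APPEND INITIAL LINE TO result ASSIGNING FIELD-SYMBOL(<auth>).
      <auth>-%tky           = <travel>-%tky.
      <auth>-%update        = if_abap_behv=>auth-unauthorized.
      <auth>-%delete        = if_abap_behv=>auth-unauthorized.
      <auth>-%action-cancel = if_abap_behv=>auth-unauthorized.

      " Only run the checks that were requested; Cancel reuses the change check (ACTVT 02)
      DATA(may_change) = COND abap_boolean(
        WHEN requested_authorizations-%update = if_abap_behv=>mk-on
          OR requested_authorizations-%action-cancel = if_abap_behv=>mk-on
        THEN lcl_travel_auth=>is_allowed_for( agency   = <travel>-AgencyID
                                              region   = <travel>-Region
                                              activity = '02' ) ).
      IF may_change = abap_true.
        <auth>-%update = if_abap_behv=>auth-allowed.
      ENDIF.
      " Cancel additionally requires an open travel, the same rule Feature Control applies
      IF may_change = abap_true AND <travel>-Status = 'O'.
        <auth>-%action-cancel = if_abap_behv=>auth-allowed.
      ENDIF.

      IF requested_authorizations-%delete = if_abap_behv=>mk-on
         AND lcl_travel_auth=>is_allowed_for( agency   = <travel>-AgencyID
                                              region   = <travel>-Region
                                              activity = '06' ) = abap_true.
        <auth>-%delete = if_abap_behv=>auth-allowed.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

  METHOD get_global_authorizations.
    " Same fail-closed default for the entity-level operations
    result-%create            = if_abap_behv=>auth-unauthorized.
    result-%action-releaseAll = if_abap_behv=>auth-unauthorized.
    IF requested_authorizations-%create = if_abap_behv=>mk-on
       AND lcl_travel_auth=>is_allowed_generic( '01' ) = abap_true.
      result-%create = if_abap_behv=>auth-allowed.
    ENDIF.
    IF requested_authorizations-%action-releaseAll = if_abap_behv=>mk-on
       AND lcl_travel_auth=>is_allowed_generic( '02' ) = abap_true.
      result-%action-releaseAll = if_abap_behv=>auth-allowed.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

The point of the explicit `auth-unauthorized` defaults is that an operation the handler forgets to evaluate is denied rather than left in its initial state, and the single helper guarantees that the instance check, the generic check, and any Feature Control logic that calls the same methods all evaluate the same fields of ZTRAVEL.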
## Related topics

- RAP Feature Control - Dynamic UI control
- RAP Side Effects - Automatic UI updates
- RAP Actions and Functions - Implementing business logic