ijlal07
Explorer

Background Context


Business objects developed by SAP in Business ByDesign can have controlled access based on the associated Access Control List (ACL) node data. ACL is a dependent object (DO) that can be related to the business object to provide controlled access.

Scenario


We have a Custom Business Object, and it has a field of Plant in it. The client's requirement is to restrict users' access based on Plant.

  • Considering our scenario now, since we don’t want a user to see the records of a Plant he is not a part of, it's pretty clear that the restriction is on Plant.

  • The next step is selecting the appropriate Access Context. In the case of Plant, the DataType is OrganisationalCenterID/LocationID, so we will use the Access Context 1008-Site.

  • We have to search in RepositoryExplorer which BO supports this access context. In my example, I searched and found that LogisticsTaskFolder meets my needs.



Supported Access Contexts



1. SDK Solution Changes


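Here is an example of a Custom Business Object with AccessControl to LogisticsTaskFolder:

    import AP.Common.GDT as apCommonGDT;
    import AP.LogisticsExecution.Global;

    // The deployment unit is changed so that the association to LogisticsTaskFolder can be declared
    [DeploymentUnit(ProductionAndSiteLogisticsExecution)] businessobject PlantAccessControl {
      // Plant on which access is restricted
      element       Plant       : OrganisationalCenterID;
      // Set by the BeforeSave script; used only for testing
      element       Consistent  : ConsistencyStatusCode;
      // Inherits the Access Context of the standard BO
      [RelevantForAccessControl] association For_Access_Control to LogisticsTaskFolder;
    }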


Key Points:





  • It is important to remember that we will have to change the DeploymentUnit of the BO to implement the For_Access_Control association.




  • [RelevantForAccessControl] is the annotation used to link an association to a standard object so that your custom Business Object inherits its Access Context.




We need to create a BO Query for our custom object, because the ACL (Access Control List) data is carried only by the Fast Search Index (FSI) BO query.



BO Query


Next, we will write code to fill our association. Create a BeforeSave script for your custom BO and retrieve the instance of the access-control BO in it. This code is just a reference:

    import ABSL;
    import AP.LogisticsExecution.Global;

    // Fill the access-control association once, using the Plant element of the BO defined above
    if (!this.For_Access_Control.IsSet())
    {
        var LogisticsTaskInst = LogisticsTaskFolder.Retrieve(this.Plant);
        this.For_Access_Control = LogisticsTaskInst;
    }

    //This part is only for testing
    if (this.For_Access_Control.IsSet()) {
        this.Consistent = "3"; // Consistent
    }
    else {
        this.Consistent = "2"; // Inconsistent
    }

2. UI Designer Changes


Now open the OWL screen of the custom BO. In the case of a SADL Query, you just need to select one selection checkbox of the For_Access_Control ID.

In the case of a standard Query, you need to perform some extra steps.

  • The Query section under the Controller tab should look like this



Query in Controller




  • Binding under the DataModel tab should look like this



DataModel Binding



2.1 OWL/QA/OIF Changes


Open these screens one by one, select the Floorplan, and change the Properties under RBAMData as shown below:


Access Controlled Objects




  • Change the Access Check Mode to “PrivilegedExceptAccessControlBusinessObjects”

  • Set Authorization Classification Code to “Application”

  • Select Access Controlled Business Object and make sure you see your object having Unrestricted Access unchecked.

  • Save and Activate


2.2 WCView Changes


Open the custom WC view and change the AccessContextCode under RBAMData to the one we need, which in this case is “1008 – Site”, as shown below:


Access Context Code



3. Assign Access Rights (SAP UI)



  • Activate the WorkCenter for the Business User and then go to the Access Restrictions tab.

  • Find the Work Center you created and, in front of the Access Context, change its Read and Write Access from Unrestricted to Restricted as shown below:



Access Restrictions




  • Finally, assign the Site Access you want the user to have by selecting the Read and Write Access below, like this. A user can have access to more than one Plant in this case:



Read and Write Access


You can test the work centers after this yourself and you’re done.

 

Here are also some further resources that may help you:

SAP Business ByDesign environment Topic page (https://community.sap.com/topics/business-bydesign), post and answer questions (https://answers.sap.com/tags/01200615320800000691), and read other posts on the topic (https://blogs.sap.com/tags/01200615320800000691/)

 

In case of any queries or further detailed guidelines feel free to ask, and if you want to see similar content in the future make sure you follow me.

It would also mean a lot to me if you could share your thoughts regarding the blog in the comments or by messaging me. I will happily consider your suggestions and take steps to make the blog even better in the future, thanks!
4 Comments
0 Kudos
Very informative and useful information ijlal07
asifalisap
Explorer
Good Work
faisal_aslam124
Explorer
Excellent Work

 
pat123456789
Discoverer
0 Kudos
Hi ijlal07,

Thank you for the instruction. It works well for my custom BO.

I also have to restrict the access to a Mass Data Run OWL for this custom BO.

Do you know how to proceed here, as I cannot define [RelevantForAccessControl] as there is no BO-definition for the mass data run?

Would be great to get a solution!

Best regards,

Patrick

 