on 03-05-2020 8:58 AM
Hi,
I'm struggling to find a way to access roles and attributes of the user.
My users work in projects. So I thought it would be a nice way to define a ProjectUser role with an attribute that holds the static project code. If I can access both the role and the attribute of the user I could programmatically provide the user with the data of his project.
But I encounter one dead end after the other.
First I cannot enter a static attribute in the Cockpit. Roles with attribute references are not displayed. This is contradictory to the documentation at https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/4827f0bbe27d459fad8342896d4...
Second I cannot access the roles assigned to a user at runtime. With sap.ushell.Container.getService("UserInfo") I can read the ID, email, etc. if the app is launched from FLP. But the roles are not accessible.
I found an interesting blog from last year's TechEd describing how to use the node.js package @sap/approuter at https://blogs.sap.com/2019/05/23/how-to-get-the-email-of-the-logged-in-user-in-cloud-foundry/. But this is for XS advanced and also seems to retrieve the email only.
In an answer from Gregor Wolf to this question, https://answers.sap.com/questions/653476/fiori--ui5-authorization-using-backend-role.html, he gave a hint to encapsulate the authorisation check in an OData entity. How should this be done? Should I create an entity for each role and restrict the read access to this role so that when I try reading the entity it would return an authorisation error? So by trial and error I would find out the assigned roles?
This still would leave me with the problem of accessing the attributes. I could resolve this by assigning users to projects. But that would mean double work for the admin.
Isn't there a more elegant way as described by passing country or cost center as an attribute to restrict data access (by using another identity provider)?
Hi Vicente,
yes.
I create an entry in a log entity each time a user opens an app.
In the callback function you then receive his ID/email address.
But there are options on the backend side. You have access to roles, attributes, etc. if you are using CAP.
Check out cap.cloud.sap.
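
Added example, not part of the thread and not SAP or CAP code: a plain JavaScript sketch of enforcing the project restriction on the backend from token claims instead of reading roles in the UI. It assumes the XSUAA JWT was already signature-validated upstream and carries `scope` and `xs.user.attributes`; the application name `projapp`, the scope `ProjectUser`, the attribute `project` and all sample data are hypothetical.

```javascript
// Server-side project filtering from already-verified token claims.
// Assumption: `claims` is the payload of an XSUAA JWT whose signature,
// issuer and audience were validated before this code runs.
const XSAPPNAME = "projapp"; // hypothetical xsappname
const REQUIRED_SCOPE = `${XSAPPNAME}.ProjectUser`; // hypothetical scope

// Returns the project codes the caller may read; an empty list means no access.
function allowedProjects(claims) {
  const scopes = Array.isArray(claims && claims.scope) ? claims.scope : [];
  if (!scopes.includes(REQUIRED_SCOPE)) return []; // role missing: fail closed
  const attrs = claims["xs.user.attributes"] || {};
  const projects = attrs.project; // hypothetical attribute name
  if (!Array.isArray(projects)) return []; // attribute missing: fail closed
  // Keep only well-formed codes so a malformed attribute cannot widen access.
  return projects.filter(
    (p) => typeof p === "string" && /^[A-Z0-9_-]{1,20}$/.test(p)
  );
}

// Applies the restriction on the server; rows of other projects never leave it.
function readProjectData(claims, rows) {
  const allowed = new Set(allowedProjects(claims));
  return rows.filter((r) => allowed.has(r.project));
}

// Constructed sample rows and claims (not taken from a real tenant).
const ROWS = [
  { id: 1, project: "P001", text: "budget" },
  { id: 2, project: "P002", text: "timeline" },
];
const projectUser = {
  scope: ["openid", "projapp.ProjectUser"],
  "xs.user.attributes": { project: ["P001"] },
};
const noRole = {
  scope: ["openid"],
  "xs.user.attributes": { project: ["P001", "P002"] },
};
const noAttr = { scope: ["projapp.ProjectUser"], "xs.user.attributes": {} };

console.log(readProjectData(projectUser, ROWS)); // only the P001 row
console.log(readProjectData(noRole, ROWS)); // attribute alone grants nothing
console.log(readProjectData(noAttr, ROWS)); // role without attribute grants nothing
```

Because the filter runs where the data is served, a client that hides or fakes its role in the UI gains nothing.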