In S4, there is a Tcode to trace authorization check - stauthtrace
(1) 0 Authorization successful or no check was carried out. An authorization for the authorization object was found in the user master record. Its value sets include the specified values.
(2) 4 Authorization check not successful. One or more authorizations were found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect authorization fields or too many fields were specified.
(3) 12 No authorization was found for the authorization object in the user master record.
AGR_USERS: This table stores for a given user, what PFCG roles are assigned to it.
Z_FULL_AUTHORIZATION created by Wade in X3C/504, but AO is not created by him.
Learning
(1) Fast Authorization check
(2) Existing Authorization check is made by executing the Function module CRM_ORDER_ CHECK_AUTHORITY_GEN for each GUID.
(3) a user can be assigned to several organization units in the organizational model).
(4) Fast access: New RF class which selects GUIDs with a fast single access (can be used only by the most common queries)
(5) Classic RF: the GUIDs selection is made with multiple accesses (can be used by all queries)
(6) Each line of the question object corresponding to a field checked by the author-ization process is converted into a range table.
(7) The application Question is modified with the authorized values in classes CL_CRM_ REPORT_ACCRULE_ONEORDER and CL_CRM_REPORT_ACCRULE_ONEORD_I method MAKE_INSTANCE_VALID.
The union of the GUID selected is processed in class CL_CRM_REPORT_QUESTION -> REFRESH:
(1) Creation of a new query where there is operator Union in the question.
(2) For each query,call method gr_accessrule->SELECT to select the GUID
(3) Append the GUID selected to the total list without duplication.
2017-06-13
CDS view only supports read access so the corresponding DCL concept only applies for Advanced search, since CDS view is only used in advanced search currently.
What authorization objects are currently used in advanced search?
An Authorization trace is performed on AG3/001 using tcode: stauthtrace
Start: enter business role SERVICEPRO, End: click Search button and see result in WebUI
None of them belong to Carsten’s list?
2017-06-14 Authorization check in One order reporting framework
There are several ACE check:
CRM_ACE_RIG_RT
CRM_ACE_WP_RT
CRM_ACE_OTYPES
CRM_ACE_CUSTOM
CRM_ACE_ACTS
2017-06-15
How CDS DCL works
See one example:
We have three approaches to control authorization for search.
test table in X3C/504:
Solution1 - fetch from DB, then perform authorization check in ABAP ( bad !)
result:
Solution 2 - this is exactly current report framework “fast authorization” concept
Solution 3 - Using CDS DCL
The code is very clean now:
SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.
And also works as expected:
From the CDS standard training, it is IMPOSSIBLE from ABAP layer to know, whether there is indeed only 1 entry with type SRVO, or there might be more entries, but filtered out by missing authorization.
When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical “and”.
This is ST05 trace:
However there are some trouble here!?
However this is not true 😦
And then check the corresponding field in PFCG role from 03 to *:
result is still the same:
Best practice??
Just follow S4 DCL design. Check their package VDM_SD_ANALYTICS.
Two fields in one authorization object is like intersection.
Switch off: @AccessControl.authorizationCheck: #NOT_ALLOWED
If a CDS entity is specified in several access rules of a CDS role or in multiple CDS roles, the resulting access conditions are joined using a logical “or”.
2017-06-17
Refer to S4:
Before I create DCL object:
After I create DCL object:
Jerry question: there are also lots of other Authorization object evaluated in the current search: