App Specific Authorization

App specific authorisation can be invoked by the selection of the Authorization Checkbox on the Properties screen in the FAB Workbench.

This selection mandates checks to a FAB delivered authorisation object.

• Authorization Object: /IQX/FAB (SU21)
  Allowed activities:
  

  01 – Create New Instance

  02 – Change Instance

  03 – Display Instance

  04 – Delete Instance

  11 – Workbench create

  12 – Workbench edit

  13 – Workbench display

  Auth Group
  

  Multiple values, free text entry, support wildcard entry patterns eg FI*

  
  

• Locations where the authorization checks are implemented :
  • FM - /IQX/FAB_GET_DATASET - FAB Get Data (initial values)
    AUTHORITY-CHECK OBJECT '/IQX/FAB'
                 ID 'BEGRU' FIELD iv_authority_grp
                 ID '/IQX/ACTIV' FIELD '01'.   “Create
  • FM - /IQX/FAB_GET_ELEMENTS - (/IQX/LFAB_SERVICESU09 FAB Get Elements (definition XML))
    Authorisation to view any App/     
    AUTHORITY-CHECK OBJECT '/IQX/FAB'
                 ID 'BEGRU' FIELD iv_authority_grp
                 ID '/IQX/ACTIV' FIELD '03'.   "Display
  • FM - /IQX/FAB_POST_FORM_DATA - (/IQX/LFAB_SERVICESU01 FAB_Changeset End (Post Form Data))
    Authorisation to change/create App/Form data.
    AUTHORITY-CHECK OBJECT '/IQX/FAB'
                       ID 'BEGRU' FIELD ls_header-auth_group
                       ID '/IQX/ACTIV' FIELD '02'.   "Change
  • FM - /IQX/FAB_GET_INSTANCE_DATA - (/IQX/LFAB_SERVICESU13  FAB Get Instance Data (saved form data))
    Authorisation to view App/Form data.
    AUTHORITY-CHECK OBJECT '/IQX/FAB'
                 ID 'BEGRU' FIELD ls_header-auth_group
                 ID '/IQX/ACTIV' FIELD '03'.    "Display
  • FM - /IQX/FAB_GET_RELATED_DATA - (/IQX/LFAB_SERVICESU14 FAB Get Related Data (saved one-to-many form data))
    Authorisation to view App/Form related data.
    AUTHORITY-CHECK OBJECT '/IQX/FAB'
                 ID 'BEGRU' FIELD ls_header-auth_group
                 ID '/IQX/ACTIV' FIELD '03'.    "Display
    
    
• Authorization Check Points
  • Workbench
    
    1. First time entry to workbench – Only check access to Tcode /IQX/FAB
    2. Workbench when re-entering transaction – check “13 – Workbench display” for auth group of last form. If no access to last form then treat as first time access to workbench.
    3. Workbench when selecting Create New – check “11 – Workbench create” - No check on Auth group.
    4. Workbench when click change to edit form - check “12 – Workbench edit” for auth group of form.
       
       
  • Application Access
    

    User when initiating a form instance - i.e. saving first time.  Check auth object for “01 – Create New Instance” and auth group access.

    Similar for change and Display and delete
    
    

  • Data Analysis Reports
    

    User when executing any of the data analysis reports will not see data unless they have the “03 – Display Instance”.

Step-by-step guide

Decide if you require form level access control

1. Activate the Authorisation in the Properties section of the App in the workbench.
2. Maintain the authorisation object /IQX/FAB with the required App access
3. Assign the Authorisation object to a Role and then assign to the user as required

Related articles

• Page:
  Uninstallation
• Page:
  BDC Create Settings
• Page:
  2.9.5 Content Density
• Page:
  Dates with Excel Drop
• Page:
  2.2.9.2 FabAction