/
App Specific Authorization

App Specific Authorization

App specific authorisation can be invoked by the selection of the Authorization Checkbox on the Properties screen in the FAB Workbench.

This selection mandates checks to a FAB delivered authorisation object.

  • Authorization Object: /IQX/FAB (SU21)
    Allowed activities:

    01 – Create New Instance

    02 – Change Instance

    03 – Display Instance

    04 – Delete Instance

    11 – Workbench create

    12 – Workbench edit

    13 – Workbench display

    Auth Group

    Multiple values, free text entry, support wildcard entry patterns eg FI*


  • Locations where the authorization checks are implemented :
    • FM - /IQX/FAB_GET_DATASET - FAB Get Data (initial values)
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD iv_authority_grp
                   ID '/IQX/ACTIV' FIELD '01'.   “Create
    • FM - /IQX/FAB_GET_ELEMENTS - (/IQX/LFAB_SERVICESU09 FAB Get Elements (definition XML))
      Authorisation to view any App/     
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD iv_authority_grp
                   ID '/IQX/ACTIV' FIELD '03'.   "Display
    • FM - /IQX/FAB_POST_FORM_DATA - (/IQX/LFAB_SERVICESU01 FAB_Changeset End (Post Form Data))
      Authorisation to change/create App/Form data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                         ID 'BEGRU' FIELD ls_header-auth_group
                         ID '/IQX/ACTIV' FIELD '02'.   "Change
    • FM - /IQX/FAB_GET_INSTANCE_DATA - (/IQX/LFAB_SERVICESU13  FAB Get Instance Data (saved form data))
      Authorisation to view App/Form data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD ls_header-auth_group
                   ID '/IQX/ACTIV' FIELD '03'.    "Display
    • FM - /IQX/FAB_GET_RELATED_DATA - (/IQX/LFAB_SERVICESU14 FAB Get Related Data (saved one-to-many form data))
      Authorisation to view App/Form related data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD ls_header-auth_group
                   ID '/IQX/ACTIV' FIELD '03'.    "Display

  • Authorization Check Points
    • Workbench
      1. First time entry to workbench – Only check access to Tcode /IQX/FAB
      2. Workbench when re-entering transaction – check “13 – Workbench display” for auth group of last form. If no access to last form then treat as first time access to workbench.
      3. Workbench when selecting Create New – check “11 – Workbench create” - No check on Auth group.
      4. Workbench when click change to edit form - check “12 – Workbench edit” for auth group of form.

    • Application Access

      User when initiating a form instance - i.e. saving first time.  Check auth object for “01 – Create New Instance” and auth group access.

      Similar for change and Display and delete

    • Data Analysis Reports

      User when executing any of the data analysis reports will not see data unless they have the “03 – Display Instance”.

Step-by-step guide

Decide if you require form level access control

  1. Activate the Authorisation in the Properties section of the App in the workbench.
  2. Maintain the authorisation object /IQX/FAB with the required App access
  3. Assign the Authorisation object to a Role and then assign to the user as required




Related content

Fiori App Builder (FAB) and OneList - Roles and Authorization objects
Fiori App Builder (FAB) and OneList - Roles and Authorization objects
More like this
App Specific Authorization
App Specific Authorization
More like this
App Specific Authorization
App Specific Authorization
More like this
4.2 App Specific Authorization
4.2 App Specific Authorization
More like this
FAB and OneList - Roles and Authorization objects
FAB and OneList - Roles and Authorization objects
More like this
4.1 FAB Security Roles
4.1 FAB Security Roles
More like this