App Specific Authorization

Owned by Charles Evans
Jul 03, 2020
2 min read

App specific authorisation can be invoked by the selection of the Authorization Checkbox on the Properties screen in the FAB Workbench.

This selection mandates checks to a FAB delivered authorisation object.

  • Authorization Object: /IQX/FAB (SU21)
    Allowed activities:

    01 – Create New Instance

    02 – Change Instance

    03 – Display Instance

    04 – Delete Instance

    11 – Workbench create

    12 – Workbench edit

    13 – Workbench display

    Auth Group

    Multiple values, free text entry, support wildcard entry patterns eg FI*


  • Locations where the authorization checks are implemented :
    • FM - /IQX/FAB_GET_DATASET - FAB Get Data (initial values)
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD iv_authority_grp
                   ID '/IQX/ACTIV' FIELD '01'.   “Create
    • FM - /IQX/FAB_GET_ELEMENTS - (/IQX/LFAB_SERVICESU09 FAB Get Elements (definition XML))
      Authorisation to view any App/     
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD iv_authority_grp
                   ID '/IQX/ACTIV' FIELD '03'.   "Display
    • FM - /IQX/FAB_POST_FORM_DATA - (/IQX/LFAB_SERVICESU01 FAB_Changeset End (Post Form Data))
      Authorisation to change/create App/Form data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                         ID 'BEGRU' FIELD ls_header-auth_group
                         ID '/IQX/ACTIV' FIELD '02'.   "Change
    • FM - /IQX/FAB_GET_INSTANCE_DATA - (/IQX/LFAB_SERVICESU13  FAB Get Instance Data (saved form data))
      Authorisation to view App/Form data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD ls_header-auth_group
                   ID '/IQX/ACTIV' FIELD '03'.    "Display
    • FM - /IQX/FAB_GET_RELATED_DATA - (/IQX/LFAB_SERVICESU14 FAB Get Related Data (saved one-to-many form data))
      Authorisation to view App/Form related data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD ls_header-auth_group
                   ID '/IQX/ACTIV' FIELD '03'.    "Display

  • Authorization Check Points
    • Workbench
      1. First time entry to workbench – Only check access to Tcode /IQX/FAB
      2. Workbench when re-entering transaction – check “13 – Workbench display” for auth group of last form. If no access to last form then treat as first time access to workbench.
      3. Workbench when selecting Create New – check “11 – Workbench create” - No check on Auth group.
      4. Workbench when click change to edit form - check “12 – Workbench edit” for auth group of form.

    • Application Access

      User when initiating a form instance - i.e. saving first time.  Check auth object for “01 – Create New Instance” and auth group access.

      Similar for change and Display and delete

    • Data Analysis Reports

      User when executing any of the data analysis reports will not see data unless they have the “03 – Display Instance”.

Step-by-step guide

Decide if you require form level access control

  1. Activate the Authorisation in the Properties section of the App in the workbench.
  2. Maintain the authorisation object /IQX/FAB with the required App access
  3. Assign the Authorisation object to a Role and then assign to the user as required