/
4.2 App Specific Authorization

4.2 App Specific Authorization

Jun 12, 2018

App specific authorisation can be invoked by the selection of the Authorization Checkbox on the Properties screen in the FAB Workbench.

This selection mandates checks to a FAB delivered authorisation object.

  • Authorization Object: /IQX/FAB (SU21)
    Allowed activities:

    01 – Create New Instance

    02 – Change Instance

    03 – Display Instance

    04 – Delete Instance

    11 – Workbench create

    12 – Workbench edit

    13 – Workbench display

    Auth Group

    Multiple values, free text entry, support wildcard entry patterns eg FI*



  • Locations where the authorization checks are implemented :

    • FM - /IQX/FAB_GET_DATASET - FAB Get Data (initial values)
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD iv_authority_grp
                   ID '/IQX/ACTIV' FIELD '01'.   “Create

    • FM - /IQX/FAB_GET_ELEMENTS - (/IQX/LFAB_SERVICESU09 FAB Get Elements (definition XML))
      Authorisation to view any App/     
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD iv_authority_grp
                   ID '/IQX/ACTIV' FIELD '03'.   "Display

    • FM - /IQX/FAB_POST_FORM_DATA - (/IQX/LFAB_SERVICESU01 FAB_Changeset End (Post Form Data))
      Authorisation to change/create App/Form data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                         ID 'BEGRU' FIELD ls_header-auth_group
                         ID '/IQX/ACTIV' FIELD '02'.   "Change

    • FM - /IQX/FAB_GET_INSTANCE_DATA - (/IQX/LFAB_SERVICESU13  FAB Get Instance Data (saved form data))
      Authorisation to view App/Form data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD ls_header-auth_group
                   ID '/IQX/ACTIV' FIELD '03'.    "Display

    • FM - /IQX/FAB_GET_RELATED_DATA - (/IQX/LFAB_SERVICESU14 FAB Get Related Data (saved one-to-many form data))
      Authorisation to view App/Form related data.
      AUTHORITY-CHECK OBJECT '/IQX/FAB'
                   ID 'BEGRU' FIELD ls_header-auth_group
                   ID '/IQX/ACTIV' FIELD '03'.    "Display


  • Authorization Check Points

    • Workbench

      1. First time entry to workbench – Only check access to Tcode /IQX/FAB

      2. Workbench when re-entering transaction – check “13 – Workbench display” for auth group of last form. If no access to last form then treat as first time access to workbench.

      3. Workbench when selecting Create New – check “11 – Workbench create” - No check on Auth group.

      4. Workbench when click change to edit form - check “12 – Workbench edit” for auth group of form.


    • Application Access

      User when initiating a form instance - i.e. saving first time.  Check auth object for “01 – Create New Instance” and auth group access.

      Similar for change and Display and delete


    • Data Analysis Reports

      User when executing any of the data analysis reports will not see data unless they have the “03 – Display Instance”.

Step-by-step guide

Decide if you require form level access control

  1. Activate the Authorisation in the Properties section of the App in the workbench.

  2. Maintain the authorisation object /IQX/FAB with the required App access

  3. Assign the Authorisation object to a Role and then assign to the user as required



Related articles