SAP BDL AUTHORIZATION CONTEXT



  


• DEFINE AUTHORIZATION CONTEXT ABAP_BDL
• DEFINE OWN AUTHORIZATION CONTEXT ABAP_BDL

ABAP_RAP - Authorization Context

Syntax Forms

Full Authorization Context
1. define own authorization context by privileged mode;
   | define own authorization context by privileged mode and
     {[AuthObject1;] [AuthObject2;] [...]}
   | define own authorization context
     {[AuthObject1;] [AuthObject2;] [...]}

Authorization Context for Disable
2. define authorization context ContextName
   [for disable(modify|read|modify,read)]
   {
     AuthObject1;
     [AuthObject2;]
     [...]
   }

What does it do?
A RAP behavior definition can define authorization contexts that list multiple authorization objects that are used for the ABAP statement AUTHORITY-CHECK OBJECT. There are different types of authorization contexts:
Full authorization context
Defined using the statement define own authorization context [...].
List of authorization objects which are checked by the implementation methods of the ABAP behavior pool itself, or by existing code that is called by the ABAP behavior pool implementation. The full authorization context documents the authorization objects used in the implementation of the RAP BO in question. It must be complete and exhaustive. Otherwise, a syntax check warning occurs.
Authorization context for disable
Defined using the statement define authorization context.
Container for authorization objects that lists one or more authorization objects. When an authorization context is activated, the authorization checks for all associated authorization objects always return the value authorized. That means, the respective authorization checks are skipped.
SAP has configured authorization objects to be allowed or forbidden for use in full authorization contexts or authorization contexts for disable. This configuration must be respected. Otherwise, a syntax check warning occurs. When using strict mode version 2, a syntax check error occurs.
If the authorization context for disable is used by the syntax with privileged mode disabling ContextName, then it must be ensured that this authorization context for disable does not contradict the full authorization context. This means:
• A full authorization context must be specified that contains all authorization objects of this particular authorization context for disable. Otherwise, a syntax check warning occurs.
• All authorization objects of the full authorization context must be specified in the authorization context for disable in question except for the authorization objects which are forbidden in authorization context for disable as per their classification. Otherwise, a syntax check warning occurs.

Example
The following managed BDEF defines three authorization contexts:
• Own authorization context: Lists all authorization objects used by the RAP BO implementation. It is modelled by privileged mode and adds two further authorization objects AUTHOBJ5 and AUTHOBJ6. These two further authorization objects are not included in the own authorization context. This is OK in this case, since they are classified as not allowed in BDEF privileged mode by SAP.
• NoCheckWhenPrivileged: Lists authorization objects that can be skipped by a RAP BO consumer with privileged access.
• NoCheckWhenReadingorModifying: authorization objects that can be skipped in read or modify operations.
In this example, the authorization context NoCheckWhenPrivileged contains a subset of authorization objects of the own authorization context. The own authorization context documents all authorization objects that are used by a RAP BO implementation and NoCheckWhenPrivileged defines which ones of them can be skipped in privileged mode.
Note: This example is intentionally kept short and simple and serves demonstration purposes only. The RAP handler method FOR INSTANCE AUTHORIZATION is not implemented here. In a real-life scenario, the authorization objects from the own authorization context would be implemented in this RAP handler method.
BDEF DEMO_RAP_OWN_AUTH_CONTEXT
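
The consistency rules stated above for privileged mode, written as a small Python checker over the object sets of a BDEF, useful when reviewing which authorization checks a disable context switches off. This is an added example, not SAP code and not the source of DEMO_RAP_OWN_AUTH_CONTEXT. Assumptions: the function names, the placeholder objects AUTHOBJ1 to AUTHOBJ4, the object lists given to each context, and the reading of "by privileged mode and" as "the privileged-mode context plus the listed objects"; only the classification for disable contexts is modelled.

```python
def full_context(own_listed, by_privileged_mode, privileged_ctx):
    """Objects covered by 'define own authorization context ...'."""
    objs = set(own_listed)
    if by_privileged_mode:  # 'by privileged mode [and {...}]' (assumed semantics)
        objs |= set(privileged_ctx)
    return objs


def check_bdef(own_listed, by_privileged_mode, disable_ctxs, privileged_name,
               forbidden_in_disable, strict2=False):
    """Return (severity, message) findings for the rules stated on this page."""
    findings = []
    forbidden = set(forbidden_in_disable)
    priv = set(disable_ctxs.get(privileged_name, ()))
    full = full_context(own_listed, by_privileged_mode, priv)

    # Classification rule: forbidden objects must not sit in a disable context.
    # Warning normally, error under strict mode version 2.
    for name, objs in sorted(disable_ctxs.items()):
        for obj in sorted(set(objs) & forbidden):
            findings.append(("error" if strict2 else "warning",
                             f"{obj} is not allowed in disable context {name}"))
    # The full context must contain every object of the privileged context.
    for obj in sorted(priv - full):
        findings.append(("warning", f"{obj} missing from own authorization context"))
    # Every full-context object must be in the privileged context,
    # except objects whose classification forbids disabling them.
    for obj in sorted(full - forbidden - priv):
        findings.append(("warning", f"{obj} missing from {privileged_name}"))
    return findings


# Constructed sample modelled on the page's example; AUTHOBJ1-4 are placeholders.
FORBIDDEN = {"AUTHOBJ5", "AUTHOBJ6"}
GOOD = {"NoCheckWhenPrivileged": ["AUTHOBJ1", "AUTHOBJ2", "AUTHOBJ3", "AUTHOBJ4"],
        "NoCheckWhenReadingorModifying": ["AUTHOBJ1"]}
# Constructed inconsistent variant: a forbidden object is disabled and the
# explicit own context does not match the privileged context.
BAD = {"NoCheckWhenPrivileged": ["AUTHOBJ1", "AUTHOBJ5"]}

if __name__ == "__main__":
    print(check_bdef(["AUTHOBJ5", "AUTHOBJ6"], True, GOOD,
                     "NoCheckWhenPrivileged", FORBIDDEN, strict2=True))
    for finding in check_bdef(["AUTHOBJ2", "AUTHOBJ5"], False, BAD,
                              "NoCheckWhenPrivileged", FORBIDDEN, strict2=True):
        print(finding)
```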