Declaration on Entity Level ... authorization ${( global ) $|( instance ) $|( global,instance )$} ...
Declaration That Can Be Used in the Entity Behavior Body for an Action ... authorization:none authorization:update ...
What does it do? In a projection BDEF, the authorization control from the underlying base BDEF is inherited. This controls CRUD operations and actions that are reused in the projection using the use action syntax. Projections can also define their own actions as described in topic RAP BDL - actions and functions, projection BDEF. For these actions, it is possible to configure authorization control in the projection layer. For global authorization, this is done in the RAP handler method FOR GLOBAL AUTHORIZATION in the local ABAP behavior pool. For instance authorization, this is done in the RAP handler method FOR INSTANCE AUTHORIZATION in the local ABAP behavior pool. Authorization control in projection BDEFs is similar to authorizations in base BDEFs (see topic TITLE ). Here are the main differences:
To define authorization control in a projection BDEF, the projection BDEF must enable BDEF strict mode using the syntax strict$[(version)$].
There is no master/dependent relation. Each projection definition must declare for itself whether it has instance authorization, global authorization, or both. authorization:none excludes the operation in question from authorization checks. See topic TITLE for further details. If authorization:update is used, the operation in question has the same authorization control that is defined in the base BDEF for the update operation. As a prerequisite, it is required that the projection BDEF defines authorization control in its entity behavior characteristics. This configuration in the projection BDEF, however, ( instance or global) has no impact, the settings from the base BO (instance, global, or both) are fully reused. See the second example listed in this topic.
ABAP_FURTHER_INFO
Development guide for the ABAP RESTful Application Programming Model, topic Authorization Definition.
Latest notes: In UI scenarios, authorization control is displayed as RAP consumer hint. NON_V5_HINTS ABAP_HINT_END
ABAP_EXAMPLE_VX5 - Global Authorization Control in Projection BDEF The following example shows a projection BDEF that defines a new action with authorization control in the projection layer. It is based on the underlying base BO DEMO_RAP_UNMANAGED_AUTH. It defines the new action deductDiscount in the projection layer. For this action, global authorization control is specified. BDEF DEMO_RAP_PROJ_NEW_ACTION The ABAP behavior pool implements the global authorization control and the new action. Global authorization control: In this simple example, the condition for global authorization control is always true. METH BP_DEMO_RAP_PROJ_NEW_ACTION(CCIMP)=>GET_GLOBAL_AUTH Action deductDiscount: The user can specify a discount percentage. This discount percentage is subtracted from the initial value of field dec_field. METH BP_DEMO_RAP_PROJ_NEW_ACTION(CCIMP)=>DEDUCTDISCOUNT The ABAP class CL_DEMO_RAP_PROJ_NEW_ACTION uses EML to access to RAP business object. It first creates two new entity instances and then executes the action deductDiscount for both of them. Before executing the action, the RAP frameworks calls the method for global authorization control and checks whether the RAP BO consumer is allowed to execute the action. ABAP_EXAMPLE_END
ABAP_EXAMPLE_VX5 - authorization:update The following example shows a projection BDEF that defines a new action with the syntax addition authorization:update. It is based on the underlying base BO DEMO_RAP_EARLY_NUMBERING. BDEF DEMO_RAP_PROJ_AUTH The ABAP behavior pool implements the action UpdateDataField. This action sets the value of the field DataField to A. METH BP_DEMO_RAP_PROJ_AUTH(CCIMP)=>UPDATEDATAFIELD The ABAP class CL_DEMO_RAP_PROJ_AUTH uses EML to access to RAP business object. It first creates two new entity instances and then executes the action UpdateDataField for one of them. As a result, the field DataField of the respective entity instance is set to A. Before executing the action, the RAP frameworks calls the base BDEF's method for global authorization control and checks whether the RAP BO consumer is allowed to execute the action. In his example, update authorization is granted. ABAP_EXAMPLE_END
