Custom Business Configurations (F4579): Controlling the visibility of BC Objects using authorization

Introduction

The Custom Business Configurations (CUBCO) app serves as an entry point to the Business Configuration Maintenance Object provided by custom applications or partners.
Depending on the assigned role, the user should only be able to edit certain business configurations.

This blog is relevant for

SAP S/4HANA Cloud Public Edition
SAP S/4HANA Cloud Private Edition
SAP BTP ABAP environment

Further reading:

Related blog posts
Learn how you can use ABAP technology to develop innovative applications and business solutions across SAP’s portfolio on SAP Learning Site.

Basic Concept

An OData V4 service is assigned to each business configuration object (SMBC). The corresponding service binding is based on a RAP BO.
The list of available business configuration objects in the CUBCO app is restricted to those for which the user has the start authorization for the service binding (authorization object S_START, see access control object I_SMBC_CONFIGURATION_TP). The application-specific authorizations are not checked until an SMBC object has been selected; that is, this authorization control is implemented in the RAP BO. Normally, the authorization object S_TABU_NAM is used, but you can also use any other authorization object.

Therefore, you can create business roles in which only a subset of all business configuration objects can be used.

SAP BTP ABAP environment, SAP S/4HANA Cloud Public Edition

IAM apps are the smallest building block for creating business roles. For a business configuration object, you assign the OData service binding and the application-relevant authorization objects to an IAM app. You then create a business catalog to collect IAM apps and finally assign business catalogs to business roles.

Example:
You have four SMBC objects A, B, C, D in the system and a different OData service binding for each SMBC object. The authorization object S_TABU_NAM is used in all RAP BOs. You create four IAM apps A, B, C, D, each containing the OData service of a different SMBC object and the authorization object S_TABU_NAM. You create a business catalog BC1 that contains the IAM apps A, B, and a business catalog BC2 that contains the IAM apps B, C, D.

You assign a business role containing the business catalog BC1 to a user. This user can work with the SMBC objects A, B. The user cannot see or edit the SMBC objects C and D.
You assign a business role containing the business catalog BC2 to a user. This user can work with the SMBC objects B, C, D. The user cannot see or work with the SMBC object A.

SAP S/4HANA Private Cloud Edition

IAM apps are not available. You add the application-relevant authorization objects to the authorization default of the OData service assigned to the SMBC object. You then add the authorization default to the PFCG role.

Example:
You have four SMBC objects A, B, C, D in the system and a different OData service binding for each SMBC object. You assign a PFCG role containing the authorization default for the OData services of SMBC objects A, B to a user. This user can work with the SMBC objects A, B. The user cannot see or edit the SMBC objects C and D.

Note that roles that contain the Custom Business Configurations Fiori app do not automatically derive the required authorization for the SMBC objects. You need to add the authorization default of the OData service manually.
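The following is an added example, not SAP code and not part of the original post: a small Python model of the two-stage check described above, usable for reviewing a role design before assignment. It reproduces the A, B, C, D example and flags the two gaps the text implies: a role with the CUBCO app but no SMBC service authorization, and an object that is listed but cannot be edited. The `SRV_*` service names, the `Grant` class and all function names are assumptions, and scoping each application authorization to one SMBC object stands in for the field values of a real authorization.

```python
from dataclasses import dataclass

# Constructed data: SMBC object -> (service binding name, authorization object
# checked by its RAP BO). The SRV_* names are placeholders, not real bindings.
SMBC = {o: (f"SRV_{o}", "S_TABU_NAM") for o in "ABCD"}

@dataclass(frozen=True)
class Grant:
    """One IAM app, or one authorization default added to a PFCG role."""
    service: str                        # grants S_START for this service binding
    app_auths: frozenset = frozenset()  # (authorization object, SMBC object) pairs

def iam_app(obj, with_app_auth=True):
    """Build the grant for one SMBC object, optionally without the app authorization."""
    service, auth = SMBC[obj]
    return Grant(service, frozenset({(auth, obj)}) if with_app_auth else frozenset())

# Business catalogs from the example in the text.
BC1 = {iam_app("A"), iam_app("B")}
BC2 = {iam_app("B"), iam_app("C"), iam_app("D")}

def visible(grants):
    """Stage 1: CUBCO lists an object only if S_START exists for its service."""
    started = {g.service for g in grants}
    return sorted(o for o, (srv, _) in SMBC.items() if srv in started)

def editable(grants, obj):
    """Stage 2: after selection, the RAP BO checks its own authorization object."""
    pooled = set().union(*(g.app_auths for g in grants))
    return obj in visible(grants) and (SMBC[obj][1], obj) in pooled

def review(grants, has_cubco_app=True):
    """Return findings for a role: empty list means both stages line up."""
    listed = visible(grants)
    findings = []
    if has_cubco_app and not listed:
        findings.append("CUBCO app without any SMBC service authorization")
    findings += [f"{o}: listed but not editable" for o in listed
                 if not editable(grants, o)]
    return findings

if __name__ == "__main__":
    for name, grants in {"BC1": BC1, "BC2": BC2, "CUBCO only": set()}.items():
        print(name, visible(grants), review(grants))
```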

 
