In S4, there is a Tcode to trace authorization check - stauthtrace (1) 0 Authorization successful or no check was carried out. An authorization for the authorization object was found in the user master record. Its value sets include the specified values. (2) 4 Authorization check not successful. One or more authorizations were found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect authorization fields or too many fields were specified. (3) 12 No authorization was found for the authorization object in the user master record. Learning(1) Fast Authorization check (2) Existing Authorization check is made by executing the Function module CRM_ORDER_ CHECK_AUTHORITY_GEN for each GUID. (3) a user can be assigned to several organization units in the organizational model). (4) Fast access: New RF class which selects GUIDs with a fast single access (can be used only by the most common queries) (5) Classic RF: the GUIDs selection is made with multiple accesses (can be used by all queries) (6) Each line of the question object corresponding to a field checked by the author-ization process is converted into a range table. (7) The application Question is modified with the authorized values in classes CL_CRM_ REPORT_ACCRULE_ONEORDER and CL_CRM_REPORT_ACCRULE_ONEORD_I method MAKE_INSTANCE_VALID. The union of the GUID selected is processed in class CL_CRM_REPORT_QUESTION -> REFRESH: (1) Creation of a new query where there is operator Union in the question. 2017-06-13CDS view only supports read access so the corresponding DCL concept only applies for Advanced search, since CDS view is only used in advanced search currently. None of them belong to Carsten's list? 2017-06-14 Authorization check in One order reporting frameworkThere are several ACE check: CRM_ACE_RIG_RTCRM_ACE_WP_RTCRM_ACE_OTYPESCRM_ACE_CUSTOMCRM_ACE_ACTS2017-06-15How CDS DCL works We have three approaches to control authorization for search. Solution1 - fetch from DB, then perform authorization check in ABAP ( bad !)result: Solution 2 - this is exactly current report framework "fast authorization" conceptSolution 3 - Using CDS DCLThe code is very clean now: From the CDS standard training, it is IMPOSSIBLE from ABAP layer to know, whether there is indeed only 1 entry with type SRVO, or there might be more entries, but filtered out by missing authorization. However there are some trouble here!? However this is not true :( And then check the corresponding field in PFCG role from 03 to *: result is still the same: Best practice??Just follow S4 DCL design. Check their package VDM_SD_ANALYTICS. 2017-06-17Refer to S4: Before I create DCL object: After I create DCL object: Jerry question: there are also lots of other Authorization object evaluated in the current search: 要获取更多Jerry的原创文章,请关注公众号"汪子熙": |
|