Determining Nested Authorization

Objective

After completing this lesson, you will be able to effectively apply nested authorization.

Nested Authorization

Scenario 1: Nested Authorization and User Privileges in SAP BTP Application

In this example, we explore how having different role collections assigned to two users affects their ability to access and manage various aspects of an SAP BTP application. It demonstrates the concept of nested authorization and its impact on user privileges.

The image illustrates a hierarchical structure of role collections and their assignment to two users, User 1 and User 2, in an SAP application. The role collections cover Process read, Activity read, Team 1 write, Team 1 read, Team 2 write, and Team 2 read, demonstrating the concept of nested authorization and its impact on user access privileges.

Context

Users:

  • User 1
  • User 2

Role Collections:

Role Collection One:

Permissions: Process read access

Role Collection Two:

Permissions: Activity read access

Role Collection Three:

Permissions: Team 1 writer and read access

Role Collection Four:

Permissions: Team 2 writer and read access

Role Assignment

User 1:

Assigned Role Collections:

  • Role Collection One (Process read)
  • Role Collection Two (Activity read)
  • Role Collection Three (Team 1 writer and read)

User 2:

Assigned Role Collections:

  • Role Collection One (Process read)
  • Role Collection Four (Team 2 writer and read)

User Access Analysis

User 1:

Access to Process Data:

Role Collection One:

Process Read: User 1 can view all process-related tiles and data but cannot modify them.

Access to Activity Data:

Role Collection Two:

Activity Read: User 1 can view all activity-related tiles and data but cannot modify them.

Access to Team 1 Data:

Role Collection Three:

Team 1 Writer/Reader: User 1 has full read and write access to Team 1's data and can view and edit all related information.

Expected User 1 Abilities:

View Process Data: User 1 can see all process tiles and data.

View Activity Data: User 1 can see all activity tiles and data.

Edit Team 1 Data: User 1 can edit Team 1's data.

User 2:

Access to Process Data:

Role Collection One:

Process Read: User 2 can view all process-related tiles and data but cannot modify them.

Access to Team 2 Data:

Role Collection Four:

Team 2 Writer/Reader: User 2 has full read and write access to Team 2's data and can view and edit all related information.

Expected User 2 Abilities:

View Process Data: User 2 can see all process tiles and data.

Edit Team 2 Data: User 2 can edit Team 2's data.

Neither user can see or edit the other team's data: Team 1 access comes only from Role Collection Three, which User 2 does not hold, and Team 2 access only from Role Collection Four, which User 1 does not hold.

Scenario 2: Analyzing Role Collections and User Access Levels in SAP BTP

In this scenario, we will analyze the access capabilities of User 1 and User 2 with specific role collections assigned. This will illustrate how role collections affect what users can see and do within SAP BTP.

The image shows the assignment of role collections to two users, User 1 and User 2, in an SAP application. User 1 is assigned Collection 2, which grants the Activity and Activity_Read functions. User 2 is assigned Collection 1, which grants the Process and Process_Read functions, and Collection 2, which grants the Activity and Activity_Read functions.

Context

Users:

  • User 1
  • User 2

Role Collections Defined

Collection 1 (Process Related):

Permissions: Process read access

Collection 2 (Activity Related):

Permissions: Activity read access

Scenario Setup

  • User 1: Assigned Collection 2 only (Activity read). With no team-based collection in place, this gives visibility into all activities.
  • User 2: Assigned Collection 1 and Collection 2 (Process read and Activity read).

Objective

  • User 1: Understand what Activity read grants on its own, before any team-based collection is introduced: visibility into every activity, but no write access.
  • User 2: Determine the visibility and access capabilities with Collection 1 and Collection 2: processes and activities can be viewed, neither can be edited.

Scenario 3: Impact of Team-based Role Collections on User Privileges in SAP BTP

This scenario illustrates the impact of adding a team-based role collection on user access and privileges in SAP BTP. Here, we add Collection 4 (Team 2 write and read access) to User 2 and observe the resulting changes in permissions for both User 1 and User 2.

The image demonstrates the impact of adding the Team 2 write and read access role collection to User 2 in an SAP application. Compared to the previous scenario, User 2 now has additional permissions for Team 2 activities, while User 1's assignment remains unchanged.

Role Collections Defined

Role Collection One (Process Related):

Permissions: Process read access

Role Collection Two (Activity Related):

Permissions: Activity read access

Role Collection Three (Team 1 Access):

Permissions: Team 1 writer and read access

Role Collection Four (Team 2 Access):

Permissions: Team 2 writer and read access

Role Assignment

User 1:

Assigned Role Collection:

  • Collection 2 (Activity read)

User 2:

Assigned Role Collections:

  • Collection 1 (Process read)
  • Collection 2 (Activity read)
  • Collection 4 (Team 2 writer and read)

Updated User Access Analysis

Impact of Adding Collection 4 to User 2:

User 2's New Permissions:

Collection 4 Added: User 2 now has additional write and read access specific to Team 2.

Result: User 2 can create and view activities associated with Team 2.

Effect on User 1:

Restricted Access: User 1's assigned role collections are unchanged (Collection 2, Activity read only, so User 1 never had create access), yet User 1 no longer sees any activities. Once team-based role collections are in use, the setup limits activity visibility and creation to team members, and User 1 is not a member of any team. The grant itself did not shrink; the team layer added on top of it now decides which activities an Activity read holder actually sees.
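The following is an added example, not code from this page or from SAP. It models Scenarios 2 and 3 above (and the Scenario 4 assignment that follows) in JavaScript. The data shape follows the scopes, role-templates and role-collections structure of an XSUAA xs-security.json, but the application name, the scope and template names, and the two-layer evaluation rule (a scope decides the operation, a team attribute decides which records once team scoping is switched on) are assumptions chosen to reproduce the outcomes the page describes.

```javascript
// Added example: how SAP BTP role collections compose into a user's effective
// scopes and team attributes, and how an application-side team filter then
// decides activity visibility. Names and the evaluation rule are assumptions.

const XSAPPNAME = "nested-authz-demo"; // assumed application name

// Role templates: the scopes each grants and whether it carries the "team" attribute.
const roleTemplates = {
  Process_Reader:  { scopes: ["Process_Read"],   attributes: [] },
  Activity_Reader: { scopes: ["Activity_Read"],  attributes: [] },
  Team_Reader:     { scopes: ["Activity_Read"],  attributes: ["team"] },
  Team_Writer:     { scopes: ["Activity_Write"], attributes: ["team"] },
};

// Role collections as the page defines them. A role is a template plus concrete
// attribute values; Collections Three and Four pin the team the role applies to.
const roleCollections = {
  One:   [{ template: "Process_Reader" }],
  Two:   [{ template: "Activity_Reader" }],
  Three: [{ template: "Team_Reader", team: "Team 1" }, { template: "Team_Writer", team: "Team 1" }],
  Four:  [{ template: "Team_Reader", team: "Team 2" }, { template: "Team_Writer", team: "Team 2" }],
};

// Effective authorization is the union over every assigned collection: assigning
// another collection can only add scopes and attribute values, never remove them.
function effectiveAuth(assignedCollections) {
  const scopes = new Set();
  const teams = new Set();
  for (const name of assignedCollections) {
    const roles = roleCollections[name];
    if (!roles) throw new Error(`unknown role collection: ${name}`);
    for (const role of roles) {
      const tmpl = roleTemplates[role.template];
      for (const s of tmpl.scopes) scopes.add(`${XSAPPNAME}.${s}`);
      if (tmpl.attributes.includes("team")) {
        if (role.team === undefined) throw new Error(`${role.template} needs a team value`);
        teams.add(role.team);
      }
    }
  }
  return { scopes, teams };
}

// Application-side check (assumed rule). The scope decides whether activities may
// be read at all; once team scoping is on, the team attribute decides which ones.
function visibleActivities(auth, activities, teamScoping) {
  if (!auth.scopes.has(`${XSAPPNAME}.Activity_Read`)) return [];
  if (!teamScoping) return activities.slice();                // Scenario 2: read is global
  return activities.filter((a) => auth.teams.has(a.team));    // Scenario 3/4: read is per team
}

function canWriteActivity(auth, team) {
  return auth.scopes.has(`${XSAPPNAME}.Activity_Write`) && auth.teams.has(team);
}

// Constructed sample data: every activity belongs to a team.
const activities = [
  { id: "A-1", team: "Team 1" },
  { id: "A-2", team: "Team 2" },
  { id: "A-3", team: "Team 2" },
];

// Scenario 2 -> 3: User 1 keeps Collection Two; User 2 gains Collection Four and
// team scoping is switched on. Scenario 4: User 1 additionally gets Collection Three.
function runScenarios() {
  const user1 = effectiveAuth(["Two"]);
  const user2After = effectiveAuth(["One", "Two", "Four"]);
  const user1Scenario4 = effectiveAuth(["Two", "Three"]);
  const user1Scenario1 = effectiveAuth(["One", "Two", "Three"]);
  const ids = (list) => list.map((a) => a.id);
  return {
    user1ScopeCount: user1.scopes.size,                                     // 1 (Activity_Read only)
    user1SeesBefore: ids(visibleActivities(user1, activities, false)),      // A-1, A-2, A-3
    user1SeesAfter: ids(visibleActivities(user1, activities, true)),        // none
    user2SeesAfter: ids(visibleActivities(user2After, activities, true)),   // A-2, A-3
    user2WritesTeam2: canWriteActivity(user2After, "Team 2"),               // true
    user2WritesTeam1: canWriteActivity(user2After, "Team 1"),               // false
    user1Scenario4Sees: ids(visibleActivities(user1Scenario4, activities, true)), // A-1
    user1Scenario1WritesTeam2: canWriteActivity(user1Scenario1, "Team 2"),  // false
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run it with node. The point to take from it: User 1's effective scopes are identical before and after Collection 4 is assigned to User 2, yet the visible set drops from three activities to none, because the team filter lives in the application layer rather than in the role collections. When auditing nested authorization, inspect both layers: the scopes and attribute values a user's collections resolve to, and the filter the application applies on top of them.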

Scenario 4: Configuring Reader and Writer Access for User Activities in SAP BTP

Expected Outcomes and Access Levels

The image shows the configuration of reader and writer access for User 1 and User 2 in an SAP application. User 1 is assigned Collection 3, which includes Team 1 writer and Team 1 read permissions. User 2 is assigned Collection 1 and Collection 2, which provide access to the Process, Process_Read, Activity, and Activity_Read functions.

User 1:

Assigned Roles:

  • Collection 2: Activity read access.
  • Collection 3: Team 1 writer and read access.

Permissions Overview:

  • Activity Access: Can view and edit activities associated with Team 1.
  • Team 1 Data: Full write and read access for Team 1 data.

Resulting Behavior:

Activity Visibility: Once Collection 3 makes User 1 a member of Team 1, User 1 regains activity visibility, now limited to Team 1's activities, and can edit them. Activity read alone (Collection 2) did not restore this; the team assignment did.

Scenario 5: Comprehensive Authorization Controls through Nested Role Collections in SAP BTP

In this final scenario, we consolidate the role collections and configure users to highlight the comprehensive access controls possible through nested authorization. By layering role collections, we achieve a detailed and nuanced authorization schema that can be customized based on user responsibilities and roles.

The image illustrates a comprehensive authorization schema in an SAP application, where multiple role collections are assigned to two users, User 1 and User 2. The role collections include Process, Process_Read, Activity, Activity_Read, Team 1 Write, and Team 1 Read, demonstrating the layered approach to managing user privileges and access levels.

Context

Users:

  • User 1
  • User 2

Role Collections Defined

Collection 1:

Permissions: Process read access

Collection 2:

Permissions: Activity read access

Collection 3:

Permissions: Team 1 write and read access

User 1: Assigned Role Collections 1, 2, and 3

Presumed role: Process Manager

Permissions:

  • Collection 1: Process read access.
  • Collection 2: Activity read access.
  • Collection 3: Team 1 write and read access.

Expected Capabilities:

  • Can view all processes.
  • Can see and manage activities where they are a team member (Team 1).
  • Broad visibility, with edit capabilities limited to the team assignments held (here, Team 1 only).

User 2: Assigned Role Collections 1 and 2

Permissions:

  • Collection 1: Process read access.
  • Collection 2: Activity read access.

Expected Capabilities:

  • Can view processes.
  • Can view activities.
  • Cannot edit processes or activities unless specifically assigned additional role collections (for example, Collection 3 for Team 1).