Implementing Authorization Checks Flashcards

1
Q

What is the responsibility of the database interface in ABAP?

A

The database interface in ABAP is responsible for processing requests to the database, ensuring that SQL statements are executed correctly.

2
Q

How does the database interface handle user authentication?

A

The database interface typically logs onto the database with a special user account that has broad permissions, allowing it to execute almost any operation on the database.

3
Q

What is the purpose of the authorization concept in ABAP?

A

It serves to restrict the privileges of business users when interacting with the database, ensuring they only have access to perform certain actions on specific data.

4
Q

What is an authorization object in ABAP BTP?

A

An authorization object in ABAP BTP is a fundamental component used to regulate access to various resources and functionalities within the platform.

5
Q

What role does an authorization object play in ABAP BTP?

A

An authorization object defines a set of rules that determine whether a user is authorized to perform specific actions or access certain data within the ABAP BTP environment.

6
Q

What is an IAM app in ABAP BTP?

A

An IAM (Identity and Access Management) app in ABAP BTP refers to an application or service that handles user authentication, authorization, and identity management within the BTP environment.

7
Q

What role does an IAM app play in ABAP BTP?

A

An IAM app is responsible for managing user identities, verifying user credentials, and controlling access to resources and functionalities based on defined policies and permissions.

8
Q

What is the business catalog in ABAP BTP?

A

A business catalog is a centralized repository or directory that contains a collection of business roles, authorization objects, and associated authorizations. It serves as a catalog of available roles and permissions within the BTP environment.

9
Q

What role does the business catalog play in managing authorization objects in ABAP BTP?

A

The business catalog serves as a repository for authorization objects and their configurations. It organizes authorization objects into logical groups and associates them with specific business roles. IAM apps utilize the business catalog to assign relevant authorization objects to users or roles, ensuring proper access control and security enforcement.

10
Q

What is a business role in ABAP BTP and a Business User?

A

A business role in ABAP BTP defines a set of tasks or responsibilities that a user or group of users can perform within the BTP environment. It encompasses a collection of business catalogs.
This business role is then assigned to a business user, who can then execute the permitted actions.

11
Q

Explain the relation between authorization object, IAM App, Business Catalog and Business Role.

A

To assign an authorization to a user, you include the authorization in an IAM App.
Here you can assign values to the fields of the authorization object. They describe what data the user is allowed to access.
Next, you assign several IAM Apps to a business catalog and publish it.
Now the admin takes over and creates a business role containing one or more business catalogs.
Then, business users are assigned to the business role.

12
Q

What are the two kinds of authorization checks in ABAP?

A

The first kind is a check bound to a CDS view, filtering retrieved data based on user authorizations. The second kind is an explicit check using the AUTHORITY-CHECK statement.

13
Q

How does the authorization check bound to a CDS view work?

A

It filters retrieved data according to the user’s authorizations, ensuring that only permitted data is returned.

14
Q

What is the purpose of the AUTHORITY-CHECK statement in ABAP?

A

The AUTHORITY-CHECK statement sets a return code value to determine if the user has the required authorization for a specific action.

15
Q

How are authorization checks typically used in the ABAP RESTful Application Programming model (RAP)?

A

Access controls are employed for read operations, while AUTHORITY-CHECK statements are utilized to validate authorizations before permitting changes to data.

16
Q

How do you implement access controls on a CDS view entity?

A

To implement access controls, you create an object with type Access Control. In this example, the access control checks authorization for a specific object (/DMO/TRVL) and compares the field /DMO/CNTRY with values in the database, setting the activity to ‘03’ for read access.

17
Q

How can you find the access control corresponding to a particular CDS view entity?

A

By placing the cursor on the name of the view entity in the editor and pressing Ctrl + Shift + G. This action loads the where-used list for the view entity, and if the view entity has an access control, it will be listed there.

18
Q

What happens when a user selects data using a CDS view with access controls?

A

The system uses the access control to determine the required values and compares them with the authorization values assigned to the user. It then sets a filter to ensure that only data corresponding to the user’s authorization is read, ensuring both security and performance efficiency.

19
Q

How do you perform an explicit authorization check in ABAP?

A

You use the AUTHORITY-CHECK statement, specifying the authorization object and the required values. For example, AUTHORITY-CHECK checks against object /DMO/TRVL, requiring the user to have authorization with ‘US’ for field CNTRY and ‘03’ for field ACTVT.

20
Q

How can you determine the result of an authorization check using AUTHORITY-CHECK?

A

The result of an authorization check using AUTHORITY-CHECK is indicated by the value stored in the system field sy-subrc. A value of 0 indicates a successful authorization check.

If sy-subrc has the value 4 after an authorization check, it means that the user has an authorization for the corresponding object but not with the required values.

A sy-subrc value of 12 indicates no authorization whatsoever.

21
Q

What action should be taken if the authorization check fails according to the value of sy-subrc?

A

The application needs to handle the situation appropriately, ensuring that the user cannot access the data. There is no automatic denial.

The AUTHORITY-CHECK statement does not prevent users from seeing data for which they have no authorization!

22
Q

What happens when you read data using a CDS view with an attached access control?

A
The system sets a filter on the data selection and only reads the records that correspond to the user’s authorization.

B
The system reads all of the data from the database and discards the records that do not correspond to the user’s authorization.

A

A
The system sets a filter on the data selection and only reads the records that correspond to the user’s authorization.

23
Q

In which object do you assign values to authorization fields?

A
IAM App

B
Business Catalog

C
Business Role

D
Authorization object

A

A
IAM App

24
Q

You check a user’s authorization to view data using an AUTHORITY-CHECK statement. What happens if the user does not have the requisite authorization?

A
sy-subrc is set to 0. The user is prevented from seeing the data automatically.

B
sy-subrc is set to 0. The developer must ensure himself or herself that the user cannot see the data.

C
sy-subrc is set to a value unequal to 0. The user is prevented from seeing the data automatically.

D
sy-subrc is set to a value unequal to 0. The developer must ensure himself or herself that the user cannot see the data.

A

D
sy-subrc is set to a value unequal to 0. The developer must ensure himself or herself that the user cannot see the data.