Role Based Access Control Pattern - RBAC - SAP ABAP Web Dynpro

The pattern underlying the concept presented here is the Role Based Access Control (RBAC) pattern, an access control model widely used to build secure systems.

This pattern was first formalised by Ferraiolo and Kuhn in 1992 (15th National Computer Security Conference, 1992, Baltimore, MD, pages 554–563), in a form in which users access resources through roles and permissions, and roles can inherit permissions from other roles.

Various forms of Role Based Access Control have been created and implemented in a variety of commercial systems. Below we present an extended form of the RBAC pattern.

Pattern Name: Role based access control.

Context: Any environment where access to resources must be controlled based on the user's roles.

Problem: How can we assign rights to users according to their roles, so that each user has only the authorization required to carry out their responsibilities?

Solution: A class model for Role Based Access Control is presented.

The role based access control pattern, Schumacher et al. (2006)

We will explain this concept with regard to the Application Server ABAP. The class User represents the user who attempts to access the protected object (transactions, programs, services), and the Role class represents the user's roles. A role can be a single role or a composite role. A composite role can contain only single roles; a single role can contain, for example, the logon menu for the user and authorization objects. SAP delivers a large number of single roles ready to use, but we can also create our own. The class Right describes the access type (delete, write, etc.).

Each user can be a member of one or more groups. The Session class implements the principle of "least privilege", according to which a user receives, in each session, only the privileges required to perform their responsibilities.

In the example presented in the figure, the profile administrator creates a single role ZTEST_ROLE, assigns the authorization object ZTEST_AUTH to it, maintains the fields and generates the authorization profile. Our test user, Gellert, tries to perform a delete operation on the YPERSON database table, but he has not yet been assigned ZTEST_ROLE.

That is why he does not have the authorization to perform this operation. Only after the user administrator assigns him the role can he delete the database records in the range 004–100. Thus we have a separation between the role administrator and the right administrator. Besides this basic division, other scenarios can be used.
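As an added example (not code from the original page), the ABAP that the delete operation in this scenario needs in order to enforce ZTEST_AUTH: the check is only applied where the program explicitly calls AUTHORITY-CHECK. The report name, the authorization field ZPERSNR and the key column PERSNR are assumptions, since the page does not name the object's fields.

```abap
REPORT zrbac_delete_demo.

" Key of the YPERSON record to delete; '050' lies inside the 004-100 range
" that ZTEST_ROLE grants (constructed sample value, not from the original page).
PARAMETERS p_persnr TYPE char3 DEFAULT '050'.

" Authorization object ZTEST_AUTH is assumed to carry two fields:
"   ACTVT   - the standard SAP activity field; '06' is the standard code for Delete
"   ZPERSNR - an assumed field holding the YPERSON key, maintained as 004-100 in ZTEST_ROLE
AUTHORITY-CHECK OBJECT 'ZTEST_AUTH'
  ID 'ACTVT'   FIELD '06'
  ID 'ZPERSNR' FIELD p_persnr.

IF sy-subrc <> 0.
  " sy-subrc 4:  the user's roles hold the object, but no authorization matches the values
  " sy-subrc 12: the user holds no authorization for ZTEST_AUTH at all
  " Either way the delete must not run; this is where Gellert is stopped
  " before the user administrator assigns ZTEST_ROLE to him.
  MESSAGE |No authorization to delete YPERSON record { p_persnr } (sy-subrc { sy-subrc })| TYPE 'E'.
ENDIF.

" Reached only when the check succeeded. PERSNR is assumed to be the key column of YPERSON.
DELETE FROM yperson WHERE persnr = p_persnr.
IF sy-subrc = 0.
  COMMIT WORK.
  MESSAGE |Deleted YPERSON record { p_persnr }| TYPE 'S'.
ELSE.
  MESSAGE |YPERSON record { p_persnr } not found| TYPE 'S' DISPLAY LIKE 'W'.
ENDIF.
```

A DELETE FROM yperson issued without the preceding AUTHORITY-CHECK is not stopped by ZTEST_AUTH, so every code path that modifies the protected object must carry the check. A failed check can be inspected in transaction SU53 to see which object and field values were missing from the user's roles.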

Applications: J2EE, SAP NetWeaver, Oracle, etc.
