Secured Objects and Application Services

The system restricts access to transactions or explicit services using an application service. The following sections describe what objects are secured, how to find out what each application service secures, and how to manage application services.

What is Secured by an Application Service

  • The following points highlight security related to viewing and modifying individual records in the system:

    • All maintenance objects define an application service that includes the basic actions available, typically Add, Change, Delete, and Inquire. The base product supplies an application service for every maintenance object. Some objects that include a fixed lifecycle may define additional access modes on the maintenance object's application service. The application service for the maintenance object is defined on its related service program.

      CAUTION: Important! If an application service supports actions that modify the database other than Add, Change, and Delete, you must provide the user with Change access in addition to the other access rights. Consider a maintenance object that includes the access modes Freeze, Complete and Cancel. If you want to give a user access to any of these special actions, you must also give the user access to the Change action.

    • For maintenance objects whose user interface page is not portal-based, the application service also controls whether the menu entry appears. If a user doesn't have access to the maintenance object's application service, the menu item that corresponds with the application service will not be visible.

    • For portal based user interfaces, each main (stand-alone) portal defines an explicit application service with the access mode Inquire, allowing the user interface to be secured independently of the underlying object security. If a user doesn't have access to the portal's application service, the menu item that corresponds with the application service will not be visible. The base product supplies an application service for every portal that is accessible from the menu. Note that the application service for the portal is defined on its related service program, which is derived via its navigation option and navigation key.

    • Menu items may define an application service / access mode. Typically the security supplied for portals and maintenance objects provides enough granularity to suppress menu items that a user does not have access to. In addition, by default, the system populates application services / access modes on menu items related to a BPA script. A common use case is the 'Add' menu item for maintaining an object. In this case, typically the application service for the maintenance object is used along with the Add access mode. Other types of BPA related menu items may have other appropriate configuration.

      Clients may choose to link an explicit application service / access mode to a menu item to further suppress it. For example, imagine your implementation creates a special BPA script to add a To Do Entry and would like users to use the special BPA rather than the base supplied Add dialogue for To Do Entry. The base delivered menu item for adding a To Do Entry uses the To Do Entry maintenance object application service with the Add access mode. Users need that security setting to be able to add a To Do Entry even from a different dialogue. To suppress the base Add dialogue, override the setting for the base supplied menu item for To Do Entry Add with a special application service and access mode. Then define a menu entry for the new special BPA for adding.

    • Zones define an application service.

      • For zones linked to a portal, if a user doesn't have access to the zone's application service, the zone will not be visible on the portal. In most cases the zone is delivered with the same application service as its portal. In special cases, such as the zones on the Sidebar, the product supplies separate application services for each zone allowing implementations to determine at a more granular level which users should have access to which zones.

      • For query zones that are configured on a multi-query zone, if a user doesn't have access to the zone's application service, the zone will not be visible in the dropdown on the multi-query zone. In most cases all zones in a multi-query zone define the same application service as the multi-query zone. The product may supply a special application service for one or more zones in a multi-query zone if the functionality is special to certain markets or jurisdictions and not applicable to all implementations.

      • For zones that are used by business services to perform SQL queries, the product supplies a default application service (F1-DFLTS). Security for these zones is not checked by the product as they are used for internal purposes.

    • For portal based pages, individual elements may be shown or hidden based on security using the oraHasSecurity function in a UI map's HTML or in UI Hints in a schema. Refer to Check User's Security Access for more information.

    • Business objects define an application service. If the business object defines a lifecycle, the application service must include access modes that correspond to each state. In addition, the standard maintenance object access modes of Add, Change, Delete and Inquire are included. The base product business objects are supplied with appropriate application services. In addition, implementations may override the configured application service if desired.

      CAUTION: Important! If an application service supports actions that modify the database other than Add, Change, and Delete, you must provide the user with Change access in addition to the other access rights. Consider a business object that includes the lifecycle states Freeze, Complete and Cancel. If you want to give a user access to any of these special actions, you must also give the user access to the Change action.

    • Batch controls define an application service which provides the ability to secure submission of individual batch processes. The application service must include an access mode of Execute. The base product batch controls are supplied with appropriate application services. These services will typically have an ID that matches the batch control ID.

    • Report Definition records define an application service. The application service must include an access mode of Submit / View Report.

  • The following objects are securable but are typically executed via internal processes. The security is provided to ensure that any access to the objects from an external source is secured.

    • BPA scripts may define an application service with the access mode Execute. The base BPA scripts are typically not configured with any application service. An implementation may define one. Note that as mentioned above, a menu item may also be configured with an application service and access mode. This allows for a BPA that is invoked via a menu entry to be secured in more than one way.

    • Business Services and Service Scripts define an application service with the access mode Execute. This is needed for services that may be executed from an external system, for example via an inbound web service. Base business services and service scripts that are linked to an inbound web service are configured with a special application service. All other business services and service scripts are delivered with a default application service (F1-DFLTS), which may be overridden by an implementation.

    • Scripts may also check security within an Edit Data step type if there is some functionality that should or should not execute based on a user's security access. The Edit Data step would include a call to the business service F1-CheckApplicationSecurity.

    • Service Programs define an application service. As mentioned above, for Portals and Maintenance Objects, their application service is taken from the related service program. In base, specific application services are released for each of these types of service programs. All other service programs are typically delivered with a default application service (F1-DFLTS), which may be overridden by an implementation. Note that for service programs linked to a Business Service, the application service on the business service takes precedence when invoking the business service.

Determining What an Application Service Secures

The product aims to provide as much granularity as possible so that implementations have the greatest control over what users can do. As a result, a large number of application services are provided out of the box, and it can be daunting to understand who needs access to which application services to do their job. The product provides several online tools to help security administrators understand what application services exist and what they are for.

  • On the application service page itself, there is a Secured Objects zone that indicates all the metadata that is related to this application service. There are a small number of application services that are securing functionality that is not discoverable by the Secured Objects zone. For those services, the detailed description of the application service should indicate what it's for.

  • A large percentage of security is related to a specific page in the system that is accessible via the menu. Because of the different layers of security, to be able to view a record you may need access to several application services: the one associated with the query portal, the one associated with the maintenance portal, the one associated with the maintenance object of the record and the one associated with the business object governing the record. When viewing a menu, there is an Application Security tab, which allows you to review each menu line and see a list of all the application services a user may need access to for viewing or maintaining data on that related page.

  • The Application Security Query portal provides various filters for viewing what objects are being secured by what services. Besides menu items, it shows batch controls, reports, web services and other functionality. In addition, it allows you to view what users and what user groups currently have access to what application services and allows you to compare the security of two users.
  • The User Group portal includes several zones that help security administrators to configure security options or review security configuration. The main tab includes a zone to Add Application Services. This zone only shows application services that are not already linked and provides several ways to narrow down the list of application services. The Service Manager tab has a similar zone, but breaks down the information to a combination of application service and access mode. Finally, the Secured Components tab is similar to the Application Security Query. It allows you to query the objects secured by application services in this user group.
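
The Change rule from the CAUTION notes and the layered access described above for viewing a record can be checked together against an export of user group grants. The following is an added example, not product code: the group names, service IDs and data layout are constructed placeholders, and it assumes any access mode other than Add, Change, Delete and Inquire on a maintenance object or business object service modifies the database.

```python
# Added example: audits constructed grant data; it does not read product tables.
STANDARD = {"Add", "Change", "Delete", "Inquire"}

# Constructed sample: user group -> application service -> granted access modes.
# Every group name and service ID below is a hypothetical placeholder.
GRANTS = {
    "BILLING_CLERK": {
        "XX-ADJQ": {"Inquire"},                          # query portal
        "XX-ADJP": {"Inquire"},                          # maintenance portal
        "XX-ADJMO": {"Inquire", "Freeze"},               # maintenance object
        "XX-ADJBO": {"Inquire", "Change", "Complete"},   # business object
    },
    "READ_ONLY": {
        "XX-ADJQ": {"Inquire"},
        "XX-ADJMO": {"Inquire"},
    },
}

# Services that secure a maintenance object or business object,
# which is where the Change rule applies.
OBJECT_SERVICES = {"XX-ADJMO", "XX-ADJBO"}

# The four layers needed to view one record reached from the menu.
VIEW_LAYERS = [("XX-ADJQ", "Inquire"), ("XX-ADJP", "Inquire"),
               ("XX-ADJMO", "Inquire"), ("XX-ADJBO", "Inquire")]


def special_modes_without_change(grants, object_services):
    """Return (group, service, modes) where a special mode is granted without Change."""
    findings = []
    for group, services in sorted(grants.items()):
        for svc, modes in sorted(services.items()):
            special = modes - STANDARD  # assumed to modify the database
            if svc in object_services and special and "Change" not in modes:
                findings.append((group, svc, sorted(special)))
    return findings


def missing_view_layers(grants, group, layers):
    """Return the (service, mode) pairs the group still lacks to view the record."""
    held = grants.get(group, {})
    return [(svc, mode) for svc, mode in layers if mode not in held.get(svc, set())]


if __name__ == "__main__":
    for finding in special_modes_without_change(GRANTS, OBJECT_SERVICES):
        print("special mode without Change:", finding)
    for group in sorted(GRANTS):
        print(group, "missing for view:", missing_view_layers(GRANTS, group, VIEW_LAYERS))
```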

Application Services Introduced in a Release

When new functionality is provided that includes any object that is associated with an application service, new application services may be introduced. The product release notes indicate the new application services included in the release. In addition, the product includes a special Entity Tag that includes a list of the new application services. The tag's description uses the cloud release reference rather than the on-premise release reference to identify itself.