To access an OData web service that exposes data from a Core Data Service (CDS) in SAP R/3, a user needs has to have an authorization role assigned that contains the authorization object S_SERVICE.
The authorization object S_SERVICE requires two parameters:
- the service type (
SRV_TYPE) which is set toHT= "TADIR Object" in my case - the service hash (
SRV_NAME).
Using the debugger I found out, that the function module AUTHORITY_CHECK_TADIR_SERVICE compares the hash from the S_SERVICE authorization object with the hash stored in a record of table usobhash:
I also found out, that function module AUTH_TRACE_CALC_HASH uses the data from the columns PGMID, OBJECT and OBJ_NAME in table usobhash as input to generate the hash which is then stored in column NAME.
So far, whenever I wanted to grant a user/role permission to access a OData service I needed to know this hash. To get the hash, I either checked the usobhash table or manually executed AUTH_TRACE_CALC_HASH and then entered the hash when I assigned the authorization object to an authorization role in transaction pfcg. I guess there has to be an easier, more "official" way to do this. My approach feels like a dirty workaround but I was unable to find any documentation about how to do it right.
tl;dr How do I set the S_SERVICE authorization object without either debugging AUTH_TRACE_CALC_HASH or searching for the relevant entry in usobhash?
