To access an OData web service that exposes data from a Core Data Service (CDS) in SAP R/3, a user needs has to have an authorization role assigned that contains the authorization object S_SERVICE
.
The authorization object S_SERVICE
requires two parameters:
- the service type (
SRV_TYPE
) which is set toHT
= "TADIR Object" in my case - the service hash (
SRV_NAME
).
Using the debugger I found out, that the function module AUTHORITY_CHECK_TADIR_SERVICE
compares the hash from the S_SERVICE
authorization object with the hash stored in a record of table usobhash
:
I also found out, that function module AUTH_TRACE_CALC_HASH
uses the data from the columns PGMID
, OBJECT
and OBJ_NAME
in table usobhash
as input to generate the hash which is then stored in column NAME
.
So far, whenever I wanted to grant a user/role permission to access a OData service I needed to know this hash. To get the hash, I either checked the usobhash table or manually executed AUTH_TRACE_CALC_HASH
and then entered the hash when I assigned the authorization object to an authorization role in transaction pfcg
. I guess there has to be an easier, more "official" way to do this. My approach feels like a dirty workaround but I was unable to find any documentation about how to do it right.
tl;dr How do I set the S_SERVICE
authorization object without either debugging AUTH_TRACE_CALC_HASH
or searching for the relevant entry in usobhash
?