Authorization Checks

The authorization capabilities in SAP Mobile Platform center around two primary authorization methods: role checks and resource access checks.

Role checks are performed using the context's checkRole() method, passing the role ID as the parameter. A list of candidate roles for access checks can be retrieved using the listRoles() method. Some provider sets can enumerate the roles available, but the return value of listRoles() is not necessarily the complete list of roles; what it contains depends on the configured providers.

Resource access checks are more complicated than role checks because three factors are involved. Before attempting an access check, a reference to a resource object must be retrieved through a call to getResource(), possibly preceded by a call to listResources() to obtain a resource list. Next, the client can either call checkAccess() immediately, supplying the resource reference and an action identifier, or first use the listActions() method to retrieve a list of potential actions that can be expected to be performed on the given resource instance. As with all enumeration methods, providers are not required or guaranteed to implement listActions(), so additional valid actions may exist for the given resource beyond those returned.

Client calls to the various SecContext.checkAccess() and SecContext.checkRole() methods result in calls to the corresponding methods in each authorization provider. When delegating these calls, the security context combines the role and access check results from all of the configured authorization providers. Therefore, the fact that one provider identifies a user as having a particular role does not by itself mean that the checkRole() call succeeds.
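The following is an added Python model of the flow described above (role checks, the getResource()/listActions()/checkAccess() sequence, and the combination of results across providers). It is not SAP code and does not use the SAP Mobile Platform API; the snake_case method names mirror the documented methods, the provider classes and sample configuration are constructed for illustration, and the combination rule (a check succeeds only when at least one provider permits and none denies) is an assumption of this model, not a statement of how the platform combines results.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"  # provider has no information about this subject


@dataclass(frozen=True)
class Resource:
    """Handle returned by get_resource(); identity is the resource name."""
    name: str


class AuthorizationProvider:
    """One configured provider (hypothetical). role_map: user -> roles granted;
    deny_roles: user -> roles explicitly refused; access_map:
    (user, resource, action) -> Decision. can_enumerate=False models a provider
    whose list_roles()/list_actions() return nothing although its check methods
    still answer, as the text says enumeration is optional."""

    def __init__(self, name, role_map, deny_roles, access_map, can_enumerate=True):
        self.name = name
        self.role_map = role_map
        self.deny_roles = deny_roles
        self.access_map = access_map
        self.can_enumerate = can_enumerate

    def list_roles(self):
        if not self.can_enumerate:
            return []
        return sorted({r for roles in self.role_map.values() for r in roles})

    def check_role(self, user, role):
        if role in self.deny_roles.get(user, set()):
            return Decision.DENY
        if role in self.role_map.get(user, set()):
            return Decision.PERMIT
        return Decision.ABSTAIN

    def list_actions(self, resource):
        if not self.can_enumerate:
            return []
        return sorted({a for (_, r, a) in self.access_map if r == resource.name})

    def check_access(self, user, resource, action):
        return self.access_map.get((user, resource.name, action), Decision.ABSTAIN)


class SecContext:
    """Delegates every check to every provider and combines the answers.
    Combination rule (assumed here): succeed only if at least one provider
    permits and no provider denies; ABSTAIN carries no weight."""

    def __init__(self, user, providers):
        self.user = user
        self.providers = providers

    @staticmethod
    def _combine(decisions):
        if Decision.DENY in decisions:
            return False
        return Decision.PERMIT in decisions

    def list_roles(self):
        # Union of what providers enumerate; still incomplete if any cannot enumerate.
        return sorted({r for p in self.providers for r in p.list_roles()})

    def check_role(self, role):
        return self._combine([p.check_role(self.user, role) for p in self.providers])

    def get_resource(self, name):
        return Resource(name)

    def list_actions(self, resource):
        return sorted({a for p in self.providers for a in p.list_actions(resource)})

    def check_access(self, resource, action):
        return self._combine(
            [p.check_access(self.user, resource, action) for p in self.providers])


# Constructed sample configuration: two providers with different knowledge.
LDAP = AuthorizationProvider(
    "ldap",
    role_map={"alice": {"sales", "manager"}, "bob": {"sales"}},
    deny_roles={},
    access_map={("alice", "orders", "read"): Decision.PERMIT,
                ("bob", "orders", "read"): Decision.PERMIT},
)
POLICY = AuthorizationProvider(
    "policy-db",
    role_map={"bob": {"auditor"}},
    deny_roles={"alice": {"manager"}},
    access_map={("alice", "orders", "approve"): Decision.PERMIT,
                ("bob", "orders", "read"): Decision.DENY},
    can_enumerate=False,  # its roles and actions never show up in list_* results
)


def demo():
    alice, bob = SecContext("alice", [LDAP, POLICY]), SecContext("bob", [LDAP, POLICY])
    orders = alice.get_resource("orders")
    return {
        "roles_listed": alice.list_roles(),            # only ldap enumerates
        "alice_manager": alice.check_role("manager"),  # ldap permits, policy denies
        "alice_sales": alice.check_role("sales"),      # ldap permits, policy abstains
        "actions_listed": alice.list_actions(orders),  # "approve" is not listed...
        "alice_approve": alice.check_access(orders, "approve"),  # ...yet permitted
        "bob_read": bob.check_access(orders, "read"),  # one permit, one deny
        "bob_auditor": bob.check_role("auditor"),      # unlisted role still succeeds
    }
```

The point the model makes concrete: listRoles() and listActions() are hints suitable for building a user interface, not an authority, because a provider that cannot enumerate still participates in every check; and a single provider's permit is only one input to the combined decision, so callers must rely on the outcome of checkRole()/checkAccess() alone.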