Page tree
Skip to end of metadata
Go to start of metadata

The Leave Request example distinguishes between employee and manager roles.

  • Each employee has the permission to create a leave request
  • Managers additionally have the permission to approve leave requests of their employees

To implement this there are different OAuth 2.0 Scopes for the creation and the approval of leave requests. To get the permission for the required OAuth 2.0 scopes the end users need certain authorizations.

Table of Contents:

Maintain the manager role

The manager role must contain authorizations for the authorization objects S_SERVICE and S_SCOPE to be allowed to access the Leave Request and Approval services.

  • Authorizations for the authorization object S_SERVICE are required to start the Leave Request application services. These are checked by the ICF Framework.
  • Authorizations for the authorization object S_SCOPE are required to delegate access permissions for the Leave Request application services from the end user to the Leave Request Application

1. Start transaction PFCG

Enter the role name for the manager e.g. ZSIS261_MANAGER.

Choose change button or press F6.

2. To add the S_SERVICE authorizations switch to the tab Menu.

If you are asked to save the role first, choose Yes.

Choose Authorization Default.

The system will display a popup where you can enter the TADIR Service that should be added to the role.

Add the following TADIR services to the role Role Menu:


Adding the TADIR services to the role menu the system will automatically insert the correct authorization values for the authorization object S_SERVICE into the role.

In the next steps add the authorizations for the authorization object S_SCOPE.

3. Switch to the tab Authorizations and choose Change Authorization Data.

If you are asked to save the role first, choose Yes.

Cancel the popup Choose Template.

Goto menu Utilities and choose Technical names on.

4. On the following screen mark the role name ZSIS261_MANAGER and choose Expand.

You will then see all the authorizations for authority object S_SERVICE as displayed in the screenshot.

5. Choose Manually to insert authorization object S_SCOPE.

6. Mark Manually Basis: Administration and choose Expand.

The newly added entry is marked yellow.

Choose Change to enter the OAuth 2.0 Client ID.

7. On the popup Field values enter LEAVEAPP in column From and choose Save.

8. Enter the OAuth 2.0 Scope IDs

Configuration works the same way as you did for the Client ID in steps 6 and 7.

9. After the authorizations were maintained choose Generate.

If a popup with the title Assign Profile Name for Generated Authorization Profile appears, press ENTER.

Finally choose Back to get back to the role Change Roles screen.

The role is completely configured now.

When adding the S_SCOPE authorizations every user having the manager role ZSIS261_MANAGER assigned, is allowed to delegate the access permissions for these services to the referred OAuth 2.0 Client. In the example permissions may be delegated only to OAuth 2.0 Client LEAVEAPP. To allow delegation to any OAuth 2.0 Client just maintain an *asterisk (*) in the field OAuth 2.0 Client ID.

Adhering to the principle of Least Privileges it’s recommended to maintain specific OAuth 2.0 Client and Scope values.

Assign the manager role to a resource owner user

The manager role must be assigned to every manager who should be authorized to approve leave requests.

In OAuth-speak that means

  • every manager user who should be authorized to delegate the scope ZSIS261_LEAVEREQUEST_APPR_0001 to 
  • an OAuth 2.0 Client, in our case the Leave Request application, which will then perform the approvals on behalf of the manager user. 

10. Switch to the tab User.
In the table at the bottom enter the users to be assigned to the role, e.g. Bob.
If the icon before User comparison is red or yellow, click on it.
Press Save (or CTRL+S) to save the role assignment.

Now the icon before User comparison as well as the icon before the tab User should be green as indicated in the figure.

Maintain the employee role

Maintenance of the employee role works similar to maintaining the manager role.

11. Start transaction PFCG to work on the role ZSIS261_EMPLOYEE.
(See step 1 for details).

Firstly add TADIR services R3TR IWSG ZLEAVEREQUEST_0001 and R3TR IWSV ZLEAVEREQUEST  0001 to the role menu:
(See step 2 for details).

Secondly add authorizations for the OAuth 2.0 Scope delegation to the role. The employee needs the authorization for scope ZLEAVEREQUEST_0001.
(See step 5-9 for details).

After this step role ZSIS261_EMPLOYEE should have the authorizations as shown in the figure.

Assign the employee role to a resource owner user

The employee role must be assigned to every employee that should be authorized to delegate the scope ZSIS261_LEAVEREQUEST_SRV_0001 to an OAuth 2.0 Client.

12. Back in the Change Roles screen in transaction PFCG, switch to the tab User and assign the role to user EMPLOYEE.
(See step 10 for details).

In the table at the bottom enter the users to be assigned to the role, e.g. Alice.

Bob who is a manager in our scenario also gets the employee role so that he is able to delegate the leave requests permissions as well.