TMG Security Framework for SAP Hybris

The TMG Security Framework for SAP Hybris solves complex security requirements for rule-based front-end UI restrictions and backend object data access in modern commerce applications.

As organizations begin to mature their commerce presence, they look at platforms such as SAP Hybris to replace disparate applications supporting different channels of business, such as internal employees, external partners and vendors. The goal is to create a single application/portal for all areas of business to transact seamlessly. To achieve this, one common requirement is the ability to restrict a user's view of page elements (text fields, inputs, buttons, lists, sections, links, etc...) based on a defined set of rules. Most of the time, if not always, these rules extend beyond simple user groups. For example, in a B2B quoting application we may want to take the quote's status into account, along with product details, total price, several user attributes, etc... before we display the quoting screens. The exact rule sets can be complex and will be different across projects.

There really isn't a standard solution for this problem. One direction could be to code complex if statements, but this would lead to unreadable code that is difficult to test and extend. The WCMS and content slots could be another approach, but security really isn't the intention of this tool. Add in the potential of hundreds of fields and/or elements to secure, and evaluating a page would become terribly inefficient. Bottom line, these approaches would result in complex custom coding which is hard to maintain - especially when it comes to future platform upgrades / enhancements.

This is the gap the TMG Security Framework fills. The framework allows developers to control UI visibility on the frontend and secure objects of any type in the backend in a manner that is consistent and supports a configuration based approach. The framework is a set of Hybris Extensions that can be used in any SAP Hybris project scenario, B2B or B2C, a new project or an existing one. Both SAP Hybris 5 and 6 are supported.

Framework Features:

Flexibility
The framework supports the ability to secure any combination of OOTB and/or custom objects as well as use any object for security rule criteria. These objects can be of any type, e.g. Models, Beans and DTOs. We also support any page element, including values within those elements, e.g. values within drop-down lists.

Secure objects such as Users, Orders, Quotes, Pricing, Carts, etc... and/or use them as security rules

Frontend & Backend Security
Not only do we provide the ability to hide, disable or restrict elements on the frontend, we've built in backend logic to ensure the solution is 'secure'. For example, if a savvy user hacks the value of a read-only field on the frontend, our framework will use the security rules in our services layer to 'wipe clean' any attributes the user doesn't have permission to change.

Our services layer cleans and secures data in both directions

We also clean attributes of data being sent to the client. If you are using Ajax, where a user can view traffic over the network, or a web service that needs to send data that is 'secured', the client will never see attributes and values they aren't intended to, since the framework removes them.

Intuitive Implementation (Impex Based)
The framework was designed to be easily integrated into your project with minimal effect on the existing implementation. The security rules are defined in SAP Hybris Impex format. This provides the ability for rules to be changed at runtime without builds or restarts.

Include our extensions in your project

Extend our security object

Wrap your UI elements in our tags for field visibility

Define your security rules in Impex

In some scenarios where complex data mining is required for rules, we provide interfaces for hooks that retrieve that data in code.

Performance
We utilize caching layers to provide the most efficient experience for your users. We also provide the ability to group secured attributes together with the same rule criteria so they are all evaluated together, reducing the page load time greatly in many cases.
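As an added illustration of the two behaviours described above, cleaning attributes in both directions and evaluating attributes that share the same rule criteria as one group, here is a small Java sketch. It is not TMG framework code: the class and attribute names, the quote statuses and the rules are hypothetical, the rules are hard-coded in place of Impex, and Java 17 is assumed for records.

```java
import java.util.*;
import java.util.function.Predicate;

// Hypothetical illustration of rule-based attribute cleaning; not TMG framework code.
public class QuoteAttributeGuard {
    public enum Permission { VIEW, EDIT }
    // Constructed rule context: quote status, total and user attributes, the criteria the page names.
    public record Context(String quoteStatus, double total, Set<String> groups, boolean approver) {}
    private record Rule(Permission perm, Predicate<Context> criteria, Set<String> attributes) {}
    private final List<Rule> rules = new ArrayList<>();

    // Attributes that share one criteria predicate are registered as a group and evaluated once.
    public void allow(Permission perm, Predicate<Context> criteria, String... attributes) {
        rules.add(new Rule(perm, criteria, new LinkedHashSet<>(Arrays.asList(attributes))));
    }

    public Set<String> permitted(Permission perm, Context ctx) {
        Set<String> out = new HashSet<>();
        for (Rule r : rules) if (r.perm() == perm && r.criteria().test(ctx)) out.addAll(r.attributes());
        return out;
    }

    // Inbound: keep only attributes the caller may EDIT; anything else is wiped before persisting.
    public Map<String, Object> cleanInbound(Context ctx, Map<String, Object> submitted) {
        return keep(submitted, permitted(Permission.EDIT, ctx));
    }

    // Outbound: keep only attributes the caller may VIEW, so hidden values never reach the client.
    public Map<String, Object> cleanOutbound(Context ctx, Map<String, Object> model) {
        return keep(model, permitted(Permission.VIEW, ctx));
    }

    private static Map<String, Object> keep(Map<String, Object> src, Set<String> allowed) {
        Map<String, Object> out = new LinkedHashMap<>();
        src.forEach((k, v) -> { if (allowed.contains(k)) out.put(k, v); });
        return out;
    }

    public static void main(String[] args) {
        QuoteAttributeGuard guard = new QuoteAttributeGuard();
        guard.allow(Permission.VIEW, c -> true, "totalPrice", "discountPercent");
        guard.allow(Permission.VIEW, Context::approver, "costPrice", "internalMargin");
        guard.allow(Permission.EDIT, c -> c.quoteStatus().equals("DRAFT") && c.groups().contains("salesrep"),
                "discountPercent", "requestedDeliveryDate");
        guard.allow(Permission.EDIT, c -> c.quoteStatus().equals("PENDING_APPROVAL") && c.approver(), "discountPercent");

        // Constructed scenario: a sales rep posts a tampered discount on a quote awaiting approval.
        Context salesRep = new Context("PENDING_APPROVAL", 1200.0, Set.of("salesrep"), false);
        Map<String, Object> tampered = Map.of("discountPercent", 50, "internalMargin", 0.01);
        System.out.println(guard.cleanInbound(salesRep, tampered));      // empty: nothing editable in this status
        Map<String, Object> quote = Map.of("totalPrice", 1200.0, "discountPercent", 10, "costPrice", 900.0);
        System.out.println(guard.cleanOutbound(salesRep, quote));        // totalPrice and discountPercent only
    }
}
```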

Debugging Tools
Realtime debugging tools are built into the front-end application, providing the following:

A Quote transitioning while in debug mode, notice the visibility of UI elements on the front end change and our debug icons that can be clicked for more information

The rules that apply to that field, with the fired rule in re

The current session's data that is considered rule criteria

A help section to provide more data about the debugging session

These debugging tools are turned on and off globally by Hybris system properties that can be changed at runtime. Once turned on, the tool is accessible on a per-user-session basis by setting a URL parameter. This provides the ability to debug a single user session without affecting other users in the application. The debugging tool also supports the smaller screens of mobile devices.

BackOffice & HMC Support

We have also built in support for Hybris 6 BackOffice and for the HMC. You can view rules and settings and make changes at runtime via these tools.

Hybris 6 BackOffice Support

These tools contain a configured List View, Advanced Search Area and Editor Area for each Security Framework related object type.

If you would like to find out more about the framework and if it could benefit your project, please contact us at info@techmatesgroup.com.