Scribd
Upload
248 views25 pages

ABAP CDS Views With Authorization

The document discusses authorization and access control for ABAP CDS views. It provides standard demo examples of different access control options and then creates a simple example based on PFCG authorizations. The example creates a CDS view, authorization objects, roles, and demonstrates how access is controlled based on the defined authorizations.

Uploaded by

Sriram C S
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
248 views25 pages

ABAP CDS Views With Authorization

The document discusses authorization and access control for ABAP CDS views. It provides standard demo examples of different access control options and then creates a simple example based on PFCG authorizations. The example creates a CDS view, authorization objects, roles, and demonstrates how access is controlled based on the defined authorizations.

Uploaded by

Sriram C S
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 25

2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like


Community

Ask a Question Write a Blog Post Login

Maksim Alyapyshev
February 27, 2017 11 minute read

ABAP CDS views with Authorization based on Access Control


21 Likes 43,038 Views 23 Comments

Hi!

In this post I would like to consider a very important authorization aspect of ABAP CDS views. For each CDS
view we have to de ne an access control using DCL.

For the demonstration cases I’m using S/4HANA 1610 on NW 7.51.

There are 5 parts in this post:

Part I. Standard demo access control examples

Part II. Create a simple example based on PFCG authorizations

Part III. Access control for analytical CDS views with CUBE data category

Part IV. Access control for analytical query CDS views

Part V. UNION or INTERSECTION of authorizations

Let’s start.

________________________________________________________________________________

Part I. Standard demo access control examples

First of all I recommend to begin with standard demo CDS views in SABAPDEMOS package based on Flight
Model.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 1/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

1. Full access demo example


Follow RSS feed Like

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_fullaccess {
grant select on demo_cds_auth_fullaccess; }

2. Literal conditions demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_literal {

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 2/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

grant select on demo_cds_auth_literal


Follow RSS feed Like
where carrid = 'LH'; }

3. PFCG authorizations demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_pfcg {
grant select on demo_cds_auth_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03'); }

Authorization object s_carrid could be found in t-code SU21 under BC_C object class.

4. Combination of literal and PFCG authorizations demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 3/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

url
Follow RSS feed Like
};

DCL:

@MappingRole: true
define role demo_cds_role_lit_pfcg {
grant select on demo_cds_auth_lit_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03') and
currcode = 'EUR'; }

5. Inherited authorization demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
as select from
demo_cds_auth_lit_pfcg
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_inherited {
grant select on demo_cds_auth_inherited
inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }

In this example data records with USD and EUR currency code will be showed.

6. Current user authorization demo example

DDL:

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 4/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like


@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
as select from
abdocmode
{
key uname,
key langu,
flag
};

DCL:

@MappingRole: true
define role demo_cds_role_user {
grant select on demo_cds_auth_user
where
uname ?= aspect user; }

In this example data records will be ltered based on user name accessing CDS view.

Conclusion of Part 1: we considered standard demo examples with di erent options, let’s try to create our own
CDS view with access control.

________________________________________________________________________________

Part II. Create a simple example based on PFCG authorizations

1. Create a our own CDS view by coping existing one:

@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
{
key carrid,
carrname,
currcode,
url
};

Now if we open data preview in HANA Studio we will see all records. Access control doesn’t exist yet.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 5/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

2. Create our z-authorization objects in SU21 t-code:

For each object de ne authorization eld(s) and Activity eld, include in permitted activities 03 Display. In our
case we include CARRID eld in ZS_CARRID and CONNID in ZS_CONNID.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 6/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 7/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

3. Create access control for ZS_CARRID authorization object.


Follow RSS feed Like

@MappingRole: true
define role zdemo_access_pfcg {
grant select on Zdemo_Access_Pfcg
where (carrid) =
aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }

If we open data preview in HANA studio we will not see any data.

4. Create a new role in PFCG and include authorization objects here. De ne what data based on selected elds
users should see. Don’t forget to generate pro le. Assign role to our user.

In rst case we will use only ZS_CARRID. We will use another object later in this post.

5. Go back to HANA studio to test authorization. Open data preview for our CDS.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 8/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

Now we see only records with de ned for Airline Company (CARRID) eld.

Note: If we open a view in ABAP Dictionary (SE11) the result is all data records.

Note: if we change annotation in DDL, activate CDS view for changes to be applied, we will see all records in
data preview once again. This means that a check is o .

@AccessControl.authorizationCheck: #NOT_ALLOWED

Conclusion of Part 2: We see how access control is working in simple case of selection from a table, let’s move
to analytic CDS views.

_____________________________________________________________________________

Part III. Access control for analytical CDS views with CUBE data category

1. Create a our own CDS view by coping existing one. This is CDS view with CUBE data category.

@AbapCatalog.sqlViewName: 'Z05_IFLIGHTAIRP' // Name of the CDS database view in t


@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authoriz
@EndUserText.label: 'Flight by airport' // Translatable short text. Max 60cha
@VDM.viewType: #COMPOSITE // This is a COMPOSITE interface view
@Analytics.dataCategory: #CUBE // Makes it avaialble for analytics a
@Analytics.dataExtraction.enabled: false // No data extraction allowed as you

define view Z05_I_FlightByAirport as select from Z00_I_Flight // A CDS is implemented using a query
{ // No associations needed as these ar
// In the BASIC view we used alias to
// Also the associations from the oth
@ObjectModel.foreignKey.association: '_Airline' // Defines a foreignkey association f
key Z00_I_Flight.Airline, // Use the column Airline as a key fi

@ObjectModel.foreignKey.association: '_FlightConnection' // Defines a foreignkey association f


key Z00_I_Flight.FlightConnection, // Use the column FlightConnection as
key Z00_I_Flight.FlightDate, // Use the column FlightDate as a key

@EndUserText.label: 'Airport From' // Add an enduser label to make sure


@ObjectModel.foreignKey.association: '_AirportFrom' // Defines a foreignkey association f

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 9/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

key Z00_I_Flight._FlightConnection.AirportFrom, // Use the column _FlightConnection.A


Follow RSS feed Like

@EndUserText.label: 'Airport To' // Add an enduser label to make sure


@ObjectModel.foreignKey.association: '_AirportTo' // Defines a foreignkey association f
key Z00_I_Flight._FlightConnection.AirportTo, // Use the column _FlightConnection.A

@Semantics.currencyCode: true // This tells the column AirlineUsedC


key Z00_I_Flight.Currency, // Use the column Currency as a key f

@ObjectModel.foreignKey.association: '_AircraftType' // Defines a foreignkey association f


key Z00_I_Flight.AircraftType, // Use the column AircraftType as a k

@Semantics.amount.currencyCode: 'Currency' // The annotated field contains a mon


@DefaultAggregation: #MIN // The field is aggregated using MIN
Z00_I_Flight.FlightPrice, // Use the column FlightPrice
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeat
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSea
@Semantics.amount.currencyCode: 'Currency' // The annotated field contains a mon
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.CurrentBookingsTotalAmount, // Use the column CurrentBookingsTota

/* Associations */
Z00_I_Flight._AircraftType, // The fields from the association _A
Z00_I_Flight._Airline, // The fields from the association _A
Z00_I_Flight._FlightConnection, // The fields from the association _F
Z00_I_Flight._FlightConnection._AirportFrom, // This needs to be added because air
Z00_I_Flight._FlightConnection._AirportTo // This needs to be added because air
}

Data preview for this CDS view in HANA Studio. Number of rows is 4894.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 10/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

2. De ne access control for CDS view with CUBE data category.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'


@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline ) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' );

3. In part II of this post we included ZS_CARRID authorization object to our user. Check result in data preview in
HANA Studio. Number of rows is 530.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 11/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

4. Check result in RSRT t-code. Number of rows is 530. The same result.

5. Check result in BO Analysis for Excel. The result is the same, only selected Airlines are availible for our user.

Note. There is no transnational data for AF Airline, that’s why it is not shown at the screen above.

________________________________________________________________________________

Part IV. Access control for analytical query CDS views

1. Create an analytical query CDS view in CUBE CDS from Part III.

@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in t


@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorizat
@EndUserText.label: 'Available Flights' // Translatable short text. Max 60cha
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 12/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

@Analytics.query: true // By tagging the CDS view as an anal


Follow RSS feed Like
@OData.publish: true // Generates a suitable OData service

define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query


// Take care with ODa
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums app
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums app
Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums app
Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // C
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums app
@EndUserText.label: 'Departure Airport' // Add an human readable enduser labe
Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // C
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums app
@EndUserText.label: 'Arrival Airport' // Add an human readable enduser labe
Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo
Z05_I_FlightByAirport.Currency, // Use the column Currency
Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums app
Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeat
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSea
@DefaultAggregation: #FORMULA // Important to know for formular pla
// view aggragation, so it's not on a
// as they cannot be evaluated at the
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums app
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as Numbe
}

2. Data preview for this CDS view in HANA Studio. Number of rows is 4894. It seem that CDS view analytical
query is not use Cube CDS view authorization, but it is not true. You don’t need to create additional access
control for analytical query CDS view.

3. Check result in RSRT or BO Analysis for Excel. The results demonstrate that authorizations of Cube CDS view
are used in analytical query.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 13/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

Note: It is not required to create any variables in analytical query de nition, like we did in BEx query with
authorization characteristics.

4. Modify access control for Cube CDS view. Add eld authorization object ZS_CONNID instead of ZS_CARRID.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'


@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( FlightConnection) = aspect pfcg_auth ( ZS_CONNID,
CONNID,
actvt = '03' );

The analytical query result is more strict (look at ZS_CONNID de nition in Part II Step 4). Now number of rows
is 212 in my case.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 14/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

________________________________________________________________________________

Part V. UNION or INTERSECTION of authorizations

1. Intersection of authorizations with “AND”. New authorization ZS_FLDAT was de ned for 3 days range only
(04.02.2015 – 06.02.2015). DCL modi cation for intersection:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'


@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) AND
(FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 15/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

2. Union of authorizations with “OR”:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'


@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) OR
( FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );

3. Two elds in one authorization object is like intersection.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 16/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'


@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline, FlightDate) =
aspect pfcg_auth ( ZS_NEW,
CARRID,
FLTDATE,
actvt = '03' );

Notes: Don’t forget to de ne authorizations at Cube CDS view level, not analytical query level. If you de ne the
same authorizations from Part V at analytical query level:

In Data Preview of SAP HANA Studio the results seem to be correct


In RSRT, BO Analysis for Excel and other tools using OLAP Engine authorizations from Cube CDS view are
used (if de ned).

Notes: For analytical query for results in HANA Studio data preview showed all data, to correct this create
access control for analytical query:

@MappingRole: true
define role Z05_ROLE_2 {
grant select on Z05_C_FlightByAirportQuery
inherit Z05_ROLE; }

Conclusion for Part V: You can de ne intersection or union of authorizations for Analytical CDS views.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 17/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow RSS feed Like

Thank you for attention!

Alert Moderator

Assigned tags

ABAP Development | SAP S/4HANA | abap cds | abap cds views | authorizations |

View more...

Related Blog Posts

How to make access control in ABAP CDS.


By Tarun Singh , Feb 10, 2021
ABAP Core Data Services – Part 1(ABAP CDS Entities)
By Tushar Sharma , Sep 09, 2017
Standard DEMO Examples of ABAP CDS views
By Maksim Alyapyshev , Feb 21, 2017

Related Questions

CDS view authorization - Is existing SAP ECC authorization enough?


By Aleksandrs Frolovs , Aug 21, 2019
Calculation views or HANA CDS views
By Sreekanth Surampally , Oct 30, 2017
Authorization Variable on BEx query created on CDS view
By Ahmed Riyaz , Oct 26, 2018

23 Comments

You must be Logged on to comment or reply to a post.

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 18/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Follow | Post author


Maksim Alyapyshev RSS feed Like

February 28, 2017 at 6:53 am

Additional Note:

If you exclude from analytical query de nition elds by which authorizations are checked all will be ltered
correctly.

Like(0)

Former Member

March 2, 2017 at 11:13 pm

Great work Maksim!

I was looking for help & examples around this .

Like(0)

Florian Henninger

March 6, 2017 at 9:13 pm

Nice Work.

I like the owing style of the examples. Not something really new, but would suggest that it is easier to read
through your blog than working through the o cial help:-)

Like(0)

Maksim Alyapyshev | Post author

March 7, 2017 at 12:36 pm

Thank you, Florian!

Like(0)

Horst Keller

March 20, 2017 at 1:15 pm

Just for the sake of completeness, here’s the o cial help (where part one can also be found):
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 19/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

https://help.sap.com/http.svc/rc/abapdocu_751_index_htm/7.51/en-US/index.htm?
Follow
le=abencds_authorizations.htm RSS feed Like

Praise for extending it to more real life examples ...

Like(0)

Praneeth Chintapalli

May 10, 2017 at 9:57 am

Great Job.

Like(0)

Cemal Aslan

May 19, 2017 at 9:24 pm

Thumbs up, that's what I was looking for. Thank you.

Like(0)

Marcelo Berger

May 31, 2017 at 4:31 pm

Great blog! Thank you!

Like(0)

Former Member

June 29, 2017 at 2:02 pm

Awesome Blog! This is what I was looking for.

Like(0)

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 20/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Sudarshan Survepalli
Follow RSS feed Like
August 16, 2017 at 4:06 pm

Thank you really helpful for starters.

Like(0)

Maksim Alyapyshev | Post author

November 10, 2017 at 9:51 am

Additional Note 2:

If you are going to use ABAP CDS view in other ABAP logic, e.i. in ABAP reports I recommend you to look at
great Horst Keller blog:

https://blogs.sap.com/2015/12/07/abap-news-for-release-750-abap-cds-access-control/

Brie y:

In ABAP report use select from entity name (name after de ne view), not from DB view name (name
in @AbapCatalog.sqlViewName: 'DB_view') if you want DCL to be checked and data ltration occurred.
If you de ne @AccessControl.authorizationCheck: #CHECK or @AccessControl.authorizationCheck:
#NOT_REQUIRED it will work.
If you modify annotation in DDL to @AccessControl.authorizationCheck: #NOT_ALLOWED,then DCL will be
ignored.

Like(0)

Manish Majumdar

November 5, 2019 at 6:19 pm

Hello Maksim,

Appreciate your time in getting the blog. I have two questions around the DCLs:

1. uname ?= aspect user

The above syntax of aspect user, does it work on 7.50?

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 21/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

2. Aspect pfcg_auth does it work on 7.50?


Follow RSS feed Like

Like(0)

Maksim Alyapyshev | Post author

November 6, 2019 at 7:04 am

Hi!

1. Seems to be not available in 7.5.


2. Available.

Link to documentation:

https://help.sap.com/viewer/f2e545608079437ab165c105649b89db/7.5.16/en-
US/707332186bf41014b5040bee4e204223.html

Also try to create new DCL (if you have system), in template there are useful comments. There are all available
features.

BR, Maksim

Like(0)

K Shiva

December 13, 2019 at 6:13 pm

Hello Maksim,

This blog is very useful. I have one questions around the DCLs:

I have created an Analytical ori application with the back end implementation as SQL view of a CDS.

I have done this by adding the sql name in the X-Query of the URL Parameters in the target mapping of the tile
in Launchpad con guration.

Now i have created the DCL for the CDS view and the data when i execute the cds is getting ltered by DCL but
the data in the ori app is not getting ltered.

Seems the SQL View is not applying the DCL while rendering result on Analytical application.

Now how can i apply the DCL on the Analytical application which is using SQL view of a cds ?

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 22/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

or how can i achieve this ?


Follow RSS feed Like
Like(0)

zaza Wang

January 5, 2020 at 1:13 pm

Great post, Thank you .

Like(0)

viswanath thammineni

May 6, 2020 at 4:47 am

Great Post..thank you.

i have few more doubts like

How to enhance/extend standard Access Control by adding new authorization object?

Whether is it possible or not?

Like(0)

Maksim Alyapyshev | Post author

May 6, 2020 at 5:56 am

Hi,

As I know It is not possible to enhance Access Control, but you could create an additional one.

There should work as AND.

BR,

Maksim

Like(0)

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 23/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Dmitrii Sharshatkin
Follow RSS feed Like
December 15, 2020 at 10:42 am

Hi Maksim,

I’ve created 2 ACs for one CDS.

But authorizations are taken using OR condition.

Is it then a bug ?…

Thanks, Dima

Like(0)

Olivier Souksamran

December 15, 2020 at 11:25 am

Dmitri,

This is actually acting like you experienced it. Maksim said it "should work as AND" but unfortunatly it does not.

If one of AC is passed, then access is granted to the exposed data.

Regards,

Olivier

Like(0)

Dmitrii Sharshatkin

December 15, 2020 at 1:17 pm

Hi Olivier,

thanks for clarifying. Yes, indeed, they are joined with "OR" by default.

But I've discovered, in 7.54 (S/4 1908), there is an option 'COMBINATION MODE', which brings required
functionality:

https://help.sap.com/doc/abapdocu_754_index_htm/7.54/en-US/index.htm?
le=abencds_dcl_role_cond_rule.htm

Regards, Dima

Like(1)

Oli i S k
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 24/25
2/15/2021 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Olivier Souksamran
December 15, 2020 at 1:33 pmFollow RSS feed Like

Dear Dmitrii,

Thanks for sharing. My system is still in 1809

Regards,

Olivier

Like(0)

Alexandra Marinescu

January 26, 2021 at 4:15 pm

That’s very useful, Dima! Thanks for sharing!

Like(0)

Pranav Kapoor

June 14, 2020 at 7:32 am

Great post.......Thank you

Like(0)

Find us on

Privacy Terms of Use

Legal Disclosure Copyright

Trademark Cookie Preferences

Newsletter Support

https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 25/25

You might also like