
ABENCDS_ACCESS_CONTROL - CDS ACCESS CONTROL

This documentation is copyright by SAP AG.

- Access Control

ABAP CDS enables access control based on a data control language (CDS DCL). Access control in ABAP CDS further restricts the data returned from a CDS entity in ABAP CDS. CDS access control is based on the following aspects:

  • CDS roles defined using the CDS DCL statement DEFINE ROLE. A CDS role is not assigned to individual users and is evaluated for every user instead.
  • Access rules defined for CDS entities in a CDS role. Access rules can define conditions, but also provide full access. In a CDS role, access rules can be inherited from another CDS entity or rule.

If a CDS role with access rules is defined for a CDS entity, the access conditions are evaluated implicitly in each read, unless access control is switched off using the value #NOT_ALLOWED for the annotation @AccessControl.authorizationCheck or using the addition WITH PRIVILEGED ACCESS in the FROM clause of an ABAP SQL query. If access control is enabled, only data that meets the access conditions is read.

Every CDS role is defined in its own separate piece of DCL source code. These pieces of DCL source code can only be edited in the ABAP Development Tools (ADT). DCL source code can also be displayed in Repository Browser in ABAP Workbench. The DCL source code of a CDS role is edited in a different editor than DDL, DDLA, and DDLX source code. The ADT documentation describes how the different types of source code are created.

Notes

  • CDS access control provides an additional method for checking authorizations in the SAP authorization concept. Authorizations in the SAP authorization concept are based on authorization objects and are granted in the classic role maintenance (transaction PFCG). In classic authorization checks, the authorizations are either checked implicitly (such as when transactions are called) or explicitly using the statement AUTHORITY-CHECK. CDS access control expands these checks to include implicit evaluations of access conditions.
  • It is advisable to continue to use classic authorization checks for start authorizations (used to check whether a user can start an application in the first place). CDS access control can be used within an application to perform authorization checks (used to check the authorization of a user as defined by the data model and the data in question).
  • When CDS entities are accessed using ABAP SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because reading it is not allowed by CDS access control.
  • CDS access control modifies the database selection performed by the application code. Although the amount of data returned is reduced, the additional filter work may have an effect on the statement performance. The effect depends on the complexity of the access control, the complexity of the protected CDS entity, the amount of data in the PFCG role data assigned to the user and the position of the protected entity in the concrete database statement.
  • When a CDS entity is used as a data source in another CDS entity, its access controls are not considered when the wrapping entity is accessed. CDS access control only applies to the entry level entities accessed by ABAP SQL.
  • CDS access control does not work for client-independent access. This is why, in ABAP SQL, the addition USING or the obsolete addition CLIENT SPECIFIED can only be used when accessing CDS entities where access control is disabled.
  • In emergency mode (user SAP*), CDS access control is disabled. This not only affects PFCG conditions but also literal access conditions and self-defined aspect conditions.
  • Access control can be disabled in particular in the following ways:
      • If access control is not applicable in general (for example because the unit in question is a technical unit), the annotation @AccessControl.authorizationCheck with the value #NOT_ALLOWED can be specified in its CDS data definition.
      • If access control is not applicable only in specific places, the addition WITH PRIVILEGED ACCESS can be used in the FROM clause of an ABAP SQL query.
      • Access control can be disabled for an entity (without making modifications) by creating a full access rule for the entity in a customer CDS role.
      • A CDS entity can also be used as a data source in another CDS entity for which access control is disabled.
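
The two kinds of access rule described above, a conditional rule and a full access rule, written as two separate pieces of DCL source code. This is an added example, not taken from the SAP documentation: the role names and the entity Z_Demo_Carrier with its element CarrierId are hypothetical, and the authorization object S_CARRID with the fields CARRID and ACTVT is assumed to exist in the system.

```cds
// DCL source 1 (hypothetical names): CDS role with a conditional access rule.
// Assumes the CDS entity Z_Demo_Carrier has an element CarrierId and does not
// set @AccessControl.authorizationCheck to #NOT_ALLOWED.
@EndUserText.label: 'Carriers the user may display'
@MappingRole: true
define role Z_Demo_Carrier_Role {
  grant select on Z_Demo_Carrier
    // PFCG condition: a row is returned only if its CarrierId matches a value
    // the current user holds for field CARRID of authorization object
    // S_CARRID (assumed), together with activity 03 (display).
    where ( CarrierId ) = aspect pfcg_auth( S_CARRID, CARRID, ACTVT = '03' );
}

// DCL source 2 (hypothetical names): a separate customer CDS role with a
// full access rule. The rule has no WHERE condition, so, as stated in the
// notes above, it disables access control for the entity without modifying
// the entity or the first role.
@EndUserText.label: 'Full access to carriers'
@MappingRole: true
define role Z_Demo_Carrier_Full {
  grant select on Z_Demo_Carrier;
}
```

When reviewing the roles of a system, a grant select without a WHERE condition on an entity that another role restricts deserves a check, because it removes the row-level filter for every user.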





