Kontakt

Ansicht
Dokumentation

ABENCDS_F1_COND_INHERIT - CDS F1 COND INHERIT

ABENCDS_F1_COND_INHERIT - CDS F1 COND INHERIT

Addresses (Business Address Services)   RFUMSV00 - Advance Return for Tax on Sales/Purchases  
This documentation is copyright by SAP AG.
SAP E-Book

- DEFINE ROLE, inherit_condition

... ${ ${ INHERIT parent_role FOR GRANT SELECT ON cds_entity $}
  $| ${ INHERITING CONDITIONS FROM
       ${ ENTITY cds_entity $[DEFAULT TRUE$|FALSE$] $}
       $| SUPER $} $}
    $[ replacing $] ...

Variants:

1. ... INHERIT parent_role FOR GRANT SELECT ON cds_entity

2. ... INHERITING CONDITIONS FROM ENTITY cds_entity ...

3. ... INHERITING CONDITIONS FROM SUPER

Effect

Inheritance condition as part of an access condition cds_cond in an access rule of the statement DEFINE ROLE in CDS DCL. There are three variants:

  • The variant INHERIT FOR GRANT applies the access conditions from a different CDS role.
  • The variant INHERITING CONDITIONS FROM ENTITY applies the access conditions from a CDS entity.
  • The variant INHERITING CONDITIONS FROM SUPER applies the access conditions from roles that are redefined by the current role.

In all variants, the inherited conditions can be altered by replacing before they are applied to the CDS entity of the current access control.

Notes

  • The inherited access conditions are parenthesized implicitly. It is not necessary to set parentheses explicitly.
  • An inheritance condition cannot be negated using NOT.
  • Full access rules can be inherited and are represented in the resulting conditions as the Boolean predicate TRUE.
  • Using inheritance can cause cycles which result in syntax errors.
  • Both inheritance flavors consider access rules that are declared in the same access role as the inheritance statement. The access rule which contains the inheritance statement is excluded. This feature allows the demonstration of inheritance within a single access control document for test purposes.

Variant 1

... INHERIT parent_role FOR GRANT SELECT ON cds_entity


Effect

This variant of an inheritance condition copies the access rules declared in the CDS role parent_role for the CDS entity cds_entity. If the role parent_role has multiple access rules for the same CDS entity cds_entity, they are inherited using conditions joined by a logical "or".

The inherited access conditions inherited from parent_role must match the current CDS entity.

Notes

  • This variant of inherited access rules is used to apply the access conditions for CDS entities that are used as data sources in the current CDS entity.
  • It is still being established whether the current CDS entity contains the CDS entity cds_entity as a data source for which the inherited access conditions are defined in the role parent_role.
  • Any changes to that CDS entity cds_entity for which the inherited access conditions are defined in the role parent_role can produce errors in the inheriting roles.
  • Unlike the obsolete inherited access rules, the existing role parent_role can have multiple access rules. The addition FOR GRANT SELECT ON cds_entity selects the access conditions to inherit.

Example

The following CDS view uses the CDS view DEMO_CDS_AUTH_LIT_PFCG from the example for conditional access rules as the data source:

The view DEMO_CDS_AUTH_LIT_PFCG is assigned to the CDS role DEMO_CDS_ROLE_LIT_PFCG. The access conditions for the CDS entity DEMO_CDS_AUTH_LIT_PFCG of this role are inherited in the following CDS role and hence pass these conditions to the view DEMO_CDS_AUTH_INHERITED. An additional literal condition allows access to another currency.

The language element INHERIT FOR GRANT SELECT ON inherits the access conditions of the existing role for the specified view and joins them with the additional condition. Expressed explicitly, the resulting access condition looks like this:

... where (carrid) =
       aspect pfcg_auth (s_carrid, carrid, actvt='03') and
              currcode = 'EUR' or
              currcode = 'USD' ...

Variant 2

... INHERITING CONDITIONS FROM ENTITY cds_entity $[DEFAULT TRUE$|FALSE$] $[REPLACING ...$]


Addition:

... DEFAULT TRUE$|FALSE

Effect

From a CDS entity cds_entity, this variant of an inheritance condition inherits the access roles defined for it using CDS roles and inserts them at the location of the inheritance condition. This joins the access rules of multiple CDS roles using the same algorithm which also applies to access to the CDS entity cds_entity, that is, COMBINATION MODE and REDEFINITION are respected.

If the CDS entity does not have any access conditions yet, a syntax warning occurs and the expression is replaced with the Boolean predicate TRUE. You can avoid this warning by the DEFAULT addition.

The inherited access conditions must match the CDS entity for which the current access rule is defined.

  • If an inherited access condition does not match the current CDS entity, for example because the wrong field or path is specified, all access rules of the parent CDS role are ignored.
  • If there is no full access rule for the entity in this case, the current CDS role cannot be activated.

  • If there is a full access rule for the entity, the CDS role can be activated but a syntax check warning occurs.

Note

An annotation @AccessControl.authorizationCheck in the source code of the parent CDS entity cds_entity is ignored by INHERITING CONDITIONS. The access rules are passed to the current CDS role even if the value #NOT_ALLOWED is specified.

Addition

... DEFAULT TRUE$|FALSE

Effect

If the source CDS entity does not have a CDS role, this addition replaces the expression INHERITING CONDITIONS ... with the Boolean predicate TRUE or FALSE.

Notes

  • If specified for the variant INHERITING CONDITIONS, DEFAULT TRUE is designed to inherit access conditions from other CDS entities regardless of whether a CDS role is already defined for them or not.
  • If the variant INHERITING CONDITIONS is the only access condition of an access rule and no CDS role is defined for the CDS entity cds_entity, the rule is applied like a full access rule if DEFAULT TRUE is specified and like a rule that generally blocks access if DEFAULT FALSE is specified.

Variant 3

... INHERITING CONDITIONS FROM SUPER


Effect

This variant is possible only if the access rule has the addition REDEFINITION and only if the inherited CDS entity has access controls.

Instead of this condition, those conditions are used that would have been applied by the access controls disabled by REDEFINITION.






Fill RESBD Structure from EBP Component Structure   RFUMSV00 - Advance Return for Tax on Sales/Purchases  
This documentation is copyright by SAP AG.

Length: 14103 Date: 20240425 Time: 172730     sap01-206 ( 171 ms )