Ansicht
Dokumentation

ABENCDS_F1_COND_PFCG_MAPPING - CDS F1 COND PFCG MAPPING

BAL_S_LOG - Application Log: Log header data   Fill RESBD Structure from EBP Component Structure  
This documentation is copyright by SAP AG.

- DEFINE ROLE, pfcg_mapping

... ( ... { element1$[, element2 ...$] } ... )
        =|?= ASPECT pfcg_auth
               ( ... PFCG_MAPPING = pfcg_mapping ...  ) ...

Effect

Assigns an element list specified in curly brackets { element1$[, element2 ...$] } to a PFCG mapping pfcg_mapping in the definition of a PFCG condition.

• The element list of the left side is a comma-separated list of one or more directly specified CDS elements of the CDS entity for which the access condition is defined. An element element can also be specified using a path expression path_expr and must have one of the valid data types.

• After PFCG_MAPPING =, the right side must specify a PFCG mapping pfcg_mapping defined using DEFINE PFCG_MAPPING as part of a CDS access policy.

When the PFCG condition is transformed into specific conditions, the PFCG mappings are handled as follows by CDS access control:

• The authorization fields specified in the comma-separated list of the definition of the PFCG mapping are used as input fields of the mapping pfcg_mapping.

• The output fields of the PFCG mapping are compared with the CDS elements of the element list assigned to the PFCG mapping in the PFCG condition.

The other conditions of the PFCG condition are created as described there. The PFCG condition is true if the conditions for the individually specified CDS elements and the PFCG mapping are met. If multiple authorizations exist for a single authorization field and there are individually specified CDS elements alongside the PFCG mapping, the PFCG mapping is resolved for each individual authorization.

Notes

• PFCG mappings enable those entries in a CDS entity allowed for a particular user to be specified using high-order structural characteristics.

• Using PFCG mappings can negatively affect performance, particularly if individual CDS elements are specified simultaneously and if multiple authorizations exist for a single authorization field.

• If the PFCG condition has the addition IN SCENARIO, the PFCG mapping used in this place must also have this addition and name the same scenario.

• Optional elements with DEFAULT TRUE are removed from the element list of the PFCG mapping. If this applies to all elements, a PFCG mapping with empty element list emerges (such cannot be created literally in an access control yet). The runtime result will be an SQL EXISTS on the mapping entity which is supplied from the PFCG role data, but without relation to the protected entity.

Example

The following role uses the PFCG mapping demo_cds_pfcg_mapping defined in the example for DEFINE PFCG_MAPPING in a PFCG condition:

The program DEMO_CDS_AUTH_PFCG_MAPPING accesses the view DEMO_CDS_AUTH_PFCG_MAPPING and an SQL trace demonstrates how the PFCG mapping works.

SUBST_MERGE_LIST - merge external lists to one complete list with #if... logic for R3up   BAL_S_LOG - Application Log: Log header data  
This documentation is copyright by SAP AG.

Length: 5624 Date: 20240420 Time: 104507     sap01-206 ( 91 ms )