Kontakt

Ansicht
Dokumentation

ABENCDS_F1_DCL_FUNCTION - CDS F1 DCL FUNCTION

ABENCDS_F1_DCL_FUNCTION - CDS F1 DCL FUNCTION

BAL Application Log Documentation   Vendor Master (General Section)  
This documentation is copyright by SAP AG.
SAP E-Book

- DEFINE ROLE, dcl_function

... ${ SACF_CHECK_IN_USE( NAME => scenario_name $[, OBJECT => auth_object $] )
          IS $[NOT$] INITIAL $}
  $| ${ OPTIONAL_ELEMENT_EXISTS( NAME >= element )
          IS $[NOT$] INITIAL $} ...

Variants:

1. ... SACF_CHECK_IN_USE ...

2. ... OPTIONAL_ELEMENT_EXISTS ...

Effect

DCL functions are evaluated in the ABAP application server before the access conditions are sent to the database.

They evaluate to either logical TRUE or logical FALSE and then may result in reduction of the logical expression tree of the access control.

Note

The effect of the DCL function applies at runtime only. Syntactical correctness of the access control must be always given.

For example, in a condition like dcl_function AND element IS NULL a syntax error will appear when element does not exist, even when the dcl_function at the time of compilation behaves like a logical FALSE.

Variant 1

... SACF_CHECK_IN_USE ...


Effect

Using this DCL function, the state of switchable authorization checks can be queried and used in an access control to enable or disable condition blocks.

The function behaves like the ABAP method CL_SACF=>SACF_CHECK_IN_USE with its parameters ID_NAME and ID_OBJECT. The returned value can only be tested by the IS $[NOT$] INITIAL operator:

  • SACF_CHECK_IN_USE( ... ) IS INITIAL is TRUE when the given scenario (eventually specifically for the given authorization object) is not active, that is, an authorization check switched by this scenario behaves like full authorization.
  • SACF_CHECK_IN_USE( ...) IS NOT INITIAL is TRUE when the given scenario (eventually specifically for the given authorization object) is active, that is, an authorization check switched by this scenario is executed based on the users authorizations.

Example

GRANT SELECT ON cds_entity
  WHERE
    SACF_CHECK_IN_USE (NAME => NEW_AUTH_SWITCH ) IS INITIAL
      AND
    ( element ) = ASPECT PFCG_AUTH( OLD_AUTH, F )
  OR
    SACF_CHECK_IN_USE( NAME => NEW_AUTH_SWITCH ) IS NOT INITIAL
      AND
    ( element ) = ASPECT PFCG_AUTH( NEW_AUTH, F );

This access control realizes a migration from an old authorization object OLD_AUTH to a new authorization object NEW_AUTH based on the SACF scenario NEW_AUTH_SWITCH. As soon as this scenario is activated, the old authorization object is no longer considered.

Note

When you only need to introduce new authorization objects without the need to instantly disable the evaluation of a predecessor, the regular syntax addition to PFCG conditions is preferred:

( element ) = ASPECT PFCG_AUTH( NEW_AUTH IN SCENARIO NEW_AUTH_SWITCH, F)

Variant 2

...  OPTIONAL_ELEMENT_EXISTS ...


Effect

With this DCL function, existence of the given CDS element in the protected entity can be queried at runtime. Based on the outcome of the check, larger condition blocks in the access control can then be enabled or disabled.

It is an extension to the concept of optional elements (WITH OPTIONAL ELEMENTS) and allows application not only for newly introduced elements, but also for replacement scenarios in which an element is semantically replaced by another element.

Notes

  • The element which is queried in the function must be declared as optional element.
By using the function with an element, you explicitly make clear that the element may be missing, therefore declaring it optional is mandatory to avoid syntactically wrong access controls when the element is missing.
  • The element which is queried in the function must be used at least once outside in the access control in a condition statement.

Example

GRANT SELECT ON cds_entity
   WITH OPTIONAL ELEMENTS (itemState DEFAULT FALSE )
     WHERE
       OPTIONAL_ELEMENT_EXISTS( NAME => itemState ) IS INITIAL
         AND
          toItem.state = 'A'
     OR
       OPTIONAL_ELEMENT_EXISTS( NAME => itemState ) IS NOT INITIAL
         AND
          itemState = 'A';

This access control formerly realized access control using an association.

To increase the selection performance, this association should be replaced by a replica of the used element in the protected entity itself (itemState).

As this element is not instantly available in CDS entities which inherit their access conditions from this entity, the new element is introduced as optional element (the default value FALSE is secure by default, but in the current case not used at runtime due to the DCL function), and in this case, the former access control should apply.

As soon as the new element becomes available, it should be used instead and the former one no longer be used at all (to avoid performance degradation due to join evaluation).






TXBHW - Original Tax Base Amount in Local Currency   rdisp/max_wprun_time - Maximum work process run time  
This documentation is copyright by SAP AG.

Length: 8267 Date: 20240512 Time: 120708     sap01-206 ( 68 ms )