
ABENNEWS-756-CDS_ACCESS_CONTROL - NEWS-756-CDS ACCESS CONTROL

This documentation is copyright by SAP AG.

Access Control in Release 7.56





Graceful Behavior in Access Condition Inheritance for Missing Dictionary Elements

From this release on, authors of access controls can mark a subset of the CDS elements used in their access conditions as optional, so that CDS entities that inherit these access conditions are no longer affected by a Day-1 impact.

GRANT SELECT ON cds_entity WITH OPTIONAL ELEMENTS (
     element1 DEFAULT (TRUE|FALSE), ...) WHERE ...




Quantifier Operators

With the new addition ALL, access conditions can express that access is granted only when all values of a set-valued association satisfy the condition.

WHERE ALL toItem.State = 'A'

To accompany this use case, the BYPASS WHEN operator has also been extended to literal conditions.

A dedicated operator EXISTS can be used when different access conditions that use the same set-valued association are not to be coupled in their fields by a common join expression.




Unified Syntax for Authorization Objects, Authorization Fields and SACF Scenario Names

In all locations of access controls, references to authorization objects, authorization fields, and SACF scenario names can be written in identifier syntax when they comply with it or, alternatively, in string syntax with single apostrophes.

Before:

( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO 'THESCENARIO' )

Now allowed:

( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO TheScenario )




Additional Filtering of Self-Defined Aspect Usage

Self-defined aspects can now designate an arbitrary set of their elements (path expressions are supported) as filter elements. These filter elements can be referenced when the self-defined aspect is used in an access condition.

DEFINE ASPECT ... AS SELECT FROM ...
  WITH USER ELEMENT ...
  WITH FILTER ELEMENTS ( element1, element2 AS alias2 )
  {
      ...
  }
WHERE ( ... ) = ASPECT ... FILTER BY ( element1 = 'X' OR
                                       alias2 IS NOT NULL )




Condition Replacement for Role-Based Inheritance

The REPLACING section, formerly available only to entity-based inheritance

INHERITING CONDITIONS FROM ENTITY cds_entity

is now also available for role-based inheritance

INHERIT role FOR GRANT SELECT ON cds_entity




Generic Element Replacement for Condition Inheritance

The REPLACING section of condition inheritance now supports a generic replacement step to replace an arbitrary field or association of the inheritance source with an arbitrary field or association of the inheritance target.

WHERE INHERITING CONDITIONS FROM ENTITY Source REPLACING {
  ELEMENT Element1OfSource WITH Element1OfTarget,
  ELEMENT Assoc1OfSource WITH Assoc1[r = 4].Assoc2OfTarget,
  ELEMENT Assoc2(p : $parameters.p1)[ q = 1].Field WITH MyShortField }




Enabling/Disabling of Access Conditions Based on the State of SACF

Respecting settings in the switchable authorization framework (SACF) was already possible for dedicated PFCG conditions:

ASPECT PFCG_AUTH ( S_OBJECT IN SCENARIO ... )

Now, those settings can be used to enable or disable entire condition sets:

GRANT SELECT ON cds_entity
  WHERE
    SACF_CHECK_IN_USE (NAME => NEW_AUTH_SWITCH ) IS INITIAL
      AND
    ( element ) = ASPECT PFCG_AUTH( OLD_AUTH, F )
  OR
    SACF_CHECK_IN_USE( NAME => NEW_AUTH_SWITCH ) IS NOT INITIAL
      AND
    ( element ) = ASPECT PFCG_AUTH( NEW_AUTH, F );




Access Conditions for CDS Hierarchies Based on Elements of the Hierarchy Directory

For CDS hierarchies, access control was restricted to the use of conditions not resulting in database filtering. Now elements located in the declared hierarchy directory

DIRECTORY ... FILTER BY

can be used to formulate such conditions.



Consideration of Special Runtime Modes

When operating the system with the emergency user SAP*, CDS access control is now deactivated.

During processing of an update task, PFCG conditions are now considered as fully authorized.








