vallabha_malekar

What is DCL?

DCL stands for Data Control Language. DCL is used to define and manage access controls and authorizations for CDS views. It specifies which users or roles have access to the data exposed by a CDS view and what type of operations they can perform on this data. 

Scenarios covered for CDS views using DCL:

1. How do I apply authorization only if both role conditions are true?

2. We have two roles and I want to ignore the first role. How?

3. What is Inherited_Rule?

4. With two roles, how do I apply authorization if either role condition is true?

CDS DCL (Data Control Language):

  • It further restricts the data read from a CDS entity.
  • A CDS role is not assigned to individual users and is evaluated for every user instead.
  • DEFINE ROLE is used to restrict user access to an entity.

In CDS DCL we have access rules.

Access rules:

  • Access rules can define access conditions but also provide full access.

Access conditions are based primarily on:

  • Literal values
  • Classic authorizations of the current user
  • Data from other CDS entities defined by a selection with the current user (self-defined aspects)

Access Control Annotation:

  • The access conditions are evaluated implicitly in each ABAP SQL read.
  • The check is based on the annotation @AccessControl.authorizationCheck, which takes these values:

           1. #CHECK (default value)

           2. #NOT_REQUIRED

           3. #NOT_ALLOWED

  • If access control is enabled, only that data is read that meets the access conditions.

@AccessControl.authorizationCheck: #CHECK

  • #CHECK is the default value.
  • When the annotation is set to #CHECK, the DCL defined for the CDS view is evaluated each time the view is called.
  • If access control is enabled, only that data is read that meets the access conditions.
  • If we set @AccessControl.authorizationCheck: #CHECK and have not created a DCL for the CDS view, we get a warning like ‘DCL is not exist’. To avoid this, we can use #NOT_REQUIRED.
  • If you have a DCL but do not want access control applied to the CDS entity, use #NOT_ALLOWED.
  • If access control is enabled, only that data is read that meets the access conditions with privileged access.

How to disable access control:

  • If we have created a DCL but do not want it applied whenever we access data from the CDS entity, we set the annotation to #NOT_ALLOWED. It then gives access to every user.
  • When we access the CDS entity through ABAP SQL using WITH PRIVILEGED ACCESS, the DCL is not executed, even if a DCL exists and the authorization check is set to #CHECK.
  • By creating a full access rule for the entity in a customer CDS role.
  • Access control does not apply when a CDS entity is used as a data source in another CDS entity.
  • When CDS entities are accessed using ABAP SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because it is not allowed by CDS access control.
  • If one CDS entity is used in another, for example CDS entity 2 is used in CDS entity 1, and CDS entity 2 has some restrictions, those restrictions are not applied when we access CDS entity 1, because a DCL works only on the CDS entity it was created for, not on its sub CDS views.

How to give authorization:

First create a definition, put the cursor on the definition, right-click, and click on New Access Control.

Left side: DCL program

Right side: CDS entity

Here I set the CDS entity to @AccessControl.authorizationCheck: #NOT_ALLOWED.

So it fetches all data.

In this scenario, I set @AccessControl.authorizationCheck: #CHECK.

It evaluates the DCL program.

In this scenario, I set @AccessControl.authorizationCheck: #NOT_REQUIRED.

Output:

How to access this CDS view in a report

Right-click on the package, click on New, click on Other Repository Objects, enter "program", and select ABAP Program.

In the CDS view, instead of #NOT_REQUIRED, I am using @AccessControl.authorizationCheck: #CHECK.

Press F9 in the report program.

Here it fetches data based on the access control condition.

If I do not want to use the DCL, that is, I do not want to apply access control, I can use WITH PRIVILEGED ACCESS.

Output: Here we get the entire data, i.e. the DCL which we created for this CDS view is not evaluated.

1. What is the access rule in CDS access control?

2. Different types of access rule in CDS access control?

3. How to create an authorization object in SU21.

4. Creation of a role in the PFCG t-code.

5. Assign a role to a user?

6. Use a classical authorization object in CDS access control?

1. What is the access rule in CDS access control?

Everything from GRANT to the semicolon ( ; ) is an access rule.

Access rules:

  • Access rules can define access conditions, but also provide full access.
  • The access rules defined by different CDS roles for a CDS entity are joined by a logical “or”.
  • It is advisable to use only one access rule in a CDS role.

2. Different types of access rule in CDS access control?

1. Conditional_rule: controls access using access conditions.

2. Grant_rule: grants unrestricted access.

3. Inherited_rule: applied from an existing CDS role (it can appear only once in a CDS role).

Conditional_rule:

  • With the addition WHERE, it restricts access to a CDS entity using access conditions.
  • COMBINATION MODE AND|OR (optional) is used for multiple access rules for the same CDS entity.
  • The addition can be used for a maximum of one access rule for a CDS entity.
  • This addition also disables existing full access rules for a CDS entity.

Grant_rule:

  • GRANT SELECT ON without the addition WHERE.
  • Partners and customers can use full access rules to override roles supplied by SAP.
  • If SAP provides a CDS entity with a DCL and we create another DCL for the same CDS entity using a grant rule, then the other CDS access controls will have no impact.

Inherited_Rule:

  • A CDS role can only contain one inherited access rule.
  • The existing CDS role parent_role can only contain a single access rule for exactly one CDS entity, which itself can be an inherited access rule.

Normally, if we use a WHERE condition in a DCL access control, it applies to all users. But if I want to provide authorization for a particular user, we go to SU21 and create an authorization object, class and fields.

3. Creation of authorization object and assigning DCL access control.

Open Eclipse.

Press Alt+F8.

It will show like this. In the search bar, enter your t-code and click on OK.

It will open. First we need to create an authorization class, so click on authorization class.

Click on save.

Now create the authorization object. Click on authorization object.

Click on save.

It will open like this. Here we need to specify the authorization field.

So enter SU20 to create authorization fields.

Or click on authorization field.

Click on save.

Come back and enter the authorization field name and the ACTVT field name.

Click on defined permitted values (pen symbol). Click on display. Click on save.

Click on save.

Click on save again and come back.

Close SAP Logon.

Here ASPECT PFCG_AUTH is used to supply the authorization object.

ZMSV_CDS_ --> Authorization object name

ZMSV_WAERK --> Authorization field name

ACTVT = ‘03’ --> Authorization field name; 03 means that we selected ‘DISPLAY’ when defining the field, so here we gave ‘03’.

Here we need to create a role, because a role is what we use to give access to a particular user.

So press Alt+F8.

Enter t-code ‘PFCG’. Select PFCG and click on OK.

It will open like this.

Enter the role name and click on single role.

Give a short description and click on the authorization tab. Click on the symbol beside the profile name (it looks like a hand symbol). When we click on that symbol, the profile name and profile text are created automatically.

Click on Change authorization data. Click on the tick mark.

Select ‘do not select templates’.

It will open like this.

Click on manually.

We need to provide our authorization object name. Click on the tick mark.

Click on the change (ZMSV_WAER) option.

Here we allow only ‘CAD’ data in the WAERK field.

Click on save.

Click on the ACTVT change option.

Tick display and click on save.

Click on save.

Click on the generate option.

Go back. In the authorization tab, it shows green, which means it is activated.

Click on the USER tab. Enter the user ID and click on USER COMPARISON.

Here click on Full Comparison.

It will come like this.

Click on cancel.

Now the 2 tabs are active.

Come back to the CDS view and press F8.

Here we are accessing only WAERK (CAD) data.

We can also access the WAERK = ‘USD’ data by using an OR condition.
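The access rule described by ASPECT PFCG_AUTH above, and the OR extension for USD mentioned here, as an added ABAP CDS DCL example (not the author's original code, which was only in the screenshots). ZDEMO_SALES_VIEW and the ZDEMO_* role names are placeholders; ZMSV_CDS_, ZMSV_WAERK and ACTVT = '03' are the values named in the post.

```abap
// Added example in ABAP CDS DCL. ZDEMO_SALES_VIEW and the ZDEMO_* role names
// are placeholders. ZMSV_CDS_, ZMSV_WAERK and ACTVT = '03' come from the post.
// Activate only one of the two roles at a time: rules from different roles
// for the same entity are joined by a logical OR.

// Role 1: the user reads only rows whose WAERK value is permitted by an
// authorization for object ZMSV_CDS_ with activity 03 (display).
// With the PFCG role from the post (WAERK field = CAD), only CAD rows are read.
@EndUserText.label: 'Demo: currency restricted by PFCG authorization'
@MappingRole: true
define role ZDEMO_ROLE_PFCG {
  grant select on ZDEMO_SALES_VIEW
    where ( waerk ) = aspect pfcg_auth( ZMSV_CDS_, ZMSV_WAERK, ACTVT = '03' );
}

// Role 2: the same PFCG check, extended with a literal condition joined by OR.
// USD rows become readable by every user, whatever their PFCG roles contain,
// because a literal condition does not depend on the current user.
@EndUserText.label: 'Demo: PFCG authorization or literal USD'
@MappingRole: true
define role ZDEMO_ROLE_PFCG_OR_USD {
  grant select on ZDEMO_SALES_VIEW
    where ( waerk ) = aspect pfcg_auth( ZMSV_CDS_, ZMSV_WAERK, ACTVT = '03' )
       or waerk = 'USD';
}
```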

1. How do I apply authorization only if both role conditions are true?

COMBINATION MODE AND:

Here I created one CDS entity and one role. Inside the role I put 2 access controls. With COMBINATION MODE AND, data is returned only if both access controls are satisfied.

But with COMBINATION MODE AND the result is blank, because both conditions must be satisfied. I filtered on CAD and USD, and both conditions can never be satisfied together. So the output is blank.

Output:

2. We have two roles and I want to ignore the first role. How?

REDEFINITION:

I created one access control and I want to override it. In this scenario we can use the REDEFINITION keyword. If I use REDEFINITION, all my previous DCL controls are ignored and only what we specify in the current control applies.

It is an obsolete concept. Here I created one role and I want to inherit this role in another role.

3. CDS DCL – Access Rules (INHERITED_RULE)

  • A CDS role can only contain one inherited access rule.
  • The existing CDS role parent_role can only contain a single access rule for exactly one CDS entity, which itself can be an inherited access rule.

4. With two roles, how do I apply authorization if either role condition is true?

Output: Here, it is the combination of USD and CAD.

There is also another way to access the WAERK = ‘USD’ data.

The output is again the same.

Output:

In this scenario I am using COMBINATION MODE OR. It gives the same output.
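Scenario 1 (COMBINATION MODE AND) and scenario 4 (COMBINATION MODE OR) side by side, as an added ABAP CDS DCL example that is not the author's original code. ZDEMO_SALES_VIEW and the role names are placeholders; the WAERK field and the CAD/USD literals follow the post.

```abap
// Added example in ABAP CDS DCL. ZDEMO_SALES_VIEW and the ZDEMO_* role names
// are placeholders. Each "define role" is its own access control source.
// Activate only one variant at a time, otherwise the rules of both roles
// are combined for the same entity.

// Variant A (scenario 1): both conditions must hold.
@EndUserText.label: 'Demo: rules combined with AND'
@MappingRole: true
define role ZDEMO_ROLE_AND {
  grant select on ZDEMO_SALES_VIEW
    where waerk = 'CAD';

  // COMBINATION MODE AND joins this rule to the other rules for the entity
  // with AND, giving: waerk = 'CAD' AND waerk = 'USD'.
  // No row can have both currencies, so every user reads an empty result.
  grant select on ZDEMO_SALES_VIEW
    combination mode and
    where waerk = 'USD';
}

// Variant B (scenario 4): either condition is enough.
@EndUserText.label: 'Demo: rules combined with OR'
@MappingRole: true
define role ZDEMO_ROLE_OR {
  grant select on ZDEMO_SALES_VIEW
    where waerk = 'CAD';

  // COMBINATION MODE OR matches the default behaviour of joining rules
  // with a logical OR, giving: waerk = 'CAD' OR waerk = 'USD'.
  // Rows in either currency are returned.
  grant select on ZDEMO_SALES_VIEW
    combination mode or
    where waerk = 'USD';
}
```

Because an ABAP SQL read cannot tell filtered rows from missing rows, the empty result of variant A looks the same to the calling program as a view with no data.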
