Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Showing results for 
Search instead for 
Did you mean: 
former_member205880
Active Participant
115,420
Hi!

In this post I would like to consider a very important authorization aspect of ABAP CDS views. For each CDS view we have to define an access control using DCL.

For the demonstration cases I'm using S/4HANA 1610 on NW 7.51.

There are 5 parts in this post:

Part I. Standard demo access control examples

Part II. Create a simple example based on PFCG authorizations

Part III. Access control for analytical CDS views with CUBE data category

Part IV. Access control for analytical query CDS views

Part V. UNION or INTERSECTION of authorizations

Let's start.

________________________________________________________________________________

Part I. Standard demo access control examples

First of all I recommend to begin with standard demo CDS views in SABAPDEMOS package based on Flight Model.

1. Full access demo example

DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:
@MappingRole: true
define role demo_cds_role_fullaccess {
grant select on demo_cds_auth_fullaccess; }

2. Literal conditions demo example

DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:
@MappingRole: true
define role demo_cds_role_literal {
grant select on demo_cds_auth_literal
where carrid = 'LH'; }

3. PFCG authorizations demo example

DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:
@MappingRole: true
define role demo_cds_role_pfcg {
grant select on demo_cds_auth_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03'); }

Authorization object s_carrid could be found in t-code SU21 under BC_C object class.

4. Combination of literal and PFCG authorizations demo example

DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:
@MappingRole: true
define role demo_cds_role_lit_pfcg {
grant select on demo_cds_auth_lit_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03') and
currcode = 'EUR'; }

5. Inherited authorization demo example

DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
as select from
demo_cds_auth_lit_pfcg
{
key carrid,
carrname,
currcode,
url
};

DCL:
@MappingRole: true
define role demo_cds_role_inherited {
grant select on demo_cds_auth_inherited
inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }

In this example data records with USD and EUR currency code will be showed.

6. Current user authorization demo example

DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
as select from
abdocmode
{
key uname,
key langu,
flag
};

DCL:
@MappingRole: true
define role demo_cds_role_user {
grant select on demo_cds_auth_user
where
uname ?= aspect user; }

In this example data records will be filtered based on user name accessing CDS view.

Conclusion of Part 1: we considered standard demo examples with different options, let's try to create our own CDS view with access control.

________________________________________________________________________________

Part II. Create a simple example based on PFCG authorizations

1. Create a our own CDS view by coping existing one:
@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
{
key carrid,
carrname,
currcode,
url
};

Now if we open data preview in HANA Studio we will see all records. Access control doesn't exist yet.



2. Create our z-authorization objects in SU21 t-code:



For each object define authorization field(s) and Activity field, include in permitted activities 03 Display. In our case we include CARRID field in ZS_CARRID and CONNID in ZS_CONNID.





3. Create access control for ZS_CARRID authorization object.
@MappingRole: true
define role zdemo_access_pfcg {
grant select on Zdemo_Access_Pfcg
where (carrid) =
aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }

If we open data preview in HANA studio we will not see any data.

4. Create a new role in PFCG and include authorization objects here. Define what data based on selected fields users should see. Don't forget to generate profile. Assign role to our user.

In first case we will use only ZS_CARRID. We will use another object later in this post.





5. Go back to HANA studio to test authorization. Open data preview for our CDS.



Now we see only records with defined for Airline Company (CARRID) field.

Note: If we open a view in ABAP Dictionary (SE11) the result is all data records.

Note: if we change annotation in DDL, activate CDS view for changes to be applied, we will see all records in data preview once again. This means that a check is off.
@AccessControl.authorizationCheck: #NOT_ALLOWED 

Conclusion of Part 2: We see how access control is working in simple case of selection from a table, let's move to analytic CDS views.

_____________________________________________________________________________

Part III. Access control for analytical CDS views with CUBE data category

1. Create a our own CDS view by coping existing one. This is CDS view with CUBE data category.
@AbapCatalog.sqlViewName: 'Z05_IFLIGHTAIRP'                     // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Flight by airport' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #COMPOSITE // This is a COMPOSITE interface view in the VDM, because it is based on multiple BASIC views
@Analytics.dataCategory: #CUBE // Makes it avaialble for analytics as dimension view via the analytics manager. Is simular to #FACT but #CUBE has more redundant data
@Analytics.dataExtraction.enabled: false // No data extraction allowed as you don't want redundancies in data extraction

define view Z05_I_FlightByAirport as select from Z00_I_Flight // A CDS is implemented using a query select from CDS view Z00_I_Flight
{ // No associations needed as these are handled within the BASIC views
// In the BASIC view we used alias to make the column names are userfriendly
// Also the associations from the othe views are added automatically
@ObjectModel.foreignKey.association: '_Airline' // Defines a foreignkey association for the field Z00_I_Flight.Airline to view _Airline.Airline
key Z00_I_Flight.Airline, // Use the column Airline as a key field

@ObjectModel.foreignKey.association: '_FlightConnection' // Defines a foreignkey association for the field Z00_I_Flight.FlightConnection to view _FlightConnection.FlightConnection
key Z00_I_Flight.FlightConnection, // Use the column FlightConnection as a key field
key Z00_I_Flight.FlightDate, // Use the column FlightDate as a key field

@EndUserText.label: 'Airport From' // Add an enduser label to make sure that we can differentiate between AirportFrom and AirportTo
@ObjectModel.foreignKey.association: '_AirportFrom' // Defines a foreignkey association for the field _FlightConnection.AirportFrom to view _AirportFrom.AirportFrom
key Z00_I_Flight._FlightConnection.AirportFrom, // Use the column _FlightConnection.AirportFrom as a key field

@EndUserText.label: 'Airport To' // Add an enduser label to make sure that we can differentiate between AirportFrom and AirportTo
@ObjectModel.foreignKey.association: '_AirportTo' // Defines a foreignkey association for the field _FlightConnection.AirportTo to view _AirportFrom.AirportTo
key Z00_I_Flight._FlightConnection.AirportTo, // Use the column _FlightConnection.AirportTo as a key field

@Semantics.currencyCode: true // This tells the column AirlineUsedCurrency that it is a currency code field
key Z00_I_Flight.Currency, // Use the column Currency as a key field

@ObjectModel.foreignKey.association: '_AircraftType' // Defines a foreignkey association for the field AircraftType to view _AircraftType.AircraftType
key Z00_I_Flight.AircraftType, // Use the column AircraftType as a key field

@Semantics.amount.currencyCode: 'Currency' // The annotated field contains a monetary amount, and the corresponding currency code is contained in the referenced field
@DefaultAggregation: #MIN // The field is aggregated using MIN
Z00_I_Flight.FlightPrice, // Use the column FlightPrice
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@Semantics.amount.currencyCode: 'Currency' // The annotated field contains a monetary amount, and the corresponding currency code is contained in the referenced field
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.CurrentBookingsTotalAmount, // Use the column CurrentBookingsTotalAmount

/* Associations */
Z00_I_Flight._AircraftType, // The fields from the association _AircraftType
Z00_I_Flight._Airline, // The fields from the association _Airline
Z00_I_Flight._FlightConnection, // The fields from the association _FlightConnection
Z00_I_Flight._FlightConnection._AirportFrom, // This needs to be added because airportFrom is not available for analytics, because we used it only as a foreignkey
Z00_I_Flight._FlightConnection._AirportTo // This needs to be added because airportTo is not available for analytics, because we used it only as a foreignkey
}


Data preview for this CDS view in HANA Studio. Number of rows is 4894.



2. Define access control for CDS view with CUBE data category.
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline ) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' );

}

3. In part II of this post we included ZS_CARRID authorization object to our user. Check result in data preview in HANA Studio. Number of rows is 530.



4. Check result in RSRT t-code. Number of rows is 530. The same result.

5. Check result in BO Analysis for Excel. The result is the same, only selected Airlines are availible for our user.



Note. There is no transnational data for AF Airline, that's why it is not shown at the screen above.

________________________________________________________________________________

Part IV. Access control for analytical query CDS views 

  1. Create an analytical query CDS view in CUBE CDS from Part III.


@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'                       // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view
@Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated

define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
// Take care with OData publishing the max. lenght is 26 characters
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection
Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate
Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom
@EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo
@EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo
Z05_I_FlightByAirport.Currency, // Use the column Currency
Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice
Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
// view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages
// as they cannot be evaluated at the detail level
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column)
}

2. Data preview for this CDS view in HANA Studio. Number of rows is 4894. It seem that CDS view analytical query is not use Cube CDS view authorization, but it is not true. You don't need to create additional access control for analytical query CDS view.

3. Check result in RSRT or BO Analysis for Excel. The results demonstrate that authorizations of Cube CDS view are used in analytical query.



Note: It is not required to create any variables in analytical query definition, like we did in BEx query with authorization characteristics.

4. Modify access control for Cube CDS view. Add field authorization object ZS_CONNID instead of ZS_CARRID.
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( FlightConnection) = aspect pfcg_auth ( ZS_CONNID,
CONNID,
actvt = '03' );

}

The analytical query result is more strict (look at ZS_CONNID definition in Part II Step 4). Now number of rows is 212 in my case.



________________________________________________________________________________

Part V. UNION or INTERSECTION of authorizations

  1. Intersection of authorizations with "AND". New authorization ZS_FLDAT was defined for 3 days range only (04.02.2015 - 06.02.2015). DCL modification for intersection:


@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) AND
(FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );

}



2. Union of authorizations with "OR":
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) OR
( FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );

}



3. Two fields in one authorization object is like intersection.


@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline, FlightDate) =
aspect pfcg_auth ( ZS_NEW,
CARRID,
FLTDATE,
actvt = '03' );



Notes: Don't forget to define authorizations at Cube CDS view level, not analytical query level. If you define the same authorizations from Part V at analytical query level:

  • In Data Preview of SAP HANA Studio the results seem to be correct

  • In RSRT, BO Analysis for Excel and other tools using OLAP Engine authorizations from Cube CDS view are used (if defined).


Notes: For analytical query for results in HANA Studio data preview showed all data, to correct this create access control for analytical query:
@MappingRole: true
define role Z05_ROLE_2 {
grant select on Z05_C_FlightByAirportQuery
inherit Z05_ROLE; }

Conclusion for Part V: You can define intersection or union of authorizations for Analytical CDS views.

 

Thank you for attention!
25 Comments
former_member205880
Active Participant
Additional Note:

If you exclude from analytical query definition fields by which authorizations are checked all will be filtered correctly. 
Former Member
0 Kudos
Great work Maksim!

I was looking for help & examples around this .
Florian
Active Contributor
0 Kudos

Nice Work.

I like the flowing style of the examples. Not something really new, but would suggest that it is easier to read through your blog than working through the official help:-)

former_member205880
Active Participant
0 Kudos
Thank you, Florian!
retired_member
Product and Topic Expert
Product and Topic Expert
0 Kudos

 

Just for the sake of completeness, here’s the official help (where part one can also be found):

https://help.sap.com/http.svc/rc/abapdocu_751_index_htm/7.51/en-US/index.htm?file=abencds_authorizat...

Praise for extending it to more real life examples ...

 

0 Kudos
Great Job.
cemal
Participant
0 Kudos
Thumbs up, that's what I was looking for. Thank you.
celo_berger
Active Participant
0 Kudos
Great blog! Thank you!
Former Member
0 Kudos
Awesome Blog! This is what I was looking for.
SudarshanS
Participant
0 Kudos
Thank you really helpful for starters.
former_member205880
Active Participant
0 Kudos
Additional Note 2:

If you are going to use ABAP CDS view in other ABAP logic, e.i. in ABAP reports I recommend you to look at great Horst Keller blog:

https://blogs.sap.com/2015/12/07/abap-news-for-release-750-abap-cds-access-control/

Briefly:

  • In ABAP report use select from entity name (name after define view), not from DB view name (name in @AbapCatalog.sqlViewName: 'DB_view') if you want DCL to be checked and data filtration occurred.

  • If you define @AccessControl.authorizationCheck: #CHECK or @AccessControl.authorizationCheck: #NOT_REQUIRED it will work.

  • If you modify annotation in DDL to @AccessControl.authorizationCheck: #NOT_ALLOWED,then DCL will be ignored.


 
manuish02
Explorer
0 Kudos
Hello Maksim,

Appreciate your time in getting the blog. I have two questions around the DCLs:

 


  1. uname ?= aspect user​

    The above syntax of aspect user, does it work on 7.50?

  2. Aspect pfcg_auth does it work on 7.50?

former_member205880
Active Participant
0 Kudos
Hi!

  1. Seems to be not available in 7.5.

  2. Available.


Link to documentation:

https://help.sap.com/viewer/f2e545608079437ab165c105649b89db/7.5.16/en-US/707332186bf41014b5040bee4e...

Also try to create new DCL (if you have system), in template there are useful comments. There are all available features.

BR, Maksim

 

 
ShivaKona
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hello Maksim,

This blog is very useful. I have one questions around the DCLs:

I have created an Analytical fiori application with the back end implementation as SQL view of a CDS.

I have done this by adding the sql name in the X-Query of the URL Parameters in the target mapping of the tile in Launchpad configuration.

Now i have created the DCL for the CDS view and the data when i execute the cds is getting filtered by DCL but the data in the fiori app is not getting filtered.

Seems the SQL View is not applying the DCL while rendering result on Analytical application.

Now how can i apply the DCL on the Analytical application which is using SQL view of a cds ?

or how can i achieve this ?
jehu_wang
Explorer
0 Kudos
Great post, Thank you .
former_member215511
Participant
0 Kudos
Great Post..thank you.

 

i have few more doubts like

How to enhance/extend  standard Access Control by adding new authorization object?

Whether is it possible or not?

 
former_member205880
Active Participant
0 Kudos
Hi,

As I know It is not possible to enhance Access Control, but you could create an additional one.

There should work as AND.

 

BR,

Maksim
former_member683242
Participant
0 Kudos
Great post.......Thank you 🙂
dmitry_sharshatkin
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi Maksim,

I’ve created 2 ACs for one CDS.

But authorizations are taken using OR condition.

Is it then a bug ?…

Thanks, Dima

former_member512938
Participant
0 Kudos
Dmitri,

This is actually acting like you experienced it. Maksim said it "should work as AND" but unfortunatly it does not.

If one of AC is passed, then access is granted to the exposed data.

Regards,

Olivier
dmitry_sharshatkin
Product and Topic Expert
Product and Topic Expert
Hi Olivier,

thanks for clarifying. Yes, indeed, they are joined with "OR" by default.

But I've discovered, in 7.54 (S/4 1908), there is an option 'COMBINATION MODE', which brings required functionality:

https://help.sap.com/doc/abapdocu_754_index_htm/7.54/en-US/index.htm?file=abencds_dcl_role_cond_rule...

Regards, Dima
former_member512938
Participant
0 Kudos
Dear Dmitrii,

Thanks for sharing. My system is still in 1809 😞

Regards,

Olivier
Alexia
Explorer
0 Kudos

That’s very useful, Dima! Thanks for sharing!

0 Kudos

Hi Maksim,

 

Thanks a lot for this Blog post, it really helped me to gone through a development.

i have a question here. can we have 2 different authorization objects with in the same access control behalf of one CDS. For an instance,

 

Can i add one more field here like Customer here with Another Authorization object.

 

Thanks & Regards

Sri Ram

 

former_member205880
Active Participant
0 Kudos

Hi!

Sure, why not.

Like in block "Part V. UNION or INTERSECTION of authorizations".

 

BR,

Maksim