Enterprise Resource Planning Blogs by SAP

In the previous post, "ABAP CDS views with Authorization based on Access Control", I covered how to create authorizations for ABAP CDS views.

Now it is time to trace and troubleshoot. I am going to explain this topic using the analytical query CDS view Z05_C_FlightByAirportQuery, which is based on the cube CDS view Z05_I_FlightByAirport.

Access control for the cube CDS view was defined in the previous post:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
  where ( Airline, FlightDate ) =
  aspect pfcg_auth ( ZS_NEW,
                     actvt = '03' );
}

Options for tracing authorizations include:

  • ST01

  • RSRT (execute+debug)

Step-by-step with ST01:

1. Switch on the trace in ST01 for the test user.

2. As the test user, start a report or RSRT and open the analytical query.

3. Go back to ST01 and open Analysis. Enter the test user name and the time period.

4. Analyse the results.

You can see that:

  • the ZS_NEW authorization object is checked successfully

  • S_TCODE is checked for the RSRT transaction code

  • the BW authorization objects S_RS_COMP, S_RS_COMP1 and S_RS_AUTH are checked

For more information on these objects, read their documentation in SU21.

5. Now exclude ZS_NEW from the user's profile. The results are different:

The trace now shows an error for the ZS_NEW authorization object, and the report returns no records.

6. Next, reduce the authorizations: exclude 0BI_ALL and some others.

With only those authorization objects left, the analytical query still returns the correct result in RSRT.

Trace for this case:

It seems that 0BI_ALL is not needed, although an error for it does appear in the trace.


Step-by-step with RSRT (execute+debug):

1. Go to RSRT, choose the query and select execute+debug with the option "Show DCL authorizations for CDS".

2. If there is no DCL for the CDS view, you will get an appropriate message about it.

When the standard S_CARRID authorization object on Airline is used in the DCL, we get:
@EndUserText.label: 'Role for Z00_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z00_I_FlightByAirport
  where ( Airline ) =
  aspect pfcg_auth ( S_CARRID,
                     CARRID,
                     ACTVT = '03' );
}
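
A cross-check for the S_CARRID role above, as an added ABAP example that is not part of the original post: it evaluates S_CARRID explicitly for every airline and compares the result with what the CDS view returns under its DCL role. The report name Z_DCL_CROSSCHECK, the use of table SCARR as the list of airlines, and the assumption that Airline holds the CARRID value are not from the post.

```abap
REPORT z_dcl_crosscheck. " hypothetical report name

" Assumption: S_CARRID has the fields CARRID and ACTVT (SAP flight model).
" Step 1: evaluate S_CARRID explicitly for every airline in SCARR.
SELECT carrid FROM scarr INTO TABLE @DATA(lt_carriers).

DATA lt_allowed TYPE SORTED TABLE OF scarr-carrid
                WITH UNIQUE KEY table_line.

LOOP AT lt_carriers INTO DATA(ls_carrier).
  AUTHORITY-CHECK OBJECT 'S_CARRID'
    ID 'CARRID' FIELD ls_carrier-carrid
    ID 'ACTVT'  FIELD '03'.
  IF sy-subrc = 0.
    INSERT ls_carrier-carrid INTO TABLE lt_allowed.
  ENDIF.
ENDLOOP.

" Step 2: read the view with Open SQL; the DCL role is applied implicitly,
" so only rows the current user is authorized for are returned.
SELECT DISTINCT Airline
  FROM z00_i_flightbyairport
  INTO TABLE @DATA(lt_visible).

" Step 3: every airline the view returns must also pass the explicit check.
LOOP AT lt_visible INTO DATA(ls_visible).
  IF line_exists( lt_allowed[ table_line = ls_visible-airline ] ).
    WRITE: / ls_visible-airline, 'visible and authorized'.
  ELSE.
    WRITE: / ls_visible-airline, 'visible but not authorized: check the DCL role'.
  ENDIF.
ENDLOOP.

" An empty result matches the ST01 case where the object check fails.
IF lt_visible IS INITIAL.
  WRITE: / 'No rows returned: no data, or S_CARRID is missing for this user.'.
ENDIF.
```

Run it as the test user while the ST01 trace is switched on; the explicit AUTHORITY-CHECK calls should then appear in the trace as S_CARRID checks.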



Tracing authorizations in RSRT and ST01 is an effective way to troubleshoot and find the required authorizations.


Thank you for your attention!