Technology Blog Posts by Members
monalisa_biswal
Contributor

Introduction

Using CDS access control, we can restrict access to the data that is selected. It lets you put checks on the data using a standard authorization object and limit the values for it.

For example, this is one of the standard access controls for Profit Center:

monalisa_biswal_0-1770586834193.png

In this blog, we will look at how access control can be used to control UI‑level modifications—for example, managing the visibility of Create, Edit, and Delete options—without the need for additional custom coding.

Backend Implementation

To begin, create a CDS view that lists all business objects requiring this authorization control. Add an entry for each operation, such as create or edit. For the demo, I've included activity '02' (change).

monalisa_biswal_4-1770581326838.png

Next, define an Access Control object that links your CDS view to the relevant authorization object. This authorization object will be maintained for the associated Fiori application. Set the required activity type based on the configuration in your CDS access control.
In this example, I’ve used the standard CDS view I_PROFITCENTER, but you can replace it with your own entity that needs authorization‑based restrictions.

monalisa_biswal_6-1770581630945.png

 

When a user with the correct authorization views the CDS data,

monalisa_biswal_5-1770581436214.png

A user who does not have authorization for the activity will see the content as below:

monalisa_biswal_7-1770581684801.png

 

Once the CDS view is ready, include it as an association within your main entity that is exposed via your OData service:

    ...
    association[0..1] to ZTEST_BO_AUTH as _BOAuth
        on cdsviewname = 'I_PROFITCENTER'
    {
        ...,
        _BOAuth
    }

Applying Authorization in the Fiori UI

monalisa_biswal_0-1770585512793.png

 

In your Fiori application, bind the visibility or enabled property of Create/Edit/Delete buttons to the isEditable property provided by this child association:

{/ZTEST_BO_AUTH('I_ProfitCenter')/isEditable}

Load this entity set at the beginning:

    var oModel = this.getView().getModel();

    // Read the authorization entity set once, when the app starts
    oModel.read("/ZTEST_CBO_AUTH", {
        urlParameters: {
            "$filter": "BusinessObjectID eq 'I_PROFITCENTER'",
            "$orderby": "isEditable desc"
        },
        success: function (oData) {
            // Stay non-editable unless a row actually comes back
            var bEditable = false;
            if (oData?.results?.length) {
                bEditable = Boolean(oData.results[0].isEditable); // boolean conversion
            }
        }
    });

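When a user without activity '02' opens the app, the Edit button will no longer appear. Note that this only hides the control: the binding does not stop a direct call to the OData service, so the change operation itself still needs its authorization check in the backend.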
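The read callback above can be made fail-closed, so that an empty result, a failed request or an unexpected flag value all leave the buttons hidden. This is an added example, not code from the original post: `toBool`, `resolveEditable` and `makeHandlers` are hypothetical helper names, and the assumption is that `isEditable` may arrive either as a boolean or as an ABAP-style flag string, depending on how the field is typed in the CDS view. It also goes slightly beyond the post by checking every returned row rather than only the first.

```javascript
// Added example: fail-closed evaluation of the authorization read result.
// BusinessObjectID / isEditable are the field names used in the read call;
// the helper names and any payloads passed in are assumptions for illustration.

// Accept only explicit "yes" values: true, "X" or "true".
function toBool(v) {
    if (typeof v === "boolean") { return v; }
    if (typeof v === "string") {
        var s = v.trim().toLowerCase();
        return s === "x" || s === "true";
    }
    return false; // undefined, null, numbers, objects: treat as not authorized
}

// True only if some row for sObjectId explicitly says it is editable.
// No rows at all (for example, filtered out by the access control) means false.
function resolveEditable(oData, sObjectId) {
    var aRows = oData && Array.isArray(oData.results) ? oData.results : [];
    return aRows.some(function (oRow) {
        return Boolean(oRow) &&
            oRow.BusinessObjectID === sObjectId &&
            toBool(oRow.isEditable);
    });
}

// Handlers to pass to oModel.read: both paths end in a definite boolean.
function makeHandlers(sObjectId, fnApply) {
    return {
        success: function (oData) {
            fnApply(resolveEditable(oData, sObjectId));
        },
        error: function () {
            fnApply(false); // a failed request keeps the buttons hidden
        }
    };
}
```

The object returned by `makeHandlers` can be merged with `urlParameters` in the `oModel.read` call, with `fnApply` writing the flag to whatever property the buttons are bound to.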

Conclusion

Using CDS access controls is one of the clean ways to enforce consistent authorization across backend services and Fiori UIs. Instead of scattering checks across controllers and handlers, developers can define access rules once and rely on CDS to enforce them everywhere. This low‑code technique reduces maintenance effort and makes the implementation much easier.