ABAP CDS views with Authorization based on Access

Control (CDS Access Control Annotation)

Part I. Standard demo access control examples

Part II. Create a simple example based on PFCG authorizations

Part III. Access control for analytical CDS views with CUBE data category

Part IV. Access control for analytical query CDS views

Part V. UNION or INTERSECTION of authorizations

________________________________________________________________________________

Part I. Standard demo access control examples

First of all I recommend to begin with standard demo CDS views in SABAPDEMOS package based
on Flight Model.

1. Full access demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_fullaccess {
grant select on demo_cds_auth_fullaccess; }

2. Literal conditions demo example

DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_literal {
grant select on demo_cds_auth_literal
where carrid = 'LH'; }

3. PFCG authorizations demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_pfcg {
grant select on demo_cds_auth_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03'); }

Authorization object s_carrid could be found in t-code SU21 under BC_C object class.

4. Combination of literal and PFCG authorizations demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_lit_pfcg {
grant select on demo_cds_auth_lit_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03') and
currcode = 'EUR'; }

5. Inherited authorization demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
as select from
demo_cds_auth_lit_pfcg
{
key carrid,
carrname,
currcode,
url
};

DCL:

@MappingRole: true
define role demo_cds_role_inherited {
grant select on demo_cds_auth_inherited
inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }

In this example data records with USD and EUR currency code will be showed.

6. Current user authorization demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
as select from
abdocmode
{
key uname,
key langu,
flag
};

DCL:

@MappingRole: true
define role demo_cds_role_user {
grant select on demo_cds_auth_user
where
uname ?= aspect user; }

In this example data records will be filtered based on user name accessing CDS view.

Conclusion of Part 1: we considered standard demo examples with different options, let’s try to
create our own CDS view with access control.

________________________________________________________________________________

Part II. Create a simple example based on PFCG authorizations

1. Create a our own CDS view by coping existing one:

@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
{
key carrid,
carrname,
currcode,
url
};

Now if we open data preview in HANA Studio we will see all records. Access control doesn’t exist
yet.

2. Create our z-authorization objects in SU21 t-code:

For each object define authorization field(s) and Activity field, include in permitted activities 03
Display. In our case we include CARRID field in ZS_CARRID and CONNID in ZS_CONNID.
3. Create access control for ZS_CARRID authorization object.

@MappingRole: true
define role zdemo_access_pfcg {
grant select on Zdemo_Access_Pfcg
where (carrid) =
aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }

If we open data preview in HANA studio we will not see any data.

4. Create a new role in PFCG and include authorization objects here. Define what data based on
selected fields users should see. Don’t forget to generate profile. Assign role to our user.

In first case we will use only ZS_CARRID. We will use another object later in this post.
5. Go back to HANA studio to test authorization. Open data preview for our CDS.

Now we see only records with defined for Airline Company (CARRID) field.

Note: If we open a view in ABAP Dictionary (SE11) the result is all data records.
Note: if we change annotation in DDL, activate CDS view for changes to be applied, we will see all
records in data preview once again. This means that a check is off.

@AccessControl.authorizationCheck: #NOT_ALLOWED

Conclusion of Part 2: We see how access control is working in simple case of selection from a
table, let’s move to analytic CDS views.

_____________________________________________________________________________

Part III. Access control for analytical CDS views with CUBE data category

1. Create a our own CDS view by coping existing one. This is CDS view with CUBE data category.

@AbapCatalog.sqlViewName: 'Z05_IFLIGHTAIRP' // Name of the CDS

database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls
the authorization check. In S4H410 not required
@EndUserText.label: 'Flight by airport' // Translatable short
text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #COMPOSITE // This is a COMPOSITE
interface view in the VDM, because it is based on multiple BASIC views
@Analytics.dataCategory: #CUBE // Makes it avaialble for
analytics as dimension view via the analytics manager. Is simular to #FACT but #CUBE has
more redundant data
@Analytics.dataExtraction.enabled: false // No data extraction
allowed as you don't want redundancies in data extraction

define view Z05_I_FlightByAirport as select from Z00_I_Flight // A CDS is implemented

using a query select from CDS view Z00_I_Flight
{ // No associations needed
as these are handled within the BASIC views
// In the BASIC view we
used alias to make the column names are userfriendly
// Also the associations
from the othe views are added automatically
@ObjectModel.foreignKey.association: '_Airline' // Defines a foreignkey
association for the field Z00_I_Flight.Airline to view _Airline.Airline
key Z00_I_Flight.Airline, // Use the column Airline
as a key field

@ObjectModel.foreignKey.association: '_FlightConnection' // Defines a foreignkey

association for the field Z00_I_Flight.FlightConnection to view
_FlightConnection.FlightConnection
key Z00_I_Flight.FlightConnection, // Use the column
FlightConnection as a key field
key Z00_I_Flight.FlightDate, // Use the column
FlightDate as a key field
 @EndUserText.label: 'Airport From' // Add an enduser label
to make sure that we can differentiate between AirportFrom and AirportTo
@ObjectModel.foreignKey.association: '_AirportFrom' // Defines a foreignkey
association for the field _FlightConnection.AirportFrom to view _AirportFrom.AirportFrom
key Z00_I_Flight._FlightConnection.AirportFrom, // Use the column
_FlightConnection.AirportFrom as a key field

@EndUserText.label: 'Airport To' // Add an enduser label

to make sure that we can differentiate between AirportFrom and AirportTo
@ObjectModel.foreignKey.association: '_AirportTo' // Defines a foreignkey
association for the field _FlightConnection.AirportTo to view _AirportFrom.AirportTo
key Z00_I_Flight._FlightConnection.AirportTo, // Use the column
_FlightConnection.AirportTo as a key field

@Semantics.currencyCode: true // This tells the column

AirlineUsedCurrency that it is a currency code field
key Z00_I_Flight.Currency, // Use the column
Currency as a key field

@ObjectModel.foreignKey.association: '_AircraftType' // Defines a foreignkey

association for the field AircraftType to view _AircraftType.AircraftType
key Z00_I_Flight.AircraftType, // Use the column
AircraftType as a key field

@Semantics.amount.currencyCode: 'Currency' // The annotated field

contains a monetary amount, and the corresponding currency code is contained in the
referenced field
@DefaultAggregation: #MIN // The field is
aggregated using MIN
Z00_I_Flight.FlightPrice, // Use the column
FlightPrice
@DefaultAggregation: #SUM // The field is
aggregated using SUM
Z00_I_Flight.MaximumNumberOfSeats, // Use the column
MaximumNumberOfSeats
@DefaultAggregation: #SUM // The field is
aggregated using SUM
Z00_I_Flight.NumberOfOccupiedSeats, // Use the column
NumberOfOccupiedSeats
@Semantics.amount.currencyCode: 'Currency' // The annotated field
contains a monetary amount, and the corresponding currency code is contained in the
referenced field
@DefaultAggregation: #SUM // The field is
aggregated using SUM
Z00_I_Flight.CurrentBookingsTotalAmount, // Use the column
CurrentBookingsTotalAmount

/* Associations */
Z00_I_Flight._AircraftType, // The fields from the
association _AircraftType
Z00_I_Flight._Airline, // The fields from the
association _Airline
Z00_I_Flight._FlightConnection, // The fields from the
association _FlightConnection
 Z00_I_Flight._FlightConnection._AirportFrom, // This needs to be added
because airportFrom is not available for analytics, because we used it only as a
foreignkey
Z00_I_Flight._FlightConnection._AirportTo // This needs to be added
because airportTo is not available for analytics, because we used it only as a foreignkey
}

Data preview for this CDS view in HANA Studio. Number of rows is 4894.

2. Define access control for CDS view with CUBE data category.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'

@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline ) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' );

3. In part II of this post we included ZS_CARRID authorization object to our user. Check result in
data preview in HANA Studio. Number of rows is 530.
4. Check result in RSRT t-code. Number of rows is 530. The same result.

5. Check result in BO Analysis for Excel. The result is the same, only selected Airlines are available
for our user.

Note. There is no transnational data for AF Airline, that’s why it is not shown at the screen above.

________________________________________________________________________________

Part IV. Access control for analytical query CDS views 

1. Create an analytical query CDS view in CUBE CDS from Part III.

@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS

database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls
the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights' // Translatable short
text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION
view
@Analytics.query: true // By tagging the CDS
view as an analytical query it will be exposed to the analytic manager
@OData.publish: true // Generates a suitable
OData service, that will use the analytical query, when the CDS entity is activated

define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A

analytical query CDS is implemented using a query select from CDS view
Z00_I_FlightByAirport
// Take
care with OData publishing the max. lenght is 26 characters
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default
row/colums apperance for the column Airline
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default
row/colums apperance for the column FlightConnection
Z05_I_FlightByAirport.FlightConnection, // Use the column
FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default
row/colums apperance for the column FlightDate
Z05_I_FlightByAirport.FlightDate, // Use the column
FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory:
false } // Creates a mandatory filter on the values in the field AirportFrom
@AnalyticsDetails.query.axis: #ROWS // Defines the default
row/colums apperance for the column AirportFrom
@EndUserText.label: 'Departure Airport' // Add an human readable
enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportFrom, // Use the column
AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory:
false } // Creates an optional filter on the values in the field AirportTo
@AnalyticsDetails.query.axis: #ROWS // Defines the default
row/colums apperance for the column AirportTo
@EndUserText.label: 'Arrival Airport' // Add an human readable
enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportTo, // Use the column
AirportTo
Z05_I_FlightByAirport.Currency, // Use the column
Currency
Z05_I_FlightByAirport.AircraftType, // Use the column
AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default
row/colums apperance for the column FlightPrice
Z05_I_FlightByAirport.FlightPrice, // Use the column
FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column
MaximumNumberOfSeats
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column
NumberOfOccupiedSeats
 @DefaultAggregation: #FORMULA // Important to know for
formular placement is evaluation time. Inside the final query, the evaluation is done
after the flightbyairport
// view aggragation, so
it's not on a very detailed level or even row level, but at the aggragate level. This is
important for avarages
// as they cannot be
evaluated at the detail level
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default
row/colums apperance for the column NumberOfAvailableSeats
Z05_I_FlightByAirport.MaximumNumberOfSeats -
Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a
formular (calculated column)
}

2. Data preview for this CDS view in HANA Studio. Number of rows is 4894. It seem that CDS view
analytical query is not use Cube CDS view authorization, but it is not true. You don’t need to create
additional access control for analytical query CDS view.

3. Check result in RSRT or BO Analysis for Excel. The results demonstrate that authorizations of
Cube CDS view are used in analytical query.

Note: It is not required to create any variables in analytical query definition, like we did in BEx query
with authorization characteristics.

4. Modify access control for Cube CDS view. Add field authorization object ZS_CONNID instead of
ZS_CARRID.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'

@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( FlightConnection) = aspect pfcg_auth ( ZS_CONNID,
CONNID,
actvt = '03' );

The analytical query result is more strict (look at ZS_CONNID definition in Part II Step 4). Now
number of rows is 212 in my case.
________________________________________________________________________________

Part V. UNION or INTERSECTION of authorizations

1. Intersection of authorizations with “AND”. New authorization ZS_FLDAT was defined for 3
days range only (04.02.2015 – 06.02.2015). DCL modification for intersection:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'

@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) AND
(FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );

}
2. Union of authorizations with “OR”:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'

@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) OR
( FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );

3. Two fields in one authorization object is like intersection.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline, FlightDate) =
aspect pfcg_auth ( ZS_NEW,
CARRID,
FLTDATE,
actvt = '03' );

Notes: Don’t forget to define authorizations at Cube CDS view level, not analytical query level. If
you define the same authorizations from Part V at analytical query level:

 In Data Preview of SAP HANA Studio the results seem to be correct

 In RSRT, BO Analysis for Excel and other tools using OLAP Engine authorizations from
Cube CDS view are used (if defined).

Notes: For analytical query for results in HANA Studio data preview showed all data, to correct this
create access control for analytical query:

@MappingRole: true
define role Z05_ROLE_2 {
grant select on Z05_C_FlightByAirportQuery
inherit Z05_ROLE; }
Conclusion for Part V: You can define intersection or union of authorizations for Analytical CDS
views.