ABAP CDS Views With Authorization Based On Access Control - SAP Blogs

This document discusses authorization and access control for ABAP CDS views. It provides examples of standard demo views with different access control techniques, including full access, literal conditions, PFCG authorizations, combining literal and PFCG, inherited authorization, and authorization based on the current user.

Uploaded by

hjheredias
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs

Maksim Alyapyshev
February 27, 2017
| 11 minute read

ABAP CDS views with Authorization based on Access Control

Hi!

In this post I would like to consider a very important authorization aspect of
ABAP CDS views. For each CDS view we have to define an access control using DCL.

For the demonstration cases I’m using S/4HANA 1610 on NW 7.51.

There are 5 parts in this post:

Part I. Standard demo access control examples

Part II. Create a simple example based on PFCG authorizations

Part III. Access control for analytical CDS views with CUBE data category

Part IV. Access control for analytical query CDS views

Part V. UNION or INTERSECTION of authorizations

Let’s start.

________________________________________________________________________________

Part I. Standard demo access control examples

First of all I recommend beginning with the standard demo CDS views in the
SABAPDEMOS package, which are based on the Flight Model.

1. Full access demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
  as select from
    scarr
    {
      key carrid,
          carrname,
          currcode,
          url
    };

DCL:

@MappingRole: true
define role demo_cds_role_fullaccess {
  grant select on demo_cds_auth_fullaccess; }

2. Literal conditions demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
  as select from
    scarr
    {
      key carrid,
          carrname,
          currcode,
          url
    };

DCL:

@MappingRole: true
define role demo_cds_role_literal {
  grant select on demo_cds_auth_literal
    where carrid = 'LH'; }



3. PFCG authorizations demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
  as select from
    scarr
    {
      key carrid,
          carrname,
          currcode,
          url
    };

DCL:

@MappingRole: true
define role demo_cds_role_pfcg {
  grant select on demo_cds_auth_pfcg
    where (carrid) =
      aspect pfcg_auth (s_carrid, carrid, actvt='03'); }

Authorization object s_carrid can be found in t-code SU21 under the BC_C object
class.

4. Combination of literal and PFCG authorizations demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
  as select from
    scarr
    {
      key carrid,
          carrname,
          currcode,
          url
    };

DCL:

@MappingRole: true
define role demo_cds_role_lit_pfcg {
  grant select on demo_cds_auth_lit_pfcg
    where (carrid) =
      aspect pfcg_auth (s_carrid, carrid, actvt='03') and
      currcode = 'EUR'; }

5. Inherited authorization demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
  as select from
    demo_cds_auth_lit_pfcg
    {
      key carrid,
          carrname,
          currcode,
          url
    };

DCL:

@MappingRole: true
define role demo_cds_role_inherited {
  grant select on demo_cds_auth_inherited
    inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }

In this example data records with USD and EUR currency code will be shown.

6. Current user authorization demo example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
  as select from
    abdocmode
    {
      key uname,
      key langu,
          flag
    };

DCL:

@MappingRole: true
define role demo_cds_role_user {
  grant select on demo_cds_auth_user
    where
      uname ?= aspect user; }

In this example data records will be filtered based on the name of the user
accessing the CDS view.

Conclusion of Part 1: we considered standard demo examples with different
options, let’s try to create our own CDS view with access control.

________________________________________________________________________________

Part II. Create a simple example based on PFCG authorizations

1. Create our own CDS view by copying an existing one:

@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
    {
      key carrid,
          carrname,
          currcode,
          url
    };

Now if we open data preview in HANA Studio we will see all records. Access
control doesn’t exist yet.


2. Create our z-authorization objects in SU21 t-code:

For each object define authorization field(s) and Activity field, include in
permitted activities 03 Display. In our case we include CARRID field in
ZS_CARRID and CONNID in ZS_CONNID.


3. Create access control for ZS_CARRID authorization object.

@MappingRole: true
define role zdemo_access_pfcg {
  grant select on Zdemo_Access_Pfcg
    where (carrid) =
      aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }

If we open data preview in HANA studio we will not see any data.

4. Create a new role in PFCG and include authorization objects here. Define what
data based on selected fields users should see. Don’t forget to generate
profile. Assign role to our user.

In first case we will use only ZS_CARRID. We will use another object later in this
post.

5. Go back to HANA studio to test authorization. Open data preview for our CDS.

Now we see only the records with the values defined for the Airline Company
(CARRID) field.

Note: If we open a view in ABAP Dictionary (SE11) the result is all data records.

Note: if we change the annotation in the DDL to the value below and activate the
CDS view so that the change is applied, we will see all records in data preview
once again. This means that the check is off.

@AccessControl.authorizationCheck: #NOT_ALLOWED

Conclusion of Part 2: We see how access control is working in simple case of
selection from a table, let’s move to analytic CDS views.
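Part II shows two states in which a view returns every row: no role grants select on it yet, or the annotation is #NOT_ALLOWED. The following check over exported DDL and DCL sources flags both; it is an added example, not code from the original post, and the sample sources, the two extra view names and the function names are constructed for illustration.

```python
import re

CHECK_RE = re.compile(r"@AccessControl\.authorizationCheck\s*:\s*#(\w+)", re.I)
VIEW_RE = re.compile(r"\bdefine\s+view\s+(?:entity\s+)?(\w+)", re.I)
GRANT_RE = re.compile(r"\bgrant\s+select\s+on\s+(\w+)", re.I)

# Constructed sample sources. The first view and its role follow Part II;
# Zdemo_Check_Off and Zdemo_No_Role are hypothetical names.
DDL_SOURCES = [
    """@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view Zdemo_Access_Pfcg as select from scarr { key carrid, carrname }""",
    """@AbapCatalog.sqlViewName: 'ZDEMO_OFF'
@AccessControl.authorizationCheck: #NOT_ALLOWED
define view Zdemo_Check_Off as select from scarr { key carrid, carrname }""",
    """@AbapCatalog.sqlViewName: 'ZDEMO_NOROLE'
@AccessControl.authorizationCheck: #CHECK
define view Zdemo_No_Role as select from scarr { key carrid, carrname }""",
]
DCL_SOURCES = [
    """@MappingRole: true
define role zdemo_access_pfcg {
  grant select on Zdemo_Access_Pfcg
    where (carrid) = aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }""",
    # A role on the switched-off view changes nothing: the check is off.
    """@MappingRole: true
define role zdemo_check_off { grant select on Zdemo_Check_Off; }""",
]


def strip_comments(source):
    """Drop /* ... */ and // ... comments so commented-out code is ignored."""
    source = re.sub(r"/\*.*?\*/", " ", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def audit(ddl_sources, dcl_sources):
    """Return (view, finding) pairs for views whose rows no DCL role filters."""
    granted = set()
    for dcl in dcl_sources:
        # CDS names are case-insensitive, so compare in lower case.
        granted.update(n.lower() for n in GRANT_RE.findall(strip_comments(dcl)))

    findings = []
    for ddl in ddl_sources:
        text = strip_comments(ddl)
        view = VIEW_RE.search(text)
        if not view:
            continue
        name = view.group(1)
        check = CHECK_RE.search(text)
        mode = check.group(1).upper() if check else "UNSPECIFIED"
        if mode == "NOT_ALLOWED":
            findings.append(
                (name, "authorizationCheck is #NOT_ALLOWED: DCL roles are ignored"))
        elif name.lower() not in granted:
            findings.append(
                (name, f"no DCL role grants select on this view (authorizationCheck: {mode})"))
    return findings


if __name__ == "__main__":
    for view_name, finding in audit(DDL_SOURCES, DCL_SOURCES):
        print(f"{view_name}: {finding}")
```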

________________________________________________________________________________

Part III. Access control for analytical CDS views with CUBE data category

1. Create our own CDS view by copying an existing one. This is a CDS view with
CUBE data category.

@AbapCatalog.sqlViewName: 'Z05_IFLIGHTAIRP'
@AccessControl.authorizationCheck: #CHECK // CDS aut
@EndUserText.label: 'Flight by airport'
@VDM.viewType: #COMPOSITE
@Analytics.dataCategory: #CUBE
@Analytics.dataExtraction.enabled: false

define view Z05_I_FlightByAirport as select from Z00_I_Flight
{
  @ObjectModel.foreignKey.association: '_Airline'
  key Z00_I_Flight.Airline,

  @ObjectModel.foreignKey.association: '_FlightConnection'
  key Z00_I_Flight.FlightConnection,
  key Z00_I_Flight.FlightDate,

  @EndUserText.label: 'Airport From'
  @ObjectModel.foreignKey.association: '_AirportFrom'
  key Z00_I_Flight._FlightConnection.AirportFrom,

  @EndUserText.label: 'Airport To'
  @ObjectModel.foreignKey.association: '_AirportTo'
  key Z00_I_Flight._FlightConnection.AirportTo,

  @Semantics.currencyCode: true
  key Z00_I_Flight.Currency,

  @ObjectModel.foreignKey.association: '_AircraftType'
  key Z00_I_Flight.AircraftType,

  @Semantics.amount.currencyCode: 'Currency'
  @DefaultAggregation: #MIN
  Z00_I_Flight.FlightPrice,
  @DefaultAggregation: #SUM
  Z00_I_Flight.MaximumNumberOfSeats,
  @DefaultAggregation: #SUM
  Z00_I_Flight.NumberOfOccupiedSeats,
  @Semantics.amount.currencyCode: 'Currency'
  @DefaultAggregation: #SUM
  Z00_I_Flight.CurrentBookingsTotalAmount,

  /* Associations */
  Z00_I_Flight._AircraftType,
  Z00_I_Flight._Airline,
  Z00_I_Flight._FlightConnection,
  Z00_I_Flight._FlightConnection._AirportFrom,
  Z00_I_Flight._FlightConnection._AirportTo
}

Data preview for this CDS view in HANA Studio. Number of rows is 4894.


2. Define access control for CDS view with CUBE data category.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline ) =
      aspect pfcg_auth ( ZS_CARRID,
                         CARRID,
                         actvt = '03' );
}

3. In part II of this post we included ZS_CARRID authorization object to our user.
Check result in data preview in HANA Studio. Number of rows is 530.

4. Check result in RSRT t-code. Number of rows is 530. The same result.

5. Check result in BO Analysis for Excel. The result is the same, only selected
Airlines are available for our user.

Note. There is no transactional data for AF Airline, that’s why it is not shown at
the screen above.

________________________________________________________________________________

Part IV. Access control for analytical query CDS views

1. Create an analytical query CDS view on the CUBE CDS view from Part III.

@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'
@AccessControl.authorizationCheck: #CHECK // CDS autho
@EndUserText.label: 'Available Flights'
@VDM.viewType: #CONSUMPTION
@Analytics.query: true
@OData.publish: true

define view Z05_C_FlightByAirportQuery as select from Z05_I_Flight

  @AnalyticsDetails.query.axis: #ROWS
  Z05_I_FlightByAirport.Airline,
  @AnalyticsDetails.query.axis: #ROWS
  Z05_I_FlightByAirport.FlightConnection,
  @AnalyticsDetails.query.axis: #ROWS
  Z05_I_FlightByAirport.FlightDate,
  @Consumption.filter: {selectionType: #SINGLE, multipleSelectio
  @AnalyticsDetails.query.axis: #ROWS
  @EndUserText.label: 'Departure Airport'
  Z05_I_FlightByAirport.AirportFrom,
  @Consumption.filter: {selectionType: #SINGLE, multipleSelectio
  @AnalyticsDetails.query.axis: #ROWS
  @EndUserText.label: 'Arrival Airport'
  Z05_I_FlightByAirport.AirportTo,
  Z05_I_FlightByAirport.Currency,
  Z05_I_FlightByAirport.AircraftType,
  @AnalyticsDetails.query.axis: #COLUMNS
  Z05_I_FlightByAirport.FlightPrice,
  Z05_I_FlightByAirport.MaximumNumberOfSeats,
  Z05_I_FlightByAirport.NumberOfOccupiedSeats,
  @DefaultAggregation: #FORMULA
  @EndUserText.label: 'Available Seats'
  @AnalyticsDetails.query.axis: #COLUMNS
  Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAir
}

2. Data preview for this CDS view in HANA Studio. Number of rows is 4894. It
seems that the analytical query CDS view does not use the Cube CDS view
authorization, but that is not true. You don’t need to create additional access
control for the analytical query CDS view.

3. Check result in RSRT or BO Analysis for Excel. The results demonstrate that
authorizations of Cube CDS view are used in analytical query.

Note: It is not required to create any variables in analytical query definition, like
we did in BEx query with authorization characteristics.

4. Modify access control for Cube CDS view. Add field authorization object
ZS_CONNID instead of ZS_CARRID.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( FlightConnection ) = aspect pfcg_auth ( ZS_CONNID,
                                                    CONNID,
                                                    actvt = '03' );
}

The analytical query result is more strict (look at ZS_CONNID definition in Part II
Step 4). Now number of rows is 212 in my case.

________________________________________________________________________________

Part V. UNION or INTERSECTION of authorizations

1. Intersection of authorizations with “AND”. New authorization ZS_FLDAT was
defined for a 3-day range only (04.02.2015 – 06.02.2015). DCL modification
for intersection:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline ) =
      aspect pfcg_auth ( ZS_CARRID,
                         CARRID,
                         actvt = '03' ) AND
          ( FlightDate ) =
      aspect pfcg_auth ( ZS_FLDAT,
                         FLTDATE,
                         actvt = '03' );
}

2. Union of authorizations with “OR”:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline ) =
      aspect pfcg_auth ( ZS_CARRID,
                         CARRID,
                         actvt = '03' ) OR
          ( FlightDate ) =
      aspect pfcg_auth ( ZS_FLDAT,
                         FLTDATE,
                         actvt = '03' );
}


3. Two fields in one authorization object is like intersection.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline, FlightDate ) =
      aspect pfcg_auth ( ZS_NEW,
                         CARRID,
                         FLTDATE,
                         actvt = '03' );
}

Notes: Don’t forget to define authorizations at Cube CDS view level, not analytical
query level. If you define the same authorizations from Part V at analytical query
level:

In Data Preview of SAP HANA Studio the results seem to be correct


In RSRT, BO Analysis for Excel and other tools using OLAP Engine
authorizations from Cube CDS view are used (if defined).

Notes: For the analytical query, the HANA Studio data preview showed all data;
to correct this, create an access control for the analytical query:

@MappingRole: true
define role Z05_ROLE_2 {
  grant select on Z05_C_FlightByAirportQuery
    inherit Z05_ROLE; }

Conclusion for Part V: You can define intersection or union of authorizations for
Analytical CDS views.
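A small Python model of the three Part V role variants, added here as an illustration and not taken from the original post; it goes one step beyond the text by giving ZS_NEW two separate authorizations, where each authorization is matched as a whole and the two-field form returns fewer rows than the AND of two objects. The flight rows, the user's authorization values and all function names are constructed, and the model handles only explicit value sets and '*', not ranges.

```python
# Constructed flight rows standing in for Z05_I_FlightByAirport.
FLIGHTS = [
    {"Airline": "LH", "FlightDate": "2015-02-04"},
    {"Airline": "LH", "FlightDate": "2015-02-10"},
    {"Airline": "AA", "FlightDate": "2015-02-06"},
    {"Airline": "AA", "FlightDate": "2015-02-04"},
    {"Airline": "UA", "FlightDate": "2015-02-05"},
    {"Airline": "UA", "FlightDate": "2015-03-01"},
]
WINDOW = {"2015-02-04", "2015-02-05", "2015-02-06"}  # the 3-day range of ZS_FLDAT

# Constructed authorizations of one user: object -> list of authorizations.
USER_AUTHS = {
    "ZS_CARRID": [{"CARRID": {"LH", "AA"}, "ACTVT": {"03"}}],
    "ZS_FLDAT": [{"FLTDATE": WINDOW, "ACTVT": {"03"}}],
    "ZS_NEW": [
        {"CARRID": {"LH"}, "FLTDATE": {"2015-02-04"}, "ACTVT": {"03"}},
        {"CARRID": {"AA"}, "FLTDATE": {"2015-02-06"}, "ACTVT": {"03"}},
    ],
}


def covers(allowed, value):
    """An authorization field covers a value if it lists it or holds '*'."""
    return "*" in allowed or value in allowed


def pfcg_auth(row, auths, auth_object, field_map, actvt="03"):
    """True if ONE authorization of auth_object covers every mapped field."""
    for auth in auths.get(auth_object, []):
        if covers(auth["ACTVT"], actvt) and all(
            covers(auth[field], row[element]) for element, field in field_map.items()
        ):
            return True
    return False


def role_and(row, auths):
    """Part V step 1: ZS_CARRID AND ZS_FLDAT."""
    return (pfcg_auth(row, auths, "ZS_CARRID", {"Airline": "CARRID"})
            and pfcg_auth(row, auths, "ZS_FLDAT", {"FlightDate": "FLTDATE"}))


def role_or(row, auths):
    """Part V step 2: ZS_CARRID OR ZS_FLDAT."""
    return (pfcg_auth(row, auths, "ZS_CARRID", {"Airline": "CARRID"})
            or pfcg_auth(row, auths, "ZS_FLDAT", {"FlightDate": "FLTDATE"}))


def role_one_object(row, auths):
    """Part V step 3: both fields checked against one object, ZS_NEW."""
    return pfcg_auth(row, auths, "ZS_NEW",
                     {"Airline": "CARRID", "FlightDate": "FLTDATE"})


def visible(role, auths, rows=FLIGHTS):
    """Rows the role lets this user see, as (Airline, FlightDate) pairs."""
    return [(r["Airline"], r["FlightDate"]) for r in rows if role(r, auths)]


if __name__ == "__main__":
    for role in (role_and, role_or, role_one_object):
        print(role.__name__, visible(role, USER_AUTHS))
```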

Thank you for attention!


25 Comments


Maksim Alyapyshev | Blog Post Author


February 28, 2017 at 6:53 am

Additional Note:

If you exclude from analytical query definition fields by which authorizations are checked all will be filtered
correctly. 


Former Member
March 2, 2017 at 11:13 pm

Great work Maksim!

I was looking for help & examples around this .


Florian Henninger
March 6, 2017 at 9:13 pm

Nice Work.

I like the flowing style of the examples. Not something really new, but would suggest that it is easier to read
through your blog than working through the official help:-)


Maksim Alyapyshev | Blog Post Author


March 7, 2017 at 12:36 pm

Thank you, Florian!


Horst Keller
March 20, 2017 at 1:15 pm

Just for the sake of completeness, here’s the official help (where part one can also be
found):

https://help.sap.com/http.svc/rc/abapdocu_751_index_htm/7.51/en-US/index.htm?file=abencds_authorizations.htm

Praise for extending it to more real life examples ...

Praneeth Chintapalli
May 10, 2017 at 9:57 am

Great Job.


Cemal Aslan
May 19, 2017 at 9:24 pm

Thumbs up, that's what I was looking for. Thank you.


Marcelo Berger
May 31, 2017 at 4:31 pm

Great blog! Thank you!


Former Member
June 29, 2017 at 2:02 pm

Awesome Blog! This is what I was looking for.


Sudarshan Survepalli
August 16, 2017 at 4:06 pm

Thank you really helpful for starters.


Maksim Alyapyshev | Blog Post Author


November 10, 2017 at 9:51 am

Additional Note 2:

If you are going to use ABAP CDS view in other ABAP logic, i.e. in ABAP reports I recommend you to look at
great Horst Keller blog:

https://blogs.sap.com/2015/12/07/abap-news-for-release-750-abap-cds-access-control/

Briefly:

In ABAP report use select from entity name (name after define view), not from DB view name (name
in @AbapCatalog.sqlViewName: 'DB_view') if you want DCL to be checked and data filtration occurred.
If you define @AccessControl.authorizationCheck: #CHECK or @AccessControl.authorizationCheck:
#NOT_REQUIRED it will work.

If you modify annotation in DDL to @AccessControl.authorizationCheck: #NOT_ALLOWED, then DCL
will be ignored.

Manish Majumdar
November 5, 2019 at 6:19 pm

Hello Maksim,

Appreciate your time in getting the blog. I have two questions around the DCLs:

1. uname ?= aspect user

The above syntax of aspect user, does it work on 7.50?

2. Aspect pfcg_auth does it work on 7.50?

Maksim Alyapyshev | Blog Post Author


November 6, 2019 at 7:04 am

Hi!

1. Seems to be not available in 7.5.

2. Available.

Link to documentation:

https://help.sap.com/viewer/f2e545608079437ab165c105649b89db/7.5.16/en-US/707332186bf41014b5040bee4e204223.html

Also try to create new DCL (if you have system), in template there are useful comments. There are
all available features.

BR, Maksim


K Shiva
December 13, 2019 at 6:13 pm

Hello Maksim,

This blog is very useful. I have one question around the DCLs:

I have created an Analytical Fiori application with the back end implementation as SQL view of a CDS.

I have done this by adding the sql name in the X-Query of the URL Parameters in the target mapping of the
tile in Launchpad configuration.

Now I have created the DCL for the CDS view and the data when I execute the CDS is getting filtered by DCL
but the data in the Fiori app is not getting filtered.

Seems the SQL View is not applying the DCL while rendering result on Analytical application.

Now how can I apply the DCL on the Analytical application which is using SQL view of a CDS?

Or how can I achieve this?

zaza Wang
January 5, 2020 at 1:13 pm

Great post, Thank you .


viswanath thammineni
May 6, 2020 at 4:47 am

Great post, thank you.

I have a few more doubts, like:

How to enhance/extend standard Access Control by adding new authorization object?

Whether is it possible or not?

Maksim Alyapyshev | Blog Post Author


May 6, 2020 at 5:56 am

Hi,

As I know, it is not possible to enhance Access Control, but you could create an additional one.

They should work as AND.

BR,

Maksim

Dmitrii Sharshatkin
December 15, 2020 at 10:42 am

Hi Maksim,

I’ve created 2 ACs for one CDS.

But authorizations are taken using OR condition.

Is it then a bug ?…

Thanks, Dima


Olivier Souksamran
December 15, 2020 at 11:25 am

Dmitri,

This is actually acting like you experienced it. Maksim said it "should work as
AND" but unfortunately it does not.

If one of AC is passed, then access is granted to the exposed data.

Regards,

Olivier

Dmitrii Sharshatkin
December 15, 2020 at 1:17 pm

Hi Olivier,

thanks for clarifying. Yes, indeed, they are joined with "OR" by default.

But I've discovered, in 7.54 (S/4 1908), there is an option 'COMBINATION
MODE', which brings required functionality:

https://help.sap.com/doc/abapdocu_754_index_htm/7.54/en-US/index.htm?file=abencds_dcl_role_cond_rule.htm

Regards, Dima

Olivier Souksamran
December 15, 2020 at 1:33 pm

Dear Dmitrii,

Thanks for sharing. My system is still in 1809

Regards,

Olivier


Alexandra Marinescu
January 26, 2021 at 4:15 pm

That’s very useful, Dima! Thanks for sharing!


Pranav Kapoor
June 14, 2020 at 7:32 am

Great post.......Thank you


SRIRAM KOMPELL
March 4, 2022 at 6:47 am

Hi Maksim,

Thanks a lot for this blog post, it really helped me to go through a development.

I have a question here. Can we have 2 different authorization objects within the same access control on behalf
of one CDS? For instance,

can I add one more field here, like Customer, with another authorization object?

Thanks & Regards

Sri Ram

Maksim Alyapyshev | Blog Post Author


March 4, 2022 at 6:58 am

Hi!

Sure, why not.

Like in block "Part V. UNION or INTERSECTION of authorizations".

BR,

Maksim
