ABAP CDS Views With Authorization Based On Access Control - SAP Blogs
ABAP CDS Views With Authorization Based On Access Control - SAP Blogs
Maksim Alyapyshev
February 27, 2017
| 11 minute read
Hi!
Like
In this post I would like to consider a very important authorization aspect of
ABAP CDS views. For each CDS view we have to define an access control using
RSS Feed DCL.
Part III. Access control for analytical CDS views with CUBE data category
Let’s start.
___________________________________________________________________________
_____
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 1/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
as select from
scarr
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
as select from
scarr
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
as select from
scarr
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
where (carrid) =
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
as select from
scarr
key carrid,
carrname,
currcode,
url
};
DCL:
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 3/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
@MappingRole: true
where (carrid) =
currcode = 'EUR'; }
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
as select from
demo_cds_auth_lit_pfcg
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
In this example data records with USD and EUR currency code will be showed.
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
as select from
abdocmode
key uname,
key langu,
flag
};
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 4/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
DCL:
@MappingRole: true
where
In this example data records will be filtered based on user name accessing CDS
view.
___________________________________________________________________________
_____
@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
key carrid,
carrname,
currcode,
url
};
Now if we open data preview in HANA Studio we will see all records. Access
control doesn’t exist yet.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 5/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
For each object define authorization field(s) and Activity field, include in
permitted activities 03 Display. In our case we include CARRID field in
ZS_CARRID and CONNID in ZS_CONNID.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 6/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 7/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
@MappingRole: true
where (carrid) =
If we open data preview in HANA studio we will not see any data.
4. Create a new role in PFCG and include authorization objects here. Define what
data based on selected fields users should see. Don’t forget to generate
profile. Assign role to our user.
In first case we will use only ZS_CARRID. We will use another object later in this
post.
5. Go back to HANA studio to test authorization. Open data preview for our CDS.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 8/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Now we see only records with defined for Airline Company (CARRID) field.
Note: If we open a view in ABAP Dictionary (SE11) the result is all data records.
@AccessControl.authorizationCheck: #NOT_ALLOWED
___________________________________________________________________________
__
Part III. Access control for analytical CDS views with CUBE data category
1. Create a our own CDS view by coping existing one. This is CDS view with CUBE
data category.
@AbapCatalog.sqlViewName: 'Z05_IFLIGHTAIRP' //
@AccessControl.authorizationCheck: #CHECK // CDS aut
@EndUserText.label: 'Flight by airport' //
@VDM.viewType: #COMPOSITE //
@Analytics.dataCategory: #CUBE //
@Analytics.dataExtraction.enabled: false //
@ObjectModel.foreignKey.association: '_FlightConnection' //
key Z00_I_Flight.FlightConnection, //
key Z00_I_Flight.FlightDate, //
@Semantics.currencyCode: true //
key Z00_I_Flight.Currency, //
@ObjectModel.foreignKey.association: '_AircraftType' //
key Z00_I_Flight.AircraftType, //
@Semantics.amount.currencyCode: 'Currency' //
@DefaultAggregation: #MIN //
Z00_I_Flight.FlightPrice, //
@DefaultAggregation: #SUM //
Z00_I_Flight.MaximumNumberOfSeats, //
@DefaultAggregation: #SUM //
Z00_I_Flight.NumberOfOccupiedSeats, //
@Semantics.amount.currencyCode: 'Currency' //
@DefaultAggregation: #SUM //
Z00_I_Flight.CurrentBookingsTotalAmount, //
/* Associations */
Z00_I_Flight._AircraftType, //
Z00_I_Flight._Airline, //
Z00_I_Flight._FlightConnection, //
Z00_I_Flight._FlightConnection._AirportFrom, //
Z00_I_Flight._FlightConnection._AirportTo //
}
Data preview for this CDS view in HANA Studio. Number of rows is 4894.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 10/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
@MappingRole: true
where ( Airline ) =
CARRID,
actvt = '03' );
5. Check result in BO Analysis for Excel. The result is the same, only selected
Airlines are availible for our user.
___________________________________________________________________________
_____
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 11/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
1. Create an analytical query CDS view in CUBE CDS from Part III.
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' //
@AccessControl.authorizationCheck: #CHECK // CDS autho
@EndUserText.label: 'Available Flights' //
@VDM.viewType: #CONSUMPTION //
@Analytics.query: true //
@OData.publish: true //
@AnalyticsDetails.query.axis: #ROWS //
Z05_I_FlightByAirport.Airline, //
@AnalyticsDetails.query.axis: #ROWS //
Z05_I_FlightByAirport.FlightConnection, //
@AnalyticsDetails.query.axis: #ROWS //
Z05_I_FlightByAirport.FlightDate, //
@Consumption.filter: {selectionType: #SINGLE, multipleSelectio
@AnalyticsDetails.query.axis: #ROWS //
@EndUserText.label: 'Departure Airport' //
Z05_I_FlightByAirport.AirportFrom, //
@Consumption.filter: {selectionType: #SINGLE, multipleSelectio
@AnalyticsDetails.query.axis: #ROWS //
@EndUserText.label: 'Arrival Airport' //
Z05_I_FlightByAirport.AirportTo, //
Z05_I_FlightByAirport.Currency, //
Z05_I_FlightByAirport.AircraftType, //
@AnalyticsDetails.query.axis: #COLUMNS //
Z05_I_FlightByAirport.FlightPrice, //
Z05_I_FlightByAirport.MaximumNumberOfSeats, //
Z05_I_FlightByAirport.NumberOfOccupiedSeats, //
@DefaultAggregation: #FORMULA //
//
//
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS //
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAir
}
2. Data preview for this CDS view in HANA Studio. Number of rows is 4894. It
seem that CDS view analytical query is not use Cube CDS view authorization, but
it is not true. You don’t need to create additional access control for analytical
query CDS view.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 12/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
3. Check result in RSRT or BO Analysis for Excel. The results demonstrate that
authorizations of Cube CDS view are used in analytical query.
Note: It is not required to create any variables in analytical query definition, like
we did in BEx query with authorization characteristics.
4. Modify access control for Cube CDS view. Add field authorization object
ZS_CONNID instead of ZS_CARRID.
@MappingRole: true
CONNID,
actvt = '03'
The analytical query result is more strict (look at ZS_CONNID definition in Part II
Step 4). Now number of rows is 212 in my case.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 13/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
___________________________________________________________________________
_____
@MappingRole: true
where ( Airline) =
CARRID,
(FlightDate ) =
FLTDATE,
actvt = '03' );
@MappingRole: true
where ( Airline) =
CARRID,
actvt = '03' ) OR
( FlightDate ) =
FLTDATE,
actvt = '03' );
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 14/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
@MappingRole: true
CARRID,
FLTDATE,
actvt = '03' );
Notes: Don’t forget to define authorizations at Cube CDS view level, not analytical
query level. If you define the same authorizations from Part V at analytical query
level:
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 15/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
In RSRT, BO Analysis for Excel and other tools using OLAP Engine
authorizations from Cube CDS view are used (if defined).
Notes: For analytical query for results in HANA Studio data preview showed all
data, to correct this create access control for analytical query:
@MappingRole: true
inherit Z05_ROLE; }
Conclusion for Part V: You can define intersection or union of authorizations for
Analytical CDS views.
Alert Moderator
Assigned Tags
ABAP Development
SAP S/4HANA
abap cds
authorizations
DCL
embedded analytics
View more...
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 16/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
By
Tushar Sharma Sep 09, 2017
Related Questions
Authorization not applied to oData Service which is exposed in a consumption cds view
By
jagadeesh kenguva Dec 09, 2020
ABAP CDS Views: How to manage when we have multiple Access Controls(DCL) for a CDS view
By
Raju C D Jul 26, 2018
CDS View - Filter Result Set with some ABAP Code or have selection filter based on some ABAP code
By
Axel Radack May 18, 2022
25 Comments
Additional Note:
If you exclude from analytical query definition fields by which authorizations are checked all will be filtered
correctly.
Like 0 | Share
Former Member
March 2, 2017 at 11:13 pm
Like 0 | Share
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 17/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Florian Henninger
March 6, 2017 at 9:13 pm
Nice Work.
I like the flowing style of the examples. Not something really new, but would suggest that it is easier to read
through your blog than working through the official help:-)
Like 0 | Share
Like 0 | Share
Horst Keller
March 20, 2017 at 1:15 pm
Just for the sake of completeness, here’s the official help (where part one can also be
found):
https://help.sap.com/http.svc/rc/abapdocu_751_index_htm/7.51/en-US/index.htm?
file=abencds_authorizations.htm
Like 0 | Share
Praneeth Chintapalli
May 10, 2017 at 9:57 am
Great Job.
Like 0 | Share
Cemal Aslan
May 19, 2017 at 9:24 pm
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 18/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Like 0 | Share
Marcelo Berger
May 31, 2017 at 4:31 pm
Like 0 | Share
Former Member
June 29, 2017 at 2:02 pm
Like 0 | Share
Sudarshan Survepalli
August 16, 2017 at 4:06 pm
Like 0 | Share
Additional Note 2:
If you are going to use ABAP CDS view in other ABAP logic, e.i. in ABAP reports I recommend you to look at
great Horst Keller blog:
https://blogs.sap.com/2015/12/07/abap-news-for-release-750-abap-cds-access-control/
Briefly:
In ABAP report use select from entity name (name after define view), not from DB view name (name
in @AbapCatalog.sqlViewName: 'DB_view') if you want DCL to be checked and data filtration occurred.
If you define @AccessControl.authorizationCheck: #CHECK or @AccessControl.authorizationCheck:
#NOT_REQUIRED it will work.
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 19/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Like 0 | Share
Manish Majumdar
November 5, 2019 at 6:19 pm
Hello Maksim,
Appreciate your time in getting the blog. I have two questions around the DCLs:
Like 0 | Share
Hi!
Link to documentation:
https://help.sap.com/viewer/f2e545608079437ab165c105649b89db/7.5.16/en-
US/707332186bf41014b5040bee4e204223.html
Also try to create new DCL (if you have system), in template there are useful comments. There are
all available features.
BR, Maksim
Like 0 | Share
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 20/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
K Shiva
December 13, 2019 at 6:13 pm
Hello Maksim,
This blog is very useful. I have one questions around the DCLs:
I have created an Analytical fiori application with the back end implementation as SQL view of a CDS.
I have done this by adding the sql name in the X-Query of the URL Parameters in the target mapping of the
tile in Launchpad configuration.
Now i have created the DCL for the CDS view and the data when i execute the cds is getting filtered by DCL
but the data in the fiori app is not getting filtered.
Seems the SQL View is not applying the DCL while rendering result on Analytical application.
Now how can i apply the DCL on the Analytical application which is using SQL view of a cds ?
Like 0 | Share
zaza Wang
January 5, 2020 at 1:13 pm
Like 0 | Share
viswanath thammineni
May 6, 2020 at 4:47 am
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 21/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Like 0 | Share
Hi,
As I know It is not possible to enhance Access Control, but you could create an additional one.
BR,
Maksim
Like 0 | Share
Dmitrii Sharshatkin
December 15, 2020 at 10:42 am
Hi Maksim,
Is it then a bug ?…
Thanks, Dima
Like 0 | Share
Olivier Souksamran
December 15, 2020 at 11:25 am
Dmitri,
This is actually acting like you experienced it. Maksim said it "should work as
AND" but unfortunatly it does not.
Regards,
Olivier
Like 0 | Share
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 22/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Dmitrii Sharshatkin
December 15, 2020 at 1:17 pm
Hi Olivier,
thanks for clarifying. Yes, indeed, they are joined with "OR" by default.
https://help.sap.com/doc/abapdocu_754_index_htm/7.54/en-
US/index.htm?file=abencds_dcl_role_cond_rule.htm
Regards, Dima
Like 1 | Share
Olivier Souksamran
December 15, 2020 at 1:33 pm
Dear Dmitrii,
Regards,
Olivier
Like 0 | Share
Alexandra Marinescu
January 26, 2021 at 4:15 pm
Like 0 | Share
Pranav Kapoor
June 14, 2020 at 7:32 am
Like 0 | Share
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 23/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
SRIRAM KOMPELL
March 4, 2022 at 6:47 am
Hi Maksim,
Thanks a lot for this Blog post, it really helped me to gone through a development.
i have a question here. can we have 2 different authorization objects with in the same access control behalf
of one CDS. For an instance,
Can i add one more field here like Customer here with Another Authorization object.
Sri Ram
Like 0 | Share
Hi!
BR,
Maksim
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 24/25
5/10/22, 20:21 ABAP CDS views with Authorization based on Access Control | SAP Blogs
Like 0 | Share
Find us on
Newsletter Support
https://blogs.sap.com/2017/02/27/abap-cds-views-with-authorization-based-on-access-control/ 25/25