Part1 – how to test odata service generated by CDS view
Part2 – what objects are automatically generated after you activate one CDS view
Part3 – how is view source in Eclipse converted to ABAP view in the backend
Part4 – how does annotation @OData.publish work
Part5 – how to create CDS view which supports navigation in OData service
Part6 – consume table function in CDS view
Part7 – unveil the secret of @ObjectModel.readOnly
Part8 – my summary of different approaches for annotation declaration and generation
Part9 – cube view and query view
Part10 – How does CDS view key user extensibility work in S4/HANA
Part11 – CDS view test double framework
Part12 – CDS view source code count tool
Part13 – this blog
Part14 – CDS view performance analysis using PlanViz in HANA studio

There are already lots of blogs in the community talking about the CDS authorization concept; here I just blog about what has so far not been mentioned in those blogs.

For demonstration purposes I create a very simple database table ZORDER with two entries:

And a CDS view on top of it:

@AbapCatalog.sqlViewName: 'zvorder'
@AbapCatalog.compiler.compareFilter: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Order for authorization POC'
define view zjerry_order as select from zorder {
  key order_id,
  order_text,
  order_type,
  post_date
}

In SAP help, it is documented that “If a CDS entity is specified in several access rules of a CDS role, the resulting access conditions are joined using a logical OR”.
And I create a simple authorization object ZJER_TYPE2 in tcode SU21, which contains the field PR_TYPE for the order type and the ACTVT field, with the following settings:

And then create an Access Control object:

@EndUserText.label: 'Order DCL POC'
@MappingRole: true
define role Zjerry_Order_Dcl {
  grant select on zjerry_order
    where ( order_type ) = aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '01' )
       or ( order_type ) = aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' );
}

Create a new PFCG role ZJER_AUTH_TEST3 with ACTVT = 01,02 and PR_TYPE = SRVO:

I use this combination to ensure that the statement before the OR operator will pass ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '01' ) ) while the statement after OR will fail ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' ) ).
And then assign this PFCG role to my user:

From a semantic perspective this means “it is expected that user WANGJER can only have access to orders with process type SRVO”.

Now all preparation is ready. Execute this simple SQL:

SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.

Only 1 record with type SRVO is returned, working as expected. But why? How does it work?

Use tcode STAUTHTRACE to perform an authorization trace:

The trace result shows that the evaluation of the first statement (before OR) succeeds, and the statement after OR fails. According to SAP help, the whole result is still true (true OR false = true).

What magic has happened when the Open SQL is executed? Why is the record with order type OPPT automatically filtered out?
Perform a SQL trace with tcode ST05 and display the execution plan via the menu below:

You can find that a fragment of WHERE statement has been added automatically. The value for ORDER_TYPE comes from the value of authorization object field PR_TYPE, which is mapped to CDS view field ORDER_TYPE in my DCL object.

This behavior is consistent with what is documented in SAP help:

When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical “and”.

Two DCL objects defined on the same CDS view

Again, SAP help says: “If a CDS entity is specified in multiple CDS roles, the resulting access conditions are joined using a logical OR”.

Let’s create a new PFCG role ZJER_AUTH_TEST4 which only grants display authorization on order type OPPT, together with a second DCL object on the same view:

@EndUserText.label: 'display authorization on OPPT'
@MappingRole: true
define role Zjerry_Order_Dcl2 {
  grant select on zjerry_order
    where ( order_type ) = aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' );
}

Execute the SQL once again under trace mode:
Still one record with type SRVO is returned.

The corresponding automatically appended WHERE statement: since the PFCG role ZJER_AUTH_TEST4 is NOT assigned to my user WANGJER, when the Open SQL is performed on the view, NO corresponding WHERE statement for order type OPPT, as defined in that PFCG role, is appended.
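As an added example (not code from this post or from SAP), the following Python models the two behaviours described above: aspect pfcg_auth values taken from the user's assigned PFCG roles, the OR-join across the rules of one DCL role and across several DCL roles on the same entity, and the AND of that condition with the SELECT. The table rows, role contents and function names are constructed for illustration.

```python
# Added example, not the post's code: rows and role contents are constructed.

# Constructed copy of table ZORDER (one row per order type from the post).
ZORDER = [
    {"order_id": "1", "order_type": "SRVO"},
    {"order_id": "2", "order_type": "OPPT"},
]

# PFCG roles from the post, as field values of authorization object ZJER_TYPE2.
PFCG_ROLES = {
    "ZJER_AUTH_TEST3": {"ACTVT": {"01", "02"}, "PR_TYPE": {"SRVO"}},
    "ZJER_AUTH_TEST4": {"ACTVT": {"03"}, "PR_TYPE": {"OPPT"}},
}

# DCL roles on zjerry_order: (CDS field, mapped auth field, required ACTVT).
DCL_ROLES = {
    "ZJERRY_ORDER_DCL": [("order_type", "PR_TYPE", "01"), ("order_type", "PR_TYPE", "03")],
    "ZJERRY_ORDER_DCL2": [("order_type", "PR_TYPE", "03")],
}

def pfcg_auth(assigned, auth_field, actvt):
    """Model of aspect pfcg_auth(): values of auth_field from every assigned
    PFCG role whose ACTVT covers the required activity. Empty set = false."""
    return set().union(*(PFCG_ROLES[r][auth_field] for r in assigned
                         if actvt in PFCG_ROLES[r]["ACTVT"]))

def access_condition(assigned, dcl_roles):
    """All rules of all DCL roles on the entity are joined with OR, so the
    allowed values per CDS field are the union over every rule."""
    cond = {}
    for role in dcl_roles:
        for cds_field, auth_field, actvt in DCL_ROLES[role]:
            cond.setdefault(cds_field, set()).update(pfcg_auth(assigned, auth_field, actvt))
    return cond

def appended_where(cond):
    """The fragment the database interface ANDs onto the SELECT (what the
    ST05 execution plan shows); a field with no allowed value becomes 1 = 0."""
    return " AND ".join(
        f"{f.upper()} IN ({', '.join(repr(v) for v in sorted(vals))})" if vals else "1 = 0"
        for f, vals in cond.items())

def select_from_view(assigned, dcl_roles, where=lambda row: True):
    """SELECT * FROM zjerry_order: the caller's WHERE is ANDed with the
    implicit access condition, so rows outside the allowed values are dropped."""
    cond = access_condition(assigned, dcl_roles)
    return [row for row in ZORDER
            if where(row) and all(row[f] in vals for f, vals in cond.items())]
```

With only ZJER_AUTH_TEST3 assigned, the model yields ORDER_TYPE IN ('SRVO') and one row whether one or both DCL roles exist; assigning ZJER_AUTH_TEST4 as well widens the condition to both order types.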

For more of Jerry's original articles, follow the WeChat official account "汪子熙":
