Authorization Object Check in Access View:
Authorization Objects and Access Controls are used to limit users, so that each
user gets only the information required for their work profile/role.
SAP Access Control in ABAP CDS restricts the data returned from a CDS entity
(view).
SAP Access Control provides an additional method for checking authorizations in
the SAP authorization concept.
Scenario: We want to show a user data for one specific airline. With the help of
an Access Control, we restrict the user to data about that airline and not
all airlines.
Step by Step Guide to Create and Use SAP ABAP CDS Access Control
Step 1 Create Access Control
Provide a name for the Access Control and click Next.
There are various templates available for creating an Access Control. In this
demo we use the most commonly used template, "Define Role with PFCG". This
template needs a PFCG Role to be created, and that role is then assigned to
the user.
Select the template and click Finish.
Once we click the Finish button, the Access Control is created from the template.
We have already created the Role and the Authorization Object in the system, with
the name ZSPFLI_AUT and Activity 03 (Display).
Step 2 Create Role and Maintain Authorization Object
Role Created
Authorization Object Created
Step 3 Update AccessControl annotation to #CHECK
To allow the CDS View to use the Authorization Object or Access Control, we
need to add the line below to our CDS View:
@AccessControl.authorizationCheck: #CHECK
Set the value of the authorizationCheck annotation to #CHECK. If we do not
change this annotation to #CHECK, the Access Control will not be triggered.
We want to apply the Access Control to the CDS View Z_C_MDE_SFLIGHT, which
returns flight details.
Step 4 Make changes to generated Access Control Template
After making changes to the generated template, we get the completed Access
Control below, which reads data from the CDS View Z_C_MDE_SFLIGHT.
Step 5 Execute CDS View
We get only the Singapore Airlines records, as determined by our
Access Control.
If we change the annotation to @AccessControl.authorizationCheck: #NOT_ALLOWED,
the authorization check is not triggered, even though an Access Control is
applied to the CDS View.
Previewing the data again, we get all records for all airlines.
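The objects from Steps 3 and 4 written out, as an added example that is not the original page's code. The view body (SAP demo table sflight), the SQL view name, the role name Z_C_MDE_SFLIGHT_DCL and the authorization field CARRID are assumptions; ZSPFLI_AUT and Activity 03 come from the text above.

```abap
// --- DDL source: Z_C_MDE_SFLIGHT (body assumed; the page does not show it) ---
@AbapCatalog.sqlViewName: 'ZCMDESFLIGHT'      // assumed SQL view name
@AccessControl.authorizationCheck: #CHECK     // Step 3: evaluate assigned access controls
@EndUserText.label: 'Flight details'
define view Z_C_MDE_SFLIGHT
  as select from sflight                      // assumed source: SAP demo table SFLIGHT
{
  key carrid,                                 // airline code, the element the role filters on
  key connid,
  key fldate,
      planetype,
      seatsmax,
      seatsocc
}

// --- DCL source: Z_C_MDE_SFLIGHT_DCL (hypothetical role name) ---
// A row is returned only if the user's PFCG role holds an authorization for
// object ZSPFLI_AUT whose CARRID field (assumed field name) covers the row's
// carrid AND whose ACTVT field contains 03 (Display).
// A user without any ZSPFLI_AUT authorization gets an empty result, not an error.
@EndUserText.label: 'Flights restricted by airline'
@MappingRole: true
define role Z_C_MDE_SFLIGHT_DCL {
  grant select on Z_C_MDE_SFLIGHT
    where ( carrid ) = aspect pfcg_auth( ZSPFLI_AUT, CARRID, ACTVT = '03' );
}
```

The role is evaluated only when data is read through the CDS entity Z_C_MDE_SFLIGHT; reading the generated SQL view directly is not filtered by it.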
Advantages of using Access Control:
1. There is no need to modify any CDS View when we have different cases
for access.
2. We can easily reuse existing Roles and Authorization Objects, with no
need to create new ones.
3. Data-level restrictions can easily be applied along with the role-based
check.
I have a CDS view and would like to apply authorization checks.
CDS View ZCDS_VIEW
    @AbapCatalog.sqlViewName: 'ZCDS_VIEW'
    @VDM.viewType: #BASIC
    @AccessControl.authorizationCheck: #CHECK
    define view ZCDS_VIEW
      as select distinct from vbak
        inner join vbap on vbap.vbeln = vbak.vbeln // At least 1 item
        [...]
    {
      key vbak.vbeln,
          vbak.ktext,
          [...]
    }
    where
      [...].
My concern is that the way to control authorizations requires checks in
different tables and not just an authorization check on a field in the CDS view.
Indeed, I must:
1. Check the authorizations on the profit center of a specific table ZT1
2. Make a join of the entries of the ZT1 table with a ZT2 table which gives
me the authorized divisions
3. Filter the results of my CDS view with the authorized divisions.
To do that I did like this:
Create CDS ZCDS_AUTH_PLANT
    @AbapCatalog.sqlViewName: 'ZCDS_AUTH_PLANT'
    @VDM.viewType: #BASIC
    @AccessControl.authorizationCheck: #CHECK
    define view ZCDS_AUTH_PLANT
      as select distinct from zt1
        inner join zt2 on zt2.bu = zt1.bu
    {
      zt1.prctr as profit_center,
      zt2.bukrs as company_code,
      zt2.werks as plant_code
    };
Create DCL ZDCL_AUTH_PLANT
    @MappingRole: true
    define role ZDCL_AUTH_PLANT {
      grant select on ZCDS_AUTH_PLANT
        where ( profit_center ) = aspect pfcg_auth( XXX, PRCTR );
    }
Update CDS ZCDS_VIEW
Addition of the join condition on ZCDSC4_AUTH_PLANT to have authorized
divisions.
    @AbapCatalog.sqlViewName: 'ZCDS_VIEW'
    @VDM.viewType: #BASIC
    @AccessControl.authorizationCheck: #CHECK
    define view ZCDS_VIEW
      as select distinct from vbak
        inner join ZCDSC4_AUTH_PLANT on ZCDSC4_AUTH_PLANT.plant_code = vbap.werks // At least 1 item matching division
        [...]
    {
      key vbak.vbeln,
          vbak.ktext,
          [...]
    }
    where
      [...].