Access Control For CDS Views


What is DCL?

DCL stands for Data Control Language. DCL is used to define and manage access controls and authorizations for CDS views. It specifies which users or roles have access to the data exposed by a CDS view and what type of operations they can perform on this data. 

Scenarios we will work through for CDS views by applying DCL:

1. How do I apply authorization only if two role conditions are both true?

2. We have two roles and I want to ignore the first role. How?

3. What is Inherited_Rule?

4. With two roles, how do I apply authorization if either role condition is true?

CDS DCL (Data Control Language):

It further restricts the data returned from a CDS entity. A CDS role is not assigned to individual users and is evaluated for every user instead. DEFINE ROLE is used to restrict the user's access to the entity.

Here in CDS DCL we have access rules. 

Access rules: 

Access rules can define access conditions but also provide full access. 

Access conditions are based primarily on:

1. Literal values

2. Classic authorizations of the current user

3. Data from other CDS entities defined by a selection with the current user (self-defined aspects)

Access Control Annotation:

The access conditions are evaluated implicitly in each ABAP SQL read, based on the value of @AccessControl.authorizationCheck:

1. CHECK (default value)

2. NOT_REQUIRED

3. NOT_ALLOWED

If access control is enabled, only data that meets the access conditions is read.

@AccessControl.authorizationCheck: #CHECK:

CHECK is the default value. With this value, the DCL defined for the CDS view is evaluated every time the view is called. If access control is enabled, only data that meets the access conditions is read. If the annotation is set to CHECK and no DCL has been created for the CDS view, we get a warning like ‘DCL is not exist’; to avoid this we can use NOT_REQUIRED. If a DCL exists and you do not want access control applied to the CDS entity, use NOT_ALLOWED. If access control is enabled, only data that meets the access conditions is read, unless the read uses WITH PRIVILEGED ACCESS (covered later on this page).

How to disable access control:

Access control can be disabled in the following ways:

1. With the annotation value NOT_ALLOWED. If a DCL has been created but should not be applied when data is read from the CDS entity, set the annotation to NOT_ALLOWED. It then gives access to every user.

2. With WITH PRIVILEGED ACCESS. When the CDS entity is read with ABAP SQL using WITH PRIVILEGED ACCESS, the DCL is not executed, even if a DCL exists and the authorization check is set to CHECK.

3. By creating a full access rule for the entity in a customer CDS role.

Access control does not apply when a CDS entity is used as a data source in another CDS entity. Suppose CDS entity 2 is used in CDS entity 1 and entity 2 has some restrictions: when we access entity 1, those restrictions are not applied, because a DCL works only on the CDS entity it was created for, not on its sub CDS views.

When CDS entities are accessed using ABAP SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because access is not allowed by CDS access control.

How to give authorization:

First create a definition, then place the cursor on the definition, right-click, and choose New Access Control.

 

Left side: DCL program 

Right side: CDS entity 

Here I set the CDS entity to @AccessControl.authorizationCheck: #NOT_ALLOWED.

So, it fetches all data.

In this scenario, I set @AccessControl.authorizationCheck: #CHECK.

It evaluates the DCL program.

In this scenario, I set @AccessControl.authorizationCheck: #NOT_REQUIRED.

Output:

 

How to access this CDS view in a report

Right-click the package, choose New, choose Other Repository Objects, enter "program", and select ABAP Program.

In the CDS view, instead of NOT_REQUIRED, I am now using @AccessControl.authorizationCheck: #CHECK.

Press F9 in the report program.

Here it fetches data based on the access control condition.

 

If I do not want to use the DCL, that is, I do not want access control to be applied, I can use WITH PRIVILEGED ACCESS.

Output: Here we get the entire data, i.e. the DCL that we created for the CDS view is not evaluated.

 

1. What is an access rule in CDS access control?

2. What are the different types of access rule in CDS access control?

3. How to create an authorization object in SU21

4. Creating a role in transaction PFCG

5. Assigning a role to a user

6. Using a classic authorization object in CDS access control

1. What is an access rule in CDS access control?

Everything from GRANT up to the semicolon (;) is an access rule.

Access rules:

Access rules can define access conditions, but also provide full access.

 

The access rules defined by different CDS roles for a CDS entity are joined by a logical “or”. It is advisable to use only one access rule in a CDS role. 

 

2. What are the different types of access rule in CDS access control?

1. Conditional_rule: controls access using access conditions

2. Grant_rule: grants unrestricted access

3. Inherited_rule: applied from an existing CDS role (it can appear only once in a CDS role).

Conditional_rule:

The addition WHERE restricts access to a CDS entity using access conditions. COMBINATION MODE AND|OR (optional) is used when there are multiple access rules for the same CDS entity.

 

 
The addition can be used for a maximum of one access rule for a CDS entity. This addition also disables existing full access rules for a CDS entity. 

Grant_rule:

GRANT SELECT ON without the addition WHERE. Partners and customers can use full access rules to override roles supplied by SAP.

If SAP delivers a CDS entity with a DCL and we create another DCL for the same CDS entity using a grant rule, the other CDS access controls have no effect.

Inherited_Rule:

A CDS role can only contain one inherited access rule. The existing CDS role parent_role can only contain a single access rule for exactly one CDS entity, which itself can be an inherited access rule.

 

 

Normally, a WHERE condition in a DCL access control applies to all users. To provide authorization for a particular user, we go to SU21 and create an authorization object, class and fields.

3. Creation of an authorization object and assigning it in DCL access control.

Open Eclipse.

Press Alt+F8.

It will show like this. In the search bar, enter your transaction code and click OK.

It will open. First we need to create an authorization class, so click on Authorization Class.

 

 

Click on save. 

Now create the authorization object. Click on Authorization Object.

Click on save.

It will open like this. Here we need to specify the authorization field.

Enter SU20 to create authorization fields, or click on Authorization Field.

 

Click on save. 

 

Come back and enter the authorization field name and ACTVT field name. 

 

Click on defined permitted values (pen symbol). Click on display. Click on save. 

 

Click on save. 

Again, click on save and come back. 

Close SAP logon. 

Here, ASPECT PFCG_AUTH is used to supply the authorization object.

ZMSV_CDS_ –> Authorization object name

ZMSV_WAERK –> Authorization field name

ACTVT = ‘03’ –> Authorization field name and value. 03 means Display, which is the value we selected when defining the field, so here we give ‘03’.
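A CDS view and DCL role of the kind described above, as an added example that is not the original post's code. The view ZMSV_SALES_VIEW on table VBAK, its SQL view name and the role name are assumptions; the authorization object and field names are written as the page gives them.

```abap
// Added example, not the post's code.
// Assumed names: view ZMSV_SALES_VIEW on table VBAK, SQL view ZMSVSALESV,
// role ZMSV_ROLE_PFCG.
// ZMSV_CDS_ and ZMSV_WAERK are the object and field names as given on the page.

// --- DDL source: the protected CDS view ---
// #CHECK means the role below is evaluated on every ABAP SQL read of the view.
@AbapCatalog.sqlViewName: 'ZMSVSALESV'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Sales documents with currency'
define view ZMSV_SALES_VIEW
  as select from vbak
{
  key vbeln,
      auart,
      waerk
}

// --- DCL source: access control for the view ---
// Rows are returned only where waerk matches a value the current user holds
// in field ZMSV_WAERK of object ZMSV_CDS_, together with activity 03 (display).
@EndUserText.label: 'Restrict by authorized currency'
@MappingRole: true
define role ZMSV_ROLE_PFCG {
  grant select on ZMSV_SALES_VIEW
    where ( waerk ) = aspect pfcg_auth( ZMSV_CDS_, ZMSV_WAERK, ACTVT = '03' );
}
```

With the PFCG role built in the following steps (ZMSV_WAERK = 'CAD', ACTVT = Display) assigned, a user reading this view sees only rows with waerk = 'CAD'. A user who holds no authorization for the object gets no rows.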

 

Next we need to create a role, because a role is what lets us give access to a particular user.

So press Alt+F8.

Enter the transaction code ‘PFCG’. Select PFCG and click OK.

 

It will open like this. 

Enter role name and click on single role. 

 

Give a short description and click on the Authorizations tab. Click the button beside the profile name (it looks like a hand symbol). When we click on that symbol, the profile name and profile text are created automatically.

 

Click on Change authorization data. Click on tick mark. 

Select ‘do not select templates’. 

 

It will open like this. 

Click on manually. 

 

We need to provide our authorization object name. Click on tick mark. 

 

Click on the change option for ZMSV_WAER.

Here we allow only the value ‘CAD’ in the WAERK field.

 

Click on save. 

Click on the change option for ACTVT.

Tick Display and click on save.

 

Click on save. 

Click on generate option. 

 

 

Go back. In the Authorizations tab, the status is now green, which means it is activated.

Click on the User tab. Enter the user ID and click on User Comparison.

 

Here click on Full Comparison. 

 

It will come like this. 

 

Click on cancel. 

See now 2 tabs are in active. 

 

Come back to the CDS view and press F8.

Here we can access only the WAERK = ‘CAD’ data.

We can also access the WAERK = ‘USD’ data by using an OR condition.

1. How do I apply authorization only if two role conditions are both true?

COMBINATION MODE AND:

Here I created one CDS entity and one role. Inside the role I put two access controls. With COMBINATION MODE AND, data is returned only if both access controls are satisfied.

In this case COMBINATION MODE AND gives a blank result, because both conditions must be satisfied and I filtered on CAD and USD. Both conditions can never be satisfied together, so the output is blank, as shown below.

 

Output:- 

 

2. We have two roles and I want to ignore the first role. How?

REDEFINITION:

I created one access control and I want to override it. In this scenario we can use the REDEFINITION keyword. With REDEFINITION, all previous DCL controls are ignored and only what is specified in the current access control applies.

It is an obsolete concept. Here I created one role and I want to inherit this role in another role.

3. CDS DCL – Access Rules (INHERITED_RULE)

A CDS role can only contain one inherited access rule. The existing CDS role parent_role can only contain a single access rule for exactly one CDS entity, which itself can be an inherited access rule. 

      

 

4. With two roles, how do I apply authorization if either role condition is true?

 

Output: Here, it is the combination of USD and CAD.

There is also another way to access the WAERK = ‘USD’ data.

The output is the same.

 

Output:- 

 

In this scenario I am using COMBINATION MODE OR. It gives the same result.
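The combination scenarios above (either condition, both conditions, and REDEFINITION) written out as DCL sources, as an added example that is not the original post's code. The entity ZMSV_SALES_VIEW with an element waerk and all role names are assumptions; the literal conditions follow the CAD/USD filters the page describes.

```abap
// Added example, not the post's code. Assumed names: ZMSV_SALES_VIEW and roles.
// Each "define role" is its own DCL source. All active roles for an entity are
// evaluated together, so treat the three variants below as alternatives and
// activate only one of them at a time.

// Scenario 4: either condition is enough.
// Result: rows with waerk = 'CAD' plus rows with waerk = 'USD'.
@EndUserText.label: 'CAD or USD'
@MappingRole: true
define role ZMSV_ROLE_OR {
  grant select on ZMSV_SALES_VIEW
    where waerk = 'CAD';

  grant select on ZMSV_SALES_VIEW
    combination mode or
    where waerk = 'USD';
}

// Scenario 1: both conditions must hold for the same row.
// Result: empty, because one row cannot have waerk = 'CAD' and waerk = 'USD'.
@EndUserText.label: 'CAD and USD'
@MappingRole: true
define role ZMSV_ROLE_AND {
  grant select on ZMSV_SALES_VIEW
    where waerk = 'CAD';

  grant select on ZMSV_SALES_VIEW
    combination mode and
    where waerk = 'USD';
}

// Scenario 2: ignore every other access rule for the entity.
// Result: only rows with waerk = 'USD', whatever other roles grant.
@EndUserText.label: 'Redefine to USD only'
@MappingRole: true
define role ZMSV_ROLE_REDEF {
  grant select on ZMSV_SALES_VIEW
    redefinition
    where waerk = 'USD';
}
```

An AND combination that can never be true silently returns no rows for every user, and a REDEFINITION rule also switches off full access rules for the entity, so review both additions whenever a role is added for an entity that already has access rules.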

 
