CDS Part 5. ABAP CDS Views With Authorization

Authorizations in CDS Views

Access control, or authorization, is another dimension worth mentioning when it comes to SAP ABAP CDS (Core Data Services). Let’s look at what CDS offers here (an exciting feature) and explore the options it gives us to limit access to the data behind a view.

Before we start, a few terms are worth knowing (textbook definitions, excuse me):

DCL: Data Control Language (DCL) is used for controlling privileges in database operations. In CDS, a DCL source defines the access control role that is attached to a CDS view.

Two kinds of privileges are given to any user:

  1. System: access to, or privileges on, an SAP server as a whole. This is mostly taken care of by the SAP security folks (we do not need to bother much about it, but if you are curious which roles and authorizations you have, transaction SU01D lets you display your own user).
  2. Object: authorization objects, or access to certain T-Codes, are granted on a need basis. We can create our own authorization objects in SU21 and use them in our checks (a topic of its own).

GRANT: gives a user access privileges or other privileges for database operations. In a CDS DCL source, "grant select on <view>" is the only kind of grant there is; the restriction lives in its where clause.

REVOKE: takes permissions back from a user. There is no REVOKE in CDS DCL: access is narrowed by tightening the conditions of the role, not by revoking.

ROLE: a special permission created by the system admin for accessing (display/change/create) a particular T-Code or ABAP object. These are maintained in T-Code PFCG. Note that CDS DCL also uses the word role (a mapping role) for the access control definition attached to a view; a PFCG role and a DCL role are two different things, and approach 3 below is where the two meet.

For now, we shall concentrate only on ABAP CDS view authorization.

Getting our hands dirty is the way forward. The following steps show how DCL, the elder brother of SQL, can protect DDL, his younger.

STEP 1: A simple sample CDS view was created with a join between SFLIGHT and SFLCONNPOS.

Note: the annotation @AccessControl.authorizationCheck has been set to #NOT_REQUIRED. This means no warning is raised if the view has no DCL, but a DCL that does exist is still applied, which is why the data previews below change once we add one. For productive views, #CHECK is the safer choice: it raises a syntax warning when the view has no access control at all.

// Demo view: SFLIGHT joined to SFLCONNPOS on the airline only, so every
// flight of a carrier is paired with every connection position of that carrier.
@AbapCatalog.sqlViewName: 'ZCDS_ACCNTRL_DDL'
@AbapCatalog.compiler.compareFilter: true
// #NOT_REQUIRED: no warning if the view has no DCL; a DCL that exists is still applied.
@AccessControl.authorizationCheck: #NOT_REQUIRED
@EndUserText.label: 'CDS to Test Access Control'
define view ZCDS_TEST_ACCESS_CTRL as
  select from sflight as a
    inner join sflconnpos as b
      on a.carrid = b.carrid
{
  // These element names are what the DCL conditions refer to.
  key a.carrid    as MyFlightCarrier,
      b.agencynum as MyAgencyNumber
}

STEP 2: Follow the steps below to create a DCL object (access control) for the CDS view.

By default, the following screen appears once you finish creating it [a good feature of Eclipse for lazy people (like me), so that we do not have to type the skeleton ourselves].

What we noticed (from experience) is that there are 3 approaches available to us. Do not worry; each of them is covered below.

Approach 1: Using just the view name [smarter people call this Full Access]

No restrictions apply here. Just provide your CDS view name and nothing else. Nothing much to tell, other than that WARNING!!!

It is best seen from the description I got from the editor:

This warning tells that the user (the ABAP developer) has not been mapped to this DCL.

What we can infer is that approach 1 is not much use for restricting anything: a full-access role returns every row to every user, which is the same as having no DCL at all. Its only purpose is to state explicitly that a view needs no restriction (and to silence the missing-role warning under #CHECK). So let’s fast forward to approach 2.

Approach 2: Using a where clause [experts say: using literal conditions]

Before we deep dive, let’s look at the data preview of the CDS view:

The result set has entries for the following flight carriers:

Amused how I got it? Follow this: top right corner of the data preview -> Add Filter -> click on MyFlightCarrier -> click on “...” -> voila, you have it!

Now, if you are still not exhausted, continue and make a change in the DCL.

Do the following (code snippet):

// Literal condition: the same restriction for every user, whoever runs the query.
@EndUserText.label: 'role_label'
@MappingRole: true
define role role_name {
    grant select on ZCDS_TEST_ACCESS_CTRL
      where MyFlightCarrier = 'DL';   // only rows of carrier 'DL' survive
}

Run the data preview to see the magic (well, not really: you wrote the code and got the output, no big deal). Only rows with MyFlightCarrier = 'DL' remain, and they remain for every user, because a literal condition does not depend on who is running the query.

Be happy anyway. You have done something (well, me in this case).

Next, very important. Let’s get into some serious business now: T-Code PFCG.

Approach 3: Using PFCG authorizations [I say the same as others do]

Before you begin this, I suggest you have a look at what PFCG is for some important background.

But more important for us is T-Code SU21. Navigate to find the authorization object S_CARRID (shown below with details). It has two fields: CARRID (the airline) and ACTVT (the activity); activity '03' is display.

Now it is time to put our efforts into the DCL. Use this:

// PFCG aspect: a row is returned only if the current user has an S_CARRID
// authorization whose CARRID matches MyFlightCarrier and whose ACTVT contains '03'.
@EndUserText.label: 'role_label'
@MappingRole: true
define role role_name {
    grant select on ZCDS_TEST_ACCESS_CTRL
      where ( MyFlightCarrier ) = aspect pfcg_auth ( s_carrid, carrid, actvt = '03' );
}
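The literal condition from approach 2 and the PFCG aspect from approach 3 can be combined in one role. The following is an added example and not the DCL from the original post: carrier 'DL' is made visible to every user, while every other carrier requires an S_CARRID authorization for that carrier with activity '03'. The role name ZCDS_TEST_ACCESS_CTRL_DCL is an assumption; the view and element names are the ones used above.

```abap
// Added example (not from the original post). Role name is assumed.
// Branch 1 (literal): rows of carrier 'DL' are returned to every user.
// Branch 2 (PFCG aspect): rows of any carrier are returned only if the current
// user holds S_CARRID with CARRID = that carrier and ACTVT containing '03'.
// Because the branches are joined with "or", a user without any S_CARRID
// authorization still sees the 'DL' rows and nothing else.
@EndUserText.label: 'Access control for ZCDS_TEST_ACCESS_CTRL'
@MappingRole: true
define role ZCDS_TEST_ACCESS_CTRL_DCL {
  grant select on ZCDS_TEST_ACCESS_CTRL
    where MyFlightCarrier = 'DL'
       or ( MyFlightCarrier ) = aspect pfcg_auth ( S_CARRID, CARRID, ACTVT = '03' );
}
```

Replace the "or" with "and" and the meaning flips: 'DL' rows would then be returned only to users who also hold S_CARRID for 'DL', and no other carrier would ever be visible. The data preview that follows in the post was taken with the post's own role (PFCG aspect only), not with this variant.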

Data preview of the CDS view:

All said and done. Now the question remains: what have we achieved here? Nothing, the preview is empty. Why? Because our user ID has no S_CARRID authorization (no PFCG role containing it has been assigned), and with a pfcg_auth condition a user without matching authorizations sees no rows at all.

So, what we need to do is:

  1. Create our own authorization object (or reuse S_CARRID, as here) and put it into a PFCG role with the carriers and ACTVT '03' we want to allow.
  2. Ask the Basis folks to assign that role to a particular user ID.
  3. Check the difference between a user ID with and one without the authorization.
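For step 3, one way to see the difference from a single user ID, without waiting for a second test user, is a small report that counts the rows the CDS access control lets through and compares them with the unrestricted count. This is an added example, not code from the original post; it assumes ABAP 7.52 or later for WITH PRIVILEGED ACCESS, and it deliberately selects from the CDS entity ZCDS_TEST_ACCESS_CTRL rather than from the SQL view ZCDS_ACCNTRL_DDL, because the DCL is only applied when the CDS entity is accessed.

```abap
REPORT zcds_access_ctrl_check.

" Added example (not from the original post). Assumes ABAP 7.52+ for
" WITH PRIVILEGED ACCESS and the view/element names used in the post.
" Always select from the CDS entity (ZCDS_TEST_ACCESS_CTRL), never from the
" generated SQL view (ZCDS_ACCNTRL_DDL): the DCL is bypassed on the SQL view.

CLASS lcl_check DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS run.
ENDCLASS.

CLASS lcl_check IMPLEMENTATION.
  METHOD run.
    DATA lv_restricted   TYPE i.
    DATA lv_unrestricted TYPE i.
    DATA lt_carriers     TYPE STANDARD TABLE OF s_carr_id WITH EMPTY KEY.

    " 1) Normal access: the DCL role of the view is evaluated for sy-uname.
    SELECT COUNT( * )
      FROM zcds_test_access_ctrl
      INTO @lv_restricted.

    " 2) Privileged access skips the CDS access control (it does not skip
    "    any AUTHORITY-CHECK in the program), so this is the full data set.
    SELECT COUNT( * )
      FROM zcds_test_access_ctrl WITH PRIVILEGED ACCESS
      INTO @lv_unrestricted.

    " 3) Which carriers the current user is actually allowed to see.
    SELECT DISTINCT myflightcarrier
      FROM zcds_test_access_ctrl
      INTO TABLE @lt_carriers.

    WRITE: / 'User', sy-uname, 'sees rows:', lv_restricted,
           / 'Rows without access control (privileged):', lv_unrestricted.
    LOOP AT lt_carriers INTO DATA(lv_carrid).
      WRITE: / '  visible carrier', lv_carrid.
    ENDLOOP.

    " 4) Manual cross-check against the PFCG aspect used in the DCL:
    "    the carrier 'DL' may only appear above if this check succeeds.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
      ID 'CARRID' FIELD 'DL'
      ID 'ACTVT'  FIELD '03'.
    IF sy-subrc = 0.
      WRITE / 'S_CARRID: DL with ACTVT 03 is granted to this user'.
    ELSE.
      WRITE / 'S_CARRID: no authorization for DL/03, so DL rows must be absent'.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  lcl_check=>run( ).
```

Run it once before and once after the Basis folks assign the PFCG role: the privileged count stays the same, the restricted count and the list of visible carriers change, and the AUTHORITY-CHECK line tells you whether the DCL result and the classic authorization check agree.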