Tcode SACM(Access Control Management) to check authorization issues of CDS Views
For every fiori app in SAP, authorization check is requested and it’s reasonable, for example company code check. People from company A should only be allowed to look into data of company A. Company B’s data should be fitered out.
I am working on a POC project, the structure of the fiori app:
FrontEnd: smart template
BackEnd: CDS View
Authorization Check: DCL for the above CDS View created.
DCL looks like:
define role I_GAPSTARTNUM_DOC {
grant select on FISVD_DOCNR_GAP_STARTNUM
where
( bukrs ) = aspect pfcg_auth ( F_BKPF_BUK, BUKRS , ACTVT = ’03’ );
}
Problem Description: Authorization check unsuccessful. Everyone can get every company’s information.
How I reach my solution:
Step 1: ensure the DCL is in the system (for systems other than Dev system.)
Step 2: Go to backend system(where CDS view is located), use Tcode: SACM, full name for this tool is Access Control Management.
Step 3: Use Runtime tool “ACM Runtime Tool”, input parameters like below, execuate it. You will find if the DCL is execuated.
Step 4: If you find issues inside of the Runtime tools mentioned in Step3, or you just have no idea, you can go to Designtime tool “DCL-Documents” mentioned in Step 2. Check the status of your DCL. Run “Generate ABAP-Artifacts” if the status is not green.
Till this step, I have solved my problem. There are other tools that can be used. Try carefully.
Event with SAP_ALL i was not able to perform CDS Queries/Query Browser, so i had to perform DCL Initial Load in SACM to generate the ABAP Artifacts for S4/Hana, after that it worked fine
thanks for you blog!
hello
We are working on S/4 Hana from Authorization side, please could you provide list of new authorization objects for S/4 Hana.
Thanks
Dear author,
I cannot see "ACM Runtime Tool" in my system. It is S/4 HANA 1709. Please share me why?
Thanks,
Dai Nguyen Quang.