Hi!
In this post I would like to consider a very important authorization aspect of ABAP CDS views. For each CDS view we have to define an access control using DCL.
For the demonstration cases I'm using S/4HANA 1610 on NW 7.51.
There are 5 parts in this post:
Part I. Standard demo access control examples
Part II. Create a simple example based on PFCG authorizations
Part III. Access control for analytical CDS views with CUBE data category
Part IV. Access control for analytical query CDS views
Part V. UNION or INTERSECTION of authorizations
Let's start.
________________________________________________________________________________
Part I. Standard demo access control examples
First of all I recommend to begin with standard demo CDS views in SABAPDEMOS package based on Flight Model.
1. Full access demo example
DDL:
DCL:
2. Literal conditions demo example
DDL:
DCL:
3. PFCG authorizations demo example
DDL:
DCL:
Authorization object s_carrid could be found in t-code SU21 under BC_C object class.
4. Combination of literal and PFCG authorizations demo example
DDL:
DCL:
5. Inherited authorization demo example
DDL:
DCL:
In this example data records with USD and EUR currency code will be showed.
6. Current user authorization demo example
DDL:
DCL:
In this example data records will be filtered based on user name accessing CDS view.
Conclusion of Part 1: we considered standard demo examples with different options, let's try to create our own CDS view with access control.
________________________________________________________________________________
Part II. Create a simple example based on PFCG authorizations
1. Create a our own CDS view by coping existing one:
Now if we open data preview in HANA Studio we will see all records. Access control doesn't exist yet.
2. Create our z-authorization objects in SU21 t-code:
For each object define authorization field(s) and Activity field, include in permitted activities 03 Display. In our case we include CARRID field in ZS_CARRID and CONNID in ZS_CONNID.
3. Create access control for ZS_CARRID authorization object.
If we open data preview in HANA studio we will not see any data.
4. Create a new role in PFCG and include authorization objects here. Define what data based on selected fields users should see. Don't forget to generate profile. Assign role to our user.
In first case we will use only ZS_CARRID. We will use another object later in this post.
5. Go back to HANA studio to test authorization. Open data preview for our CDS.
Now we see only records with defined for Airline Company (CARRID) field.
Note: If we open a view in ABAP Dictionary (SE11) the result is all data records.
Note: if we change annotation in DDL, activate CDS view for changes to be applied, we will see all records in data preview once again. This means that a check is off.
Conclusion of Part 2: We see how access control is working in simple case of selection from a table, let's move to analytic CDS views.
_____________________________________________________________________________
Part III. Access control for analytical CDS views with CUBE data category
1. Create a our own CDS view by coping existing one. This is CDS view with CUBE data category.
Data preview for this CDS view in HANA Studio. Number of rows is 4894.
2. Define access control for CDS view with CUBE data category.
3. In part II of this post we included ZS_CARRID authorization object to our user. Check result in data preview in HANA Studio. Number of rows is 530.
4. Check result in RSRT t-code. Number of rows is 530. The same result.
5. Check result in BO Analysis for Excel. The result is the same, only selected Airlines are availible for our user.
Note. There is no transnational data for AF Airline, that's why it is not shown at the screen above.
________________________________________________________________________________
Part IV. Access control for analytical query CDS views
2. Data preview for this CDS view in HANA Studio. Number of rows is 4894. It seem that CDS view analytical query is not use Cube CDS view authorization, but it is not true. You don't need to create additional access control for analytical query CDS view.
3. Check result in RSRT or BO Analysis for Excel. The results demonstrate that authorizations of Cube CDS view are used in analytical query.
Note: It is not required to create any variables in analytical query definition, like we did in BEx query with authorization characteristics.
4. Modify access control for Cube CDS view. Add field authorization object ZS_CONNID instead of ZS_CARRID.
The analytical query result is more strict (look at ZS_CONNID definition in Part II Step 4). Now number of rows is 212 in my case.
________________________________________________________________________________
Part V. UNION or INTERSECTION of authorizations
2. Union of authorizations with "OR":
3. Two fields in one authorization object is like intersection.
Notes: Don't forget to define authorizations at Cube CDS view level, not analytical query level. If you define the same authorizations from Part V at analytical query level:
Notes: For analytical query for results in HANA Studio data preview showed all data, to correct this create access control for analytical query:
Conclusion for Part V: You can define intersection or union of authorizations for Analytical CDS views.
Thank you for attention!
In this post I would like to consider a very important authorization aspect of ABAP CDS views. For each CDS view we have to define an access control using DCL.
For the demonstration cases I'm using S/4HANA 1610 on NW 7.51.
There are 5 parts in this post:
Part I. Standard demo access control examples
Part II. Create a simple example based on PFCG authorizations
Part III. Access control for analytical CDS views with CUBE data category
Part IV. Access control for analytical query CDS views
Part V. UNION or INTERSECTION of authorizations
Let's start.
________________________________________________________________________________
Part I. Standard demo access control examples
First of all I recommend to begin with standard demo CDS views in SABAPDEMOS package based on Flight Model.
1. Full access demo example
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
as select from
scarr
{
key carrid,
carrname,
currcode,
url
}; DCL:
@MappingRole: true
define role demo_cds_role_fullaccess {
grant select on demo_cds_auth_fullaccess; }2. Literal conditions demo example
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
as select from
scarr
{
key carrid,
carrname,
currcode,
url
}; DCL:
@MappingRole: true
define role demo_cds_role_literal {
grant select on demo_cds_auth_literal
where carrid = 'LH'; }3. PFCG authorizations demo example
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
}; DCL:
@MappingRole: true
define role demo_cds_role_pfcg {
grant select on demo_cds_auth_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03'); }Authorization object s_carrid could be found in t-code SU21 under BC_C object class.
4. Combination of literal and PFCG authorizations demo example
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
}; DCL:
@MappingRole: true
define role demo_cds_role_lit_pfcg {
grant select on demo_cds_auth_lit_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='03') and
currcode = 'EUR'; }5. Inherited authorization demo example
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
as select from
demo_cds_auth_lit_pfcg
{
key carrid,
carrname,
currcode,
url
}; DCL:
@MappingRole: true
define role demo_cds_role_inherited {
grant select on demo_cds_auth_inherited
inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }In this example data records with USD and EUR currency code will be showed.
6. Current user authorization demo example
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
as select from
abdocmode
{
key uname,
key langu,
flag
}; DCL:
@MappingRole: true
define role demo_cds_role_user {
grant select on demo_cds_auth_user
where
uname ?= aspect user; }In this example data records will be filtered based on user name accessing CDS view.
Conclusion of Part 1: we considered standard demo examples with different options, let's try to create our own CDS view with access control.
________________________________________________________________________________
Part II. Create a simple example based on PFCG authorizations
1. Create a our own CDS view by coping existing one:
@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
{
key carrid,
carrname,
currcode,
url
}; Now if we open data preview in HANA Studio we will see all records. Access control doesn't exist yet.
2. Create our z-authorization objects in SU21 t-code:
For each object define authorization field(s) and Activity field, include in permitted activities 03 Display. In our case we include CARRID field in ZS_CARRID and CONNID in ZS_CONNID.
3. Create access control for ZS_CARRID authorization object.
@MappingRole: true
define role zdemo_access_pfcg {
grant select on Zdemo_Access_Pfcg
where (carrid) =
aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }If we open data preview in HANA studio we will not see any data.
4. Create a new role in PFCG and include authorization objects here. Define what data based on selected fields users should see. Don't forget to generate profile. Assign role to our user.
In first case we will use only ZS_CARRID. We will use another object later in this post.
5. Go back to HANA studio to test authorization. Open data preview for our CDS.
Now we see only records with defined for Airline Company (CARRID) field.
Note: If we open a view in ABAP Dictionary (SE11) the result is all data records.
Note: if we change annotation in DDL, activate CDS view for changes to be applied, we will see all records in data preview once again. This means that a check is off.
@AccessControl.authorizationCheck: #NOT_ALLOWED Conclusion of Part 2: We see how access control is working in simple case of selection from a table, let's move to analytic CDS views.
_____________________________________________________________________________
Part III. Access control for analytical CDS views with CUBE data category
1. Create a our own CDS view by coping existing one. This is CDS view with CUBE data category.
@AbapCatalog.sqlViewName: 'Z05_IFLIGHTAIRP' // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Flight by airport' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #COMPOSITE // This is a COMPOSITE interface view in the VDM, because it is based on multiple BASIC views
@Analytics.dataCategory: #CUBE // Makes it avaialble for analytics as dimension view via the analytics manager. Is simular to #FACT but #CUBE has more redundant data
@Analytics.dataExtraction.enabled: false // No data extraction allowed as you don't want redundancies in data extraction
define view Z05_I_FlightByAirport as select from Z00_I_Flight // A CDS is implemented using a query select from CDS view Z00_I_Flight
{ // No associations needed as these are handled within the BASIC views
// In the BASIC view we used alias to make the column names are userfriendly
// Also the associations from the othe views are added automatically
@ObjectModel.foreignKey.association: '_Airline' // Defines a foreignkey association for the field Z00_I_Flight.Airline to view _Airline.Airline
key Z00_I_Flight.Airline, // Use the column Airline as a key field
@ObjectModel.foreignKey.association: '_FlightConnection' // Defines a foreignkey association for the field Z00_I_Flight.FlightConnection to view _FlightConnection.FlightConnection
key Z00_I_Flight.FlightConnection, // Use the column FlightConnection as a key field
key Z00_I_Flight.FlightDate, // Use the column FlightDate as a key field
@EndUserText.label: 'Airport From' // Add an enduser label to make sure that we can differentiate between AirportFrom and AirportTo
@ObjectModel.foreignKey.association: '_AirportFrom' // Defines a foreignkey association for the field _FlightConnection.AirportFrom to view _AirportFrom.AirportFrom
key Z00_I_Flight._FlightConnection.AirportFrom, // Use the column _FlightConnection.AirportFrom as a key field
@EndUserText.label: 'Airport To' // Add an enduser label to make sure that we can differentiate between AirportFrom and AirportTo
@ObjectModel.foreignKey.association: '_AirportTo' // Defines a foreignkey association for the field _FlightConnection.AirportTo to view _AirportFrom.AirportTo
key Z00_I_Flight._FlightConnection.AirportTo, // Use the column _FlightConnection.AirportTo as a key field
@Semantics.currencyCode: true // This tells the column AirlineUsedCurrency that it is a currency code field
key Z00_I_Flight.Currency, // Use the column Currency as a key field
@ObjectModel.foreignKey.association: '_AircraftType' // Defines a foreignkey association for the field AircraftType to view _AircraftType.AircraftType
key Z00_I_Flight.AircraftType, // Use the column AircraftType as a key field
@Semantics.amount.currencyCode: 'Currency' // The annotated field contains a monetary amount, and the corresponding currency code is contained in the referenced field
@DefaultAggregation: #MIN // The field is aggregated using MIN
Z00_I_Flight.FlightPrice, // Use the column FlightPrice
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@Semantics.amount.currencyCode: 'Currency' // The annotated field contains a monetary amount, and the corresponding currency code is contained in the referenced field
@DefaultAggregation: #SUM // The field is aggregated using SUM
Z00_I_Flight.CurrentBookingsTotalAmount, // Use the column CurrentBookingsTotalAmount
/* Associations */
Z00_I_Flight._AircraftType, // The fields from the association _AircraftType
Z00_I_Flight._Airline, // The fields from the association _Airline
Z00_I_Flight._FlightConnection, // The fields from the association _FlightConnection
Z00_I_Flight._FlightConnection._AirportFrom, // This needs to be added because airportFrom is not available for analytics, because we used it only as a foreignkey
Z00_I_Flight._FlightConnection._AirportTo // This needs to be added because airportTo is not available for analytics, because we used it only as a foreignkey
}
Data preview for this CDS view in HANA Studio. Number of rows is 4894.
2. Define access control for CDS view with CUBE data category.
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline ) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' );
}3. In part II of this post we included ZS_CARRID authorization object to our user. Check result in data preview in HANA Studio. Number of rows is 530.
4. Check result in RSRT t-code. Number of rows is 530. The same result.
5. Check result in BO Analysis for Excel. The result is the same, only selected Airlines are availible for our user.
Note. There is no transnational data for AF Airline, that's why it is not shown at the screen above.
________________________________________________________________________________
Part IV. Access control for analytical query CDS views
- Create an analytical query CDS view in CUBE CDS from Part III.
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view
@Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated
define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
// Take care with OData publishing the max. lenght is 26 characters
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection
Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate
Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom
@EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo
@EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo
Z05_I_FlightByAirport.Currency, // Use the column Currency
Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice
Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
// view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages
// as they cannot be evaluated at the detail level
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column)
} 2. Data preview for this CDS view in HANA Studio. Number of rows is 4894. It seem that CDS view analytical query is not use Cube CDS view authorization, but it is not true. You don't need to create additional access control for analytical query CDS view.
3. Check result in RSRT or BO Analysis for Excel. The results demonstrate that authorizations of Cube CDS view are used in analytical query.
Note: It is not required to create any variables in analytical query definition, like we did in BEx query with authorization characteristics.
4. Modify access control for Cube CDS view. Add field authorization object ZS_CONNID instead of ZS_CARRID.
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( FlightConnection) = aspect pfcg_auth ( ZS_CONNID,
CONNID,
actvt = '03' );
}The analytical query result is more strict (look at ZS_CONNID definition in Part II Step 4). Now number of rows is 212 in my case.
________________________________________________________________________________
Part V. UNION or INTERSECTION of authorizations
- Intersection of authorizations with "AND". New authorization ZS_FLDAT was defined for 3 days range only (04.02.2015 - 06.02.2015). DCL modification for intersection:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) AND
(FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );
}2. Union of authorizations with "OR":
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '03' ) OR
( FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '03' );
}3. Two fields in one authorization object is like intersection.
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline, FlightDate) =
aspect pfcg_auth ( ZS_NEW,
CARRID,
FLTDATE,
actvt = '03' );Notes: Don't forget to define authorizations at Cube CDS view level, not analytical query level. If you define the same authorizations from Part V at analytical query level:
- In Data Preview of SAP HANA Studio the results seem to be correct
- In RSRT, BO Analysis for Excel and other tools using OLAP Engine authorizations from Cube CDS view are used (if defined).
Notes: For analytical query for results in HANA Studio data preview showed all data, to correct this create access control for analytical query:
@MappingRole: true
define role Z05_ROLE_2 {
grant select on Z05_C_FlightByAirportQuery
inherit Z05_ROLE; }Conclusion for Part V: You can define intersection or union of authorizations for Analytical CDS views.
Thank you for attention!
- SAP Managed Tags:
25 Comments
