There are already lots of blogs in the community talking about the CDS authorization concept, so here I only blog what has so far not been mentioned in those blogs.
For demonstration purposes I create a very simple database table ZORDER with two entries:
And a CDS view on top of it:
@AbapCatalog.sqlViewName: 'zvorder'
@AbapCatalog.compiler.compareFilter: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Order for authorization POC'
define view zjerry_order as select from zorder {
  key order_id, 
  order_text, 
  order_type, 
  post_date
}
In SAP help, it is documented that “If a CDS entity is specified in several access rules of a CDS role, the resulting access conditions are joined using a logical OR”.
And I create a simple authorization object ZJER_TYPE2 in tcode SU21 which contains the field PR_TYPE for the order type and the ACTVT field, with the following settings:
And then create an Access Control object:
@EndUserText.label: 'Order DCL POC'
@MappingRole: true
define role Zjerry_Order_Dcl {
  grant select on zjerry_order
    where ( order_type ) = aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '01' )
       or ( order_type ) = aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' );
}
Create a new PFCG role ZJER_AUTH_TEST3 with ACTVT = 01,02 and PR_TYPE = SRVO:
I use this combination to ensure that the condition before the OR operator passes ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '01' ) ), while the condition after the OR fails ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' ) ).
And then assign this PFCG role to my user:
This means, from a semantic perspective, that “it is expected that user WANGJER can only have access to orders with process type SRVO”.
Now all preparation is ready. Execute this simple SQL:
SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.
Only 1 record with type SRVO is returned, working as expected. But why? How does it work?
Use tcode stauthtrace to perform a trace:
The trace result shows that the evaluation of the first condition before the OR succeeds, and the condition after the OR fails. According to SAP help, the whole result is still true (true OR false = true).
What magic has happened when the Open SQL is executed? Why is the record with order type OPPT automatically filtered out?
Perform a SQL trace with tcode ST05 and display the execution plan via the menu below:
You can find that a WHERE fragment has been added automatically. The value for ORDER_TYPE comes from the value of the authorization object field PR_TYPE, which is mapped to the CDS view field ORDER_TYPE in my DCL object.
This behavior is consistent with what is documented in SAP help:
When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical “and”.

Two DCL objects defined on the same CDS view

Again the SAP help says: “If a CDS entity is specified in multiple CDS roles, the resulting access conditions are joined using a logical OR”.
Let’s create a new PFCG role ZJER_AUTH_TEST4 which only grants display authorization on order type OPPT.
@EndUserText.label: 'display authorization on OPPT'
@MappingRole: true
define role Zjerry_Order_Dcl2 {
  grant select on zjerry_order
    where ( order_type ) = aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' );
}
Execute the SQL once again under trace mode:
Still one record with type SRVO is returned.
The corresponding automatically appended WHERE statement: since the PFCG role ZJER_AUTH_TEST4 is NOT assigned to my user WANGJER, when the Open SQL is executed on the view, NO corresponding WHERE fragment for order type OPPT (as defined via that PFCG role) is appended.
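To make the two observations above (the OR between pfcg_auth aspects within Zjerry_Order_Dcl, and the OR between the two CDS roles, where an aspect whose PFCG authorization the user does not hold contributes nothing) reproducible offline, here is an added Python model of the evaluation; it is not SAP code and the table rows, PFCG role contents and the WHERE rendering are constructed approximations of what the post shows.

```python
# Constructed sample data modelled on the post: ZORDER with two rows.
ZORDER = [
    {"ORDER_ID": "1", "ORDER_TYPE": "SRVO"},
    {"ORDER_ID": "2", "ORDER_TYPE": "OPPT"},
]

# PFCG roles (constructed) -> authorizations on object ZJER_TYPE2.
PFCG_ROLES = {
    "ZJER_AUTH_TEST3": [{"ACTVT": {"01", "02"}, "PR_TYPE": {"SRVO"}}],
    "ZJER_AUTH_TEST4": [{"ACTVT": {"03"}, "PR_TYPE": {"OPPT"}}],
}

# CDS roles from the post: each is a list of pfcg_auth aspects joined by OR.
# Tuple: (auth object, auth field, mapped view field, required ACTVT).
CDS_ROLES = {
    "Zjerry_Order_Dcl": [("ZJER_TYPE2", "PR_TYPE", "ORDER_TYPE", "01"),
                         ("ZJER_TYPE2", "PR_TYPE", "ORDER_TYPE", "03")],
    "Zjerry_Order_Dcl2": [("ZJER_TYPE2", "PR_TYPE", "ORDER_TYPE", "03")],
}

def pfcg_auth_values(user_roles, obj, field, actvt):
    """Values of `field` the user holds on `obj` together with `actvt`.
    An empty set means the aspect fails, i.e. it contributes no fragment."""
    values = set()
    for role in user_roles:
        for auth in PFCG_ROLES.get(role, []):
            if actvt in auth["ACTVT"]:
                values |= auth[field]
    return values

def build_where(user_roles):
    """Access condition the database interface appends: one fragment per
    passing aspect, joined by OR across aspects and across CDS roles."""
    fragments = set()
    for rules in CDS_ROLES.values():                        # OR across roles
        for obj, auth_field, view_field, actvt in rules:    # OR across aspects
            allowed = pfcg_auth_values(user_roles, obj, auth_field, actvt)
            if allowed:                                     # failing aspect: nothing
                fragments.add((view_field, tuple(sorted(allowed))))
    return sorted(fragments)

def render_where(fragments):
    """Readable rendering of the appended condition (assumed format, not ST05's)."""
    if not fragments:
        return "1 = 0"   # no passing aspect: nothing is readable
    return " OR ".join(f"{f} IN ({', '.join(repr(v) for v in vals)})"
                       for f, vals in fragments)

def select_orders(user_roles):
    """SELECT * FROM zjerry_order with the access condition ANDed on implicitly."""
    where = build_where(user_roles)
    return [row for row in ZORDER if any(row[f] in vals for f, vals in where)]
```

With only ZJER_AUTH_TEST3 assigned, the '03' aspects of both CDS roles fail and only the SRVO row survives; assigning ZJER_AUTH_TEST4 as well makes the OPPT fragment appear and both rows are returned.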
4 Comments

  1. Scott Zheng

    Hi Jerry,

    Really appreciate your efforts for this wonderful blog, it is really helpful for the CDS learner, just like me. 🙂

    For the second example, I am a little confused. I think order type OPPT and SRVO should both be displayed

    Because in role ZJER_AUTH_TEST4, ACTVT = '03 - Display', Ord_type = 'OPPT' is maintained.


    And in DCL Zjerry_Order_Dcl & Zjerry_Order_Dcl2, ACTVT = '03' is also checked, and Ord_Type is transferred. I don't understand why Ord_type 'OPPT' was not in the Where Clause. Only 'SRVO' is transferred.


    Hope my question is clear and looking forward to your reply.


    Scott Zheng

    Best Regards

    1. Jerry Wang Post author

      Hello Scott,

      Thanks a lot for reading, I am also a beginner of CDS view as well. Per my observation, the automatic statement append will only occur until the PFCG role is assigned to the user who performs the SQL statement. In my example I only assign the PFCG role ZJER_AUTH_TEST3 which defines the limitation on order type SRVO. The role ZJER_AUTH_TEST4 for OPPT is not assigned to my user, which will finally lead to the behavior you have observed.

      Best regards,

      Jerry

      1. Scott Zheng

        Hi Jerry,


        Then my question is answered. Really appreciate your effort. Looking forward to your next blog.


        Thanks and have a nice day. 🙂

  2. hcl inc

    Hi Jerry,

    Amazing stuff. Appreciate your effort for summarizing CDS stuff in one place, really helpful for me.

    Amit.
