Access control in SAP HANA CDS views
In this Blog we will discuss access control feature provided for CDS views and how to restrict access to users depending on certain parameters/fields. This CDS view can then be used for Analytics/Reporting for example using BOBJ and utilizing the PFCG authorizations within SAP.
The following image captures a basic CDS view created with few fields from the central Simple Finance table ACDOCA. This CDS view was created using ABAP Development Tool in Eclipse. In reality this could be a very complex CDS view combining multiple views/CDS views/tables as data models and data can be restricted using CDS access control.
Here we are restricting user access to certain company codes only. After creation of the CDS view we wanted to restrict access using the new feature provided in SAP HANA, by using the Access Control feature for CDS views.
The screen shot below shows an example of how to create the access control.
We are defining a CDS role using the DCL statement DEFINE ROLE, to grant select access on the CDS view created, using a specific PFCG authorization object for display. Hence, this works in conjunction with the existing PFCG authorizations.
For example role below has the following authorizations:
This role is assigned to the users profile and restricts the data retuned by the CDS view. In this case, for example to return data for company codes N*.
It’s important to have the following annotation to restrict using DCL.
Once access control is created and enabled, only data that meets the conditions will be displayed. The generated SQL can be viewed using the log.
Above works perfect if we create ACL on CDS view .
I have few questions. Can we have additional Z ACL on standard CDS view . and can multiple roles work for base CDS view ?
Can anyone help ?