Skip to Content
Technical Articles

ABAP CDS – Security Considerations

Introduction:

Helping a client in the process of leveraging existing solutions, we are reviews the security approach to ABAP CDS views.

In this particular project we are using CDS Views as the Data Foundation for custom SAPUI5 Applications, and as the original security roles were based only on PFCG a new approach was necessary to make sure the security around the data access is maintainable, auditable and consistent with the existing standard authorizations.

 

Data Flow Review:

All the data exchange between the UI5 App and the Backend NW Stack is done via OData service. This OData service, by its time, executes all the Reading commands via a Data Mapping from each entity to a CDS View. This can be found in the SEGW implementation of each entity.

The CDS Views are reading ABAP External Views of HANA Modelling Views, and all the process can be described in this diagram:

 

New Access Control File:

In order to apply those guidelines, we created a new DCL file linking the view (ZCDS_VIEW_NAME) fields (auth_group and plant) to existing objects of PFCG roles, as we can observe below:

@EndUserText.label: 'Z_CDS_ROLE' 
@MappingRole: true 
define role Z_cds_role_file { 
    grant 
        select 
            on 
                ZCDS_VIEW_NAME 
                    where 
                        ( auth_group ) = aspect pfcg_auth( I_BEGRP, BEGRP,  TCD = 'IW33')
                        and ( plant) = aspect pfcg_auth( I_SWERK, SWERK,  TCD = 'IW33');
}

With this, any given user should have this objects assigned in order to have access via the Odata service. This role can be overruled in the same fashion of ABAP Authority-check’s, so a user with SAP_ALL, for example, will have access to all records in this view.

 

Impact on the Security:

Considering this Data Flow, SAP recommendations are to link the Access Control directly to the CDS Application layer, making the security to behave like below:

As we are pointing to standard objects already in use by PFCG roles, there shouldn’t be any impact on the BAU maintenance or auditability. But looking forward, this model is completely aligned with the S4HANA Best Practices.

 

Impact on the performance:

As this particular client runs on SAP HANA, performance will be increased, as the security roles will be processed in a lower and faster layer. As explain above, the NetWeaver stack replaces the ABAP OpenSQL statement adding a where clause to filter the allowed records, with decreases the I/O flow and the process flow in the NW stack when in comparison with the tradition method when all the records are retrieved from the Database and then processed one-by-one in the NW Stack.

On non-HANA Databases, I have yet to measure how it performs, would appreciate if anyone with that experience could share the results in the comments.

Cheers!

 

More information around these objects can be found on below link:

https://help.sap.com/doc/abapdocu_750_index_htm/7.50/en-US/index.htm?file=abencds_authorizations.htm

 

And more information about best practices moving towards the S4 HANA Programming Model can be found here:

https://blogs.sap.com/2017/12/07/be-prepared-for-the-new-abap-programming-model-in-sap-s4hana/

1 Comment
You must be Logged on to comment or reply to a post.