How to use CDS Access Control (Authorization Object Check in CDS Views)
In this blog post we will be seeing how we can use Access Controls in CDS Views or Authorization Objects in CDS Views.
Authorization Objects or Access Controls are used to limit users and provide users only required and needed Information based on there work profile/role.
SAP Access control in ABAP CDS restricts the data returned from a CDS entity view in ABAP CDS.
SAP Access Control provides an additional method for checking authorizations in the SAP authorization concept.
Scenario : We want to show specific Airline data to user, we will be restricting User with help of Access Control to see only data about specific Airline and not all Airlines.
Step by Step Guide to Create and Use SAP ABAP CDS Access Control
Step 1 Create Access Control
Provide name to Access Control and click on Next
There are various templates available to create Access Control. In this demo we are going to use most common used template “Define Role with PFCG”. This template needs one PFCG Role to be created and that role will be assigned to user.
Select template and click on Finish.
Once click on Finish button, we get the template created.
We have already created Role and Authorization Object in system with name ZSPFLI_AUT with Activity 03 (Display)
Step 2 Create Role and Maintain Authorization Object
Authorization Object Created
Step 3 Update AccessControl annotation to #CHECK
To allow CDS View to access Authorization Object or Access Control we need to add below line in our CDS View
Set value of authorizationCheck annotation to #CHECK. If we do not make change to this annotation to #CHECK Access Control will not be trigger
We want to apply Access Control on CDS View Z_C_MDE_SFLIGHT which returns Flight details.
Step 4 Make changes to generated Access Control Template
Now after making changes to generated template we got below Access Control completed, where we are reading data from CDS View Z_C_MDE_SFLIGHT
Step 5 Execute CDS View
We are only getting Singapore Airlines records which are based on our Access Control
If we change @AccessControl.authorizationCheck: #NOT _ALLOWED
Even if Access Control is applied on CDS View, Authorization check will not be triggered.
Again preview data, we are getting all records for all Airlines.
Advantage of using Access control:
- There is no need to modify any CDS View if we have different cases for access.
- We can easily use existing Role and Authorization Objects and no need to create new one.
- Data level restrictions can be applied along with Role based check easily.