Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to reuse access control from a released SAP CDS entity in ABAP Cloud?

Andre_Fischer
Product and Topic Expert
Product and Topic Expert
‎02-28-2024 2:14 PM

Introduction

When you want to reuse the access control settings from a released SAP CDS entity such as I_BUSINESSUSERBASIC in ABAP Cloud (e.g in SAP BTP ABAP Environment or in a software component in an SAP S/4HANA on prem or private cloud system that uses software components with ABAP Cloud) you might try the following DCL source code:

 

 

@EndUserText.label: 'Test DCL inheritence'
@MappingRole: true
define role ZI_BUSINESSUSERBASIC_NOTWORK {
grant
select
on
ZI_BUSINESSUSERBASIC
where
INHERITING CONDITIONS FROM ENTITY I_BUSINESSUSERBASIC;
}

 

 

 

This however would cause the following error message:

The use of inheritance is restricted in this language version

The reason is that the reuse of access control requires a special syntax.

the use of 2.png

 

Solution

In order to reuse the access controll settings of a base entity that has been released by SAP you have to equip your custom code entity with a [1..1] association _toBaseEntity that points back to the base entity.

 

 

 

@AccessControl.authorizationCheck: #MANDATORY
@EndUserText.label: 'test dcl inheritence'
define view entity ZI_BusinessUserBasic
as select from I_BusinessUserBasic

association [1..1] to I_BusinessUserBasic as _toBaseEntity on $projection.BusinessPartner = _toBaseEntity.BusinessPartner

{
key BusinessPartner,
BusinessPartnerUUID,
LastName,
FirstName,
PersonFullName,
FormOfAddress,
AcademicTitle,
AcademicSecondTitle,
CorrespondenceLanguage,
MiddleName,
AdditionalLastName,
BirthName,
NickName,
Initials,
LastNamePrefix,
LastNameSecondPrefix,
NameSupplement,
UserID,
IsMarkedForArchiving,
BusinessPartnerIsBlocked,
CreatedByUser,
CreationDate,
CreationTime,
LastChangedByUser,
LastChangeDate,
LastChangeTime,
IsBusinessPurposeCompleted,
AuthorizationGroup,
DataControllerSet,
DataController1,
DataController2,
DataController3,
DataController4,
DataController5,
DataController6,
DataController7,
DataController8,
DataController9,
DataController10,
/* Associations */
_BusinessPartnerExternalID,
_BusinessPartnerRole,
_User,
_WorkplaceAddress,
_toBaseEntity
}

 

 

 

In addition you have to use the following syntax in your DCL.

The statement 

 

 

 

REPLACING { ROOT WITH _toBaseEntity }

 

 

 

makes sure that inheritence will still work even if SAP would add additional authorization checks in the where clause of the DCL that protects the released base entity I_BusinessUserBasic.

Though the syntax seems to be not self explaining at a first glance it is straight forward to simply create the above mentioned [1..1] association to the based entity.

 

 

 

 

@EndUserText.label: 'Test DCL inheritence'
@MappingRole: true
define role ZACL_ZI_BUSINESSUSERBASIC {
    grant
        select
            on
                ZI_BUSINESSUSERBASIC
                    where             
                        INHERITING CONDITIONS FROM ENTITY I_BUSINESSUSERBASIC
                         REPLACING { ROOT WITH _toBaseEntity }                         
                         // AND ...    to make it more restricive                         
                         // OR ....   to widen access for additional autorizations 
                         ;
                        
}

 

 

 

Hope this helps when you run into this issue.   

 

 

 

 

 

Labels in this area
Popular Blog Posts