This functionality is not yet released and must not be used

ABAP CDS - Authorizations

ABAP CDS has its own authorization concept based on a data control language (DCL). The ABAP CDS authorization concept makes it possible to check the authorization of a user for the CDS entities of ABAP CDS, as specified by the underlying data model. Currently, the only type of entity that can be checked in this way is the CDS view.

The CDS authorization concept exists alongside the classic authorization concept and can be used independently or in combination with the classic concept. The classic authorization concept is based on authorization objects. The authorizations are either checked implicitly (such as when transactions are called) or explicitly using the statement AUTHORITY-CHECK.

The CDS authorization concept is based on implicit authorization checks performed when a CDS entity is accessed using Open SQL. The following objects can be defined here:

  • CDS roles
    A CDS role is defined in separate CDS source code for a CDS entity using the DCL statement DEFINE ROLE. If a CDS role is defined for a CDS entity, the following is checked when the CDS entity is accessed using Open SQL:
      • Whether the CDS role is assigned to the current user.
      • Whether the current user has the required authorizations.
    If the first prerequisite is not met, SELECT does not read any data. If the first prerequisite is met, only that data is read for which an authorization exists.
    There are two types of CDS role, defined using an annotation:
      • Mapping roles map CDS entities to classic authorization objects and are assigned to every user implicitly.
      • Assignment roles are defined on the basis of the CDS data model. They enable checks called instance-based authorization checks that are based on the current data. Assignment roles must be assigned to a user explicitly by the user administrator (which is not currently possible).
  • CDS aspects in CDS access policies
    The DCL statement DEFINE ASPECT is used to define a CDS aspect as part of a CDS access policy (itself defined using DEFINE ACCESSPOLICY) in its CDS source code. An aspect represents a variant of a view of the data in the data model that associates user names with permitted values. The definition of an aspect creates a rule for this view. In the definition of assignment roles, aspects can be specified as comparison values for a value in the data model. The authorization check compares this value with the value of the aspect for the current user. The value of the aspect is defined when an assignment role is assigned to a user. Here, a SELECT statement can be specified for a default value in the definition of the aspect. Aspects and access policies are not currently implemented, since there is no tool available for assigning assignment roles.

CDS roles and CDS access policies are defined in separate CDS source code. This CDS source code can only be edited in the ABAP Development Tools (ADT). When activated, the CDS roles and aspects are characterized as global internal objects in ABAP Dictionary, which can be accessed by Open SQL statements in all programs.


Notes

  • It is advisable to continue to use the classic authorization concept for start authorizations (used to check whether a user can start an application in the first place). The CDS authorization concept can be used within an application to perform instance-based authorization checks (used to check the authorization of a user as defined by the data model and the data in question).

  • When CDS entities are accessed using Open SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because a CDS authorization is missing.

  • The CDS source code of a CDS role or a CDS access policy is edited in a different editor from the CDS source code of a CDS view. The ADT documentation describes how the different types of source code are created.

Example

An access condition can be defined for a CDS view of sales orders to allow users to display sales orders for companies located in a specific country only. Here, the country can be associated with the user master record of the current user using an aspect and extracted from the record as a default value.
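
The check described above can be modeled outside the ABAP system. The following Python sketch is an added illustration, not ABAP or DCL source code and not part of the original documentation; the sample orders, user master records, user names, and the names `AssignmentRole`, `country_aspect`, and `select` are all constructed for the example. It reproduces the two-step check for an assignment role on a sales order view and shows that a caller cannot tell missing data from a missing authorization.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample data: rows of a sales order view and user master records.
SALES_ORDERS = [
    {"order": 1, "company": "ACME", "country": "DE"},
    {"order": 2, "company": "Globex", "country": "US"},
    {"order": 3, "company": "Initech", "country": "DE"},
]
USER_MASTER = {
    "ANNA": {"country": "DE"},
    "BOB": {"country": "FR"},
    "CARL": {"country": "US"},
}


def country_aspect(user: str) -> set:
    """Aspect: associates a user name with permitted values.
    The default value is taken from the user master record."""
    record = USER_MASTER.get(user)
    return {record["country"]} if record else set()


@dataclass
class AssignmentRole:
    """Hypothetical model of an assignment role with one access condition."""
    element: str                   # view element compared with the aspect
    aspect: Callable[[str], set]   # comparison values for the current user
    assigned_to: set = field(default_factory=set)


def select(rows: list, role: AssignmentRole, user: str) -> list:
    """Model of the implicit check performed when the view is read."""
    # Prerequisite 1: the role is assigned to the current user.
    if user not in role.assigned_to:
        return []                  # no data is read at all
    # Prerequisite 2: only rows the user is authorized for are read.
    permitted = role.aspect(user)
    return [row for row in rows if row[role.element] in permitted]


# CARL exists in the user master but has not been assigned the role.
ROLE = AssignmentRole("country", country_aspect, {"ANNA", "BOB"})

if __name__ == "__main__":
    for name in ("ANNA", "BOB", "CARL"):
        print(name, [row["order"] for row in select(SALES_ORDERS, ROLE, name)])
```

BOB (role assigned, no order in his country) and CARL (role not assigned) both receive an empty result, which is also what a read of an empty view returns.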
