This functionality is not yet released and must not be used
ABAP CDS - Authorizations
ABAP CDS has its own authorization concept based on a data control language (DCL). The ABAP CDS authorization concept makes it possible to check the authorization of a user for the CDS entities of the ABAP CDS, as specified by the underlying data model. The only type of entity that can currently be checked in this way are the entities of CDS views.
The CDS authorization concept exists alongside the classic
authorization concept and can be used independently or in combination with the classic concept. The classic authorization concept is based on
The authorizations are either checked implicitly (such as when transactions are called) or explicitly
using the statement
- CDS roles
- Whether the CDS role is assigned to the current user.
- Whether the current user has the required authorizations.
SELECTdoes not read any data. If the first prerequisite is met, only that data is read for which an authorization exists.
- Mapping roles map CDS entities to classic authorization objects and are assigned to every user implicitly.
- Assignment roles are defined on the basis of the CDS data model. They enable checks called instance-based authorization checks that are based on the current data. Assignment roles must be assigned to a user explicitly by the user administrator (which is not currently possible).
- CDS aspects in CDS access policies
CDS roles and CDS access policies are defined in separate CDS source code. This CDS source code can only be edited in the ABAP Development Tools (ADT). When activated, the CDS roles and aspects are characterized as global internal objects in ABAP Dictionary, which can be accessed by Open SQL statements in all programs.
7.31 | 7.40 | 7.54
- It is advisable to continue to use the classic authorization concept for start authorizations (used to check whether a user can start an application in the first place). The CDS authorization concept can be used within an application to perform instance-based authorization checks (used to check the authorization of a user as defined by the data model and the data in question).
- When CDS entities are accessed using Open SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because a CDS authorization is missing.
An access condition can be defined for a CDS view of sales orders to allow users to display sales orders for companies located in a specific country only. Here, the country can be associated with the user master record of the current user using an aspect and extracted from the record as a default value.