ABAP Keyword Documentation →  ABAP Dictionary →  ABAP CDS in ABAP Dictionary →  ABAP CDS - Authorizations →  ABAP CDS - DCL Statements →  ABAP CDS - DEFINE ROLE →  ABAP CDS - DEFINE ROLE, condition 

This functionality is not yet released and must not be used

ABAP CDS - DEFINE ROLE, condition for Assignment Roles

Other versions: 7.31 | 7.40 | 7.54

Syntax

... path_expr [operator ASPECT aspect_name] ...

Effect

Condition of the WHERE clause of the statement DEFINE ROLE in the ABAP CDS DCL for assignment roles. Such a condition consists of an attribute defined using an association with the CDS entity for which the condition is defined, in a path expression path_expr in DDL syntax. When an assignment role is assigned to a user in user administration, values are specified for the user that are valid for the attribute when the CDS entity is accessed using Open SQL.

Optionally, the attributes can be joined with an aspect aspect_name using a logical operator in a relational expression. The aspect is defined using the statement DEFINE ASPECT as part of an access policy. In this case, the default values defined in the aspect are generated when the role is assigned to a user in user administration.

If no aspect is specified, a user can use Open SQL to access the precise data in the CDS entity defined for him or her when the role was assigned. If an aspect is specified, the valid data can also be controlled by selecting the relational operator operator.

Notes

• The equals sign = is usually used for the operator too.

• Within the definition of a role, conditions for assignment roles can be combined with literal conditions, but not with conditions for mapping roles.

• The result of a path expression path_expr in DDL does not currently have quantity values. It is not possible to check whether a condition applies to all possible results. It is sufficient when the condition applies to the individual result.

• Assignment roles cannot yet be used, since there is currently no tool for assigning them to users.

Example

Example of an assignment role with a comparison with an aspect.

@EndUserText.label: 'Role to view sales orders by country'
ROLE demo_wd_by_country {
   grant SELECT on sacm_cds_snwd_so
      WHERE tocustomer.toaddress.country = ASPECT demo_by_country;}

A user assigned the role demo_wd_by_country can access all sales orders defined in the CDS entity sacm_cds_snwd_so for which the customer address is in a country defined by the aspect demo_by_country. A country specified using a DDL path expression is compared for equality with the aspect demo_by_country, which itself is defined as part of an access policy using DEFINE ASPECT:

ASPECT demo_by_country as SELECT FROM sacm_cds_snwd_ad { country }
  WHERE $User IN toemployee.login_name;

When a role is assigned to a user, Access Control Management (ACM) uses the association of the user name with the association toemployee of the field country in the view sacm_cds_snwd_ad to make an appropriate suggestion. When the CDS entity is accessed, ACM grants access to the sales orders for which the country of the customer matches the value entered by the administrator for the aspect demo_by_country.

Example

Example of an assignment role without a comparison with an aspect.

@EndUserText.label: 'Role to view sales orders by country'
ROLE demo_wd_by_prodcat {
  grant SELECT on sacm_cds_snwd_so WHERE toitems.toproduct.pd_cat; }

When the role is assigned to a user, a value or value range must be specified to determine which product categories are used to restrict the number of accessible sales orders. The user dependency is specified by the assignment between the role and the user and not, as in the previous example, by an attribute of the user.

Example

Example of an assignment role with a comparison with an aspect.

@EndUserText.label: 'Role to view SAP sales orders by country'
ROLE demo_filter_sap_country {
  grant SELECT on sacm_cds_snwd_so WHERE
  tocustomer[company_name='SAP AG'].toaddress[postal_code='69190'].country
       = ASPECT demo_by_country; }

Alongside the restriction of the role using the aspect demo_by_country, the path expression uses the association tocustomer to filter by the company name "SAP AG" and the association toaddress to filter by the postal code "69190".

Example

In some cases it is advisable to remove the aspect from the role and only filter by a fixed value, for example all sales orders with a specific postal code. This check is not dependent on the current user.

@EndUserText.label: 'Role to view SAP sales orders'
ROLE demo_filter_sap {
   grant SELECT on sacm_cds_snwd_so
   WHERE tocustomer[company_name='SAP AG'].toaddress[postal_code='69190']; }

Example

A further example of a role with a fixed value where sales orders are only displayed for customers with an address in the USA.

@EndUserText.label: 'Role to view sales orders for US customers'
ROLE ZDEMO_FILTER_SAP {
   grant SELECT on sacm_cds_snwd_so
      WHERE tocustomer.toaddress.country = 'US'; }