Skip to content

ABAP Keyword Documentation →  ABAP Dictionary →  ABAP CDS in ABAP Dictionary →  ABAP CDS - Authorizations →  ABAP CDS - DCL Statements →  ABAP CDS - DEFINE ROLE →  ABAP CDS - DEFINE ROLE, condition 

This functionality is not yet released and must not be used

ABAP CDS - DEFINE ROLE, condition for Mapping Roles

Other versions: 7.31 | 7.40 | 7.54


... ( entity_field1 [, entity_field2 ...] ) = 
        ASPECT pfcg_auth
          ( object, mapped_field1 [, mapped_field2 ...]
              [, auth_field1 = 'value' [, auth_field2= 'value' ...]] ) ...


Condition of the WHERE clause of the statement DEFINE ROLE in the ABAP CDS DCL for mapping roles. A condition of this type consists of CDS fields of the CDS entity matched with a predefined aspect pfcg_auth using =. This aspect is mapped to a classic authorization object.

  • The CDS fields entity_field1, entity_field2, ... are specified in a comma-separated list in parentheses.
  • Information about the classic authorization object assigned to the current role must be specified in a parenthesized common-separated list after the predefined aspect pfcg_auth of an assignment role.
  • The name of the authorization object is defined in object.
  • mapped_field1, mapped_field2 are used to specify the names of the authorization fields of the authorization object that are mapped to the CDS fields in the specified order. The number of CDS fields must match the number of authorization fields.
  • Further optional authorization fields auth_field1, auth_field2 of the authorization object can be specified to which constant values can be mapped using =.

When an object is accessed using Open SQL, the condition checks the classic authorization of the current user automatically for the authorization object in question.


Within the definition of a role, conditions for mapping roles can be combined with literal conditions, but not with conditions for assignment roles.


The role demo_documents is defined as a mapping role using the annotation @MappingRole. The CDS fields targetLang and textType are mapped to the authorization fields TLANGUAGE and TRANOBJ of the classic authorization object S_TRANSLAT. The current user can access the data records of the CDS entity demo_translation for which he or she has the appropriate authorization for the authorization object. The user must also have authorization for the activity 02 of the authorization object.

@EndUserText.label: 'Role to view translation objects by language'
@MappingRole: 'true'
ROLE demo_documents {
   grant SELECT on demo_translation
      WHERE ( targetLang, textType ) = ASPECT pfcg_auth


The following mapping role associates the CDS view demo_cds_auth_pfcg with the authorization object S_CARRID.

@MappingRole: true
define role demo_cds_role {
  grant select on demo_cds_auth_pfcg
  where (carrid) =
  aspect pfcg_auth (s_carrid, carrid, actvt='01'); }

The CDS view is as follows:

@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
define view demo_cds_auth_pfcg    
as select from scarr { * };

The program DEMO_CDS_AUTH_PFCG accesses the view. The SELECT statement reads only the data for which the current user has authorization.