This functionality is not yet released and must not be used
ABAP CDS - DEFINE ROLE
Syntax
[@EndUserText.label: '...']
[@MappingRole: true|false]
[@role_annot1]
[@role_annot2]
...
[DEFINE] ROLE role_name {
GRANT SELECT ON cds_entity [WHERE condition [AND|OR condition] ...];
[GRANT SELECT ON cds_entity ...;]
... }
Effect
In CDS source code, defines a CDS role called role_name that specifies how CDS entities are accessed. Optional annotations can be specified before the actual definition of the role in DEFINE ROLE:
- The annotation @EndUserText.label makes it possible to create a short description of the role.
- The annotation @MappingRole is used to specify whether the role is a mapping role or an assignment role.
- Self-defined annotations @role_annot1, @role_annot2, ... can be used to enrich the role with custom information.
A CDS role associates one or more CDS entities cds_entity with user-specific access conditions condition in rules introduced using GRANT SELECT ON. Currently, CDS entities of CDS views defined using DEFINE VIEW can be specified for cds_entity.
If a CDS entity is specified in the definition of a role, the access condition is checked implicitly whenever the CDS entity is accessed using Open SQL. In SELECT statements, conditions are added implicitly that restrict the result set to the entries that meet the access condition for the current user. If the current user does not have an assigned role, no data is read.
At least one rule introduced using GRANT SELECT ON must be specified within the curly brackets. Multiple rules are separated using a semicolon (;). Each rule defines how the specified CDS entity cds_entity is compared with user-specific values when the entity is accessed using Open SQL with the aim of preventing access to all values for which there is no authorization. The various rules of a role are joined using a logical "or".
The rules are defined using an optional WHERE clause. If no WHERE clause is specified, any user to which the role is assigned has unrestricted access to the CDS entity. The condition of each WHERE clause can consist of subconditions condition joined using the operators AND or OR. Here, AND binds more strongly than OR. Subconditions can be placed in parentheses, ( ), explicitly to override this precedence.
The conditions condition of the WHERE clauses are determined by the type of role in question. There are two types of roles:
- Mapping roles that map CDS entities to classic authorizations.
- Assignment roles that are based on the CDS data model.
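To make the evaluation rules above concrete, the following added example (not SAP code, and not a DCL implementation) models the described semantics over an in-memory table: rules of a role are joined with OR, a GRANT SELECT without WHERE grants unrestricted access, AND binds more strongly than OR unless parentheses say otherwise, and a user without an assigned role reads no data. The condition syntax its small parser accepts (field = 'literal', AND, OR, parentheses), the sample sales-order rows, the role names and the users are all assumptions constructed for the example; the page does not define them.

```python
# Added example (not SAP code): a toy model of the CDS role semantics on this
# page. The condition grammar, roles, users and rows are constructed here.
import re
from typing import Callable, Dict, List, Optional, Tuple

Row = Dict[str, str]
Pred = Callable[[Row], bool]

# One token per match: parentheses, '=', the keywords AND/OR, a quoted literal,
# or an identifier (field name).
_TOKEN = re.compile(r"\s*(\(|\)|=|AND\b|OR\b|'[^']*'|[A-Za-z_]\w*)", re.I)


def tokenize(text: str) -> List[str]:
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad condition near: {text[pos:pos + 10]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def _and(l: Pred, r: Pred) -> Pred:
    return lambda row: l(row) and r(row)


def _or(l: Pred, r: Pred) -> Pred:
    return lambda row: l(row) or r(row)


class ConditionParser:
    """Recursive descent with AND binding tighter than OR:
    or_expr := and_expr (OR and_expr)*; and_expr := primary (AND primary)*;
    primary := '(' or_expr ')' | field = 'literal'."""

    def __init__(self, text: str):
        self.toks, self.i = tokenize(text), 0

    def _peek(self) -> str:
        return self.toks[self.i].upper() if self.i < len(self.toks) else ""

    def _take(self) -> str:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of condition")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self) -> Pred:
        pred = self._or_expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected token " + self.toks[self.i])
        return pred

    def _or_expr(self) -> Pred:
        left = self._and_expr()
        while self._peek() == "OR":
            self._take()
            left = _or(left, self._and_expr())
        return left

    def _and_expr(self) -> Pred:
        left = self._primary()
        while self._peek() == "AND":
            self._take()
            left = _and(left, self._primary())
        return left

    def _primary(self) -> Pred:
        tok = self._take()
        if tok == "(":
            inner = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return inner
        if not tok.isidentifier() or self._take() != "=":
            raise ValueError("expected: field = 'value'")
        lit = self._take()
        if len(lit) < 2 or lit[0] != "'" or lit[-1] != "'":
            raise ValueError("expected quoted literal")
        field, value = tok, lit[1:-1]
        return lambda row: row.get(field) == value


class Role:
    """A CDS role: rules of (cds_entity, condition text or None for no WHERE)."""

    def __init__(self, name: str, rules: List[Tuple[str, Optional[str]]]):
        self.name = name
        self.rules = [(e, ConditionParser(c).parse() if c else None) for e, c in rules]


def effective_filter(roles: List[Role], entity: str) -> Optional[Pred]:
    """OR together every rule for `entity`; None means no rule applies, so no
    data is read. ORing rules across several assigned roles is an assumption
    of this model; the page states it only for the rules within one role."""
    preds: List[Pred] = []
    for role in roles:
        for rule_entity, pred in role.rules:
            if rule_entity == entity:
                if pred is None:  # GRANT SELECT without WHERE: unrestricted
                    return lambda row: True
                preds.append(pred)
    return (lambda row: any(p(row) for p in preds)) if preds else None


def select(entity: str, rows: List[Row], user: str,
           assignments: Dict[str, List[str]], roles: Dict[str, Role]) -> List[Row]:
    """Model of an Open SQL SELECT on a CDS entity with the implicit DCL filter."""
    flt = effective_filter([roles[n] for n in assignments.get(user, [])], entity)
    return [] if flt is None else [row for row in rows if flt(row)]


# Constructed sample data: entity name as on the page, rows and roles invented.
ENTITY = "sacm_cds_snwd_so"
SALES_ORDERS: List[Row] = [
    {"so_id": "1", "country": "DE", "status": "OPEN"},
    {"so_id": "2", "country": "DE", "status": "CLOSED"},
    {"so_id": "3", "country": "FR", "status": "OPEN"},
    {"so_id": "4", "country": "US", "status": "CLOSED"},
]
ROLES = {
    "demo_role": Role("demo_role", [(ENTITY, None)]),  # no WHERE: unrestricted
    "de_open_or_fr": Role("de_open_or_fr",             # (DE AND OPEN) OR FR
                          [(ENTITY, "country = 'DE' AND status = 'OPEN' OR country = 'FR'")]),
    "de_and_paren": Role("de_and_paren",               # DE AND (OPEN OR FR)
                         [(ENTITY, "country = 'DE' AND (status = 'OPEN' OR country = 'FR')")]),
    "two_rules": Role("two_rules",                     # two rules joined with OR
                      [(ENTITY, "country = 'DE'"), (ENTITY, "status = 'CLOSED'")]),
}
ASSIGNMENTS = {"alice": ["demo_role"], "bob": ["de_open_or_fr"],
               "carol": ["de_and_paren"], "dan": ["two_rules"]}  # "eve": no role


def visible_ids(user: str) -> List[str]:
    """so_id values the given user would get back from a SELECT on ENTITY."""
    return [r["so_id"] for r in select(ENTITY, SALES_ORDERS, user, ASSIGNMENTS, ROLES)]


if __name__ == "__main__":
    for user in ["alice", "bob", "carol", "dan", "eve"]:
        print(f"{user:6} -> {visible_ids(user)}")
```

Running the block prints one line per user; the difference between bob and carol is the precedence point the page makes (AND before OR, parentheses override), dan shows two rules in one role being ORed, and eve, who has no role, gets an empty result rather than an error.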
Notes
- The WHERE clause of the DCL provides options that are not supported by the DDL:
- Mapping roles have proprietary syntax.
- Assignment roles support a syntax that would be incomplete in the DDL.
- Separate CDS source code must be created for each CDS role. The CDS source code of a CDS role is edited in a different editor from the CDS source code of a CDS view. The ADT documentation describes how the different types of source code are created.
Example
The following assignment role demo_role grants unrestricted access to the entity sacm_cds_snwd_so of a CDS view. Any user to which this role is assigned has unrestricted access to this view.
@EndUserText.label: 'Role to view sales orders'
ROLE demo_role {
  // No WHERE clause: every user assigned this role reads all rows of the entity
  GRANT SELECT ON sacm_cds_snwd_so;
}