
This functionality is not yet released and must not be used




[@EndUserText.label: '...'] 
[@MappingRole: true|false]
[DEFINE] ROLE role_name {
   GRANT SELECT ON cds_entity [WHERE condition [AND|OR condition] ...];
  [GRANT SELECT ON cds_entity ...;]
    ... }


In CDS source code, defines a CDS role called role_name that specifies how CDS entities are accessed. Optional annotations can be specified before the actual definition of the role in DEFINE ROLE:

  • The annotation @EndUserText.label makes it possible to create a short description of the role.

A CDS role associates one or more CDS entities cds_entity with user-specific access conditions condition in rules introduced using GRANT SELECT ON. Currently, CDS entities of CDS views defined using DEFINE VIEW can be specified for cds_entity. If a CDS entity is specified in the definition of a role, the access condition is checked implicitly whenever the CDS entity is accessed using Open SQL. In SELECT reads, conditions are implicitly added to the statement that restrict the results set to the entries that meet the access condition for the current user. If the current user does not have an assigned role, no data is read.

At least one rule introduced using GRANT SELECT ON must be specified within the curly brackets. Multiple rules are separated using a semicolon (;). Each rule defines how the specified CDS entity cds_entity is compared with user-specific values when the entity is accessed using Open SQL with the aim of preventing access to all values for which there is no authorization. The various rules of a role are joined using a logical "or".

The rules are defined using an optional WHERE clause. If no WHERE clause is specified, any user to which the role is assigned has unrestricted access to the CDS entity. The condition of each WHERE clause can consist of subconditions condition joined using the operators AND or OR. Here, AND binds more strongly than OR. Subconditions can be placed in parentheses, ( ), explicitly.

The conditions condition of the WHERE clauses are determined by the type of role in question. There are two types of roles:

  • Mapping roles
A mapping role is defined by specifying the value true for the annotation @MappingRole. It maps authorization-relevant attributes of CDS to the classic authorization objects in AS ABAP. Mapping roles enable the user administrator to reuse any classic authorization assigned to a user. A mapping role is assigned to every user automatically, independently of the client. The CDS authorizations of the user are then determined by the classic roles of the user.
  • Assignment roles based on the CDS data model
An assignment role is defined by specifying the default value false for the annotation @MappingRole. The role can be constructed in full in the CDS data model. Unlike mapping roles, these roles depend on the data defined by the user administrator when the role is assigned to a user. Currently, however, SAP does not provide a tool for assigning an assignment role to users.


  • The WHERE clause of the DCL provides options that are not supported by the DDL:

      • Mapping roles have proprietary syntax.

      • Assignment roles support a syntax that would be incomplete in the DDL.

  • Separate CDS source code must be created for each CDS role. The CDS source code of a CDS role is edited in a different editor from the CDS source code of a CDS view. The ADT documentation describes how the different types of source code are created.


The following assignment role demo_role grants unrestricted access to the entity sacm_cds_snwd_so of a CDS view. Any user to which this role is assigned has unrestricted access to this view.

@EndUserText.label: 'Role to view sales orders'
ROLE demo_role {
   GRANT SELECT ON sacm_cds_snwd_so; }
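
Because a rule without a WHERE clause grants unrestricted access, and the rules of a role are joined with a logical "or", it is worth auditing DCL source for such rules. The following Python check is an added example, not part of the SAP documentation: it parses the DEFINE ROLE syntax shown above, treats conditions as opaque text, and assumes the source contains no comments. The role demo_role_2, the entity demo_entity_a and the conditions cond_a and cond_b are constructed placeholders.

```python
import re

# Constructed sample: the page's demo_role plus a hypothetical demo_role_2.
# cond_a / cond_b are opaque placeholders, not real DCL condition syntax.
SAMPLE_DCL = """
@EndUserText.label: 'Role to view sales orders'
ROLE demo_role {
   GRANT SELECT ON sacm_cds_snwd_so; }

@EndUserText.label: 'Constructed role; for illustration'
@MappingRole: false
DEFINE ROLE demo_role_2 {
   GRANT SELECT ON demo_entity_a WHERE cond_a AND cond_b;
   GRANT SELECT ON demo_entity_a; }
"""

ROLE_RE = re.compile(r"(?:\bDEFINE\s+)?\bROLE\s+(\w+)\s*\{(.*?)\}", re.I | re.S)
RULE_RE = re.compile(r"GRANT\s+SELECT\s+ON\s+([\w/]+)(?:\s+WHERE\s+(.+))?$", re.I | re.S)

def parse_roles(source):
    """Return {role_name: [(entity, where_text or None), ...]}."""
    # Blank string literals so a ';' or '}' inside them cannot split a rule.
    source = re.sub(r"'[^']*'", "''", source)
    roles = {}
    for name, body in ROLE_RE.findall(source):
        rules = []
        for stmt in body.split(";"):          # rules are separated by ';'
            m = RULE_RE.match(stmt.strip())
            if m:
                where = m.group(2).strip() if m.group(2) else None
                rules.append((m.group(1).lower(), where))
        roles[name] = rules
    return roles

def unrestricted_grants(source):
    """(role, entity) pairs whose rule has no WHERE clause."""
    return [(role, entity) for role, rules in parse_roles(source).items()
            for entity, where in rules if where is None]

def shadowed_conditions(source):
    """(role, entity) pairs where a WHERE rule is ORed with an unconditioned rule."""
    hits = []
    for role, rules in parse_roles(source).items():
        open_entities = {e for e, w in rules if w is None}
        hits += [(role, e) for e, w in rules if w is not None and e in open_entities]
    return hits

if __name__ == "__main__":
    print("unrestricted:", unrestricted_grants(SAMPLE_DCL))
    print("shadowed:    ", shadowed_conditions(SAMPLE_DCL))
```

For the constructed sample, both roles are reported as granting unrestricted access, and the WHERE condition in demo_role_2 is reported as having no effect because the second rule for the same entity carries no condition.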

