ABAP CDS - Access Control
ABAP CDS enables access control based on a data control language (CDS DCL). Access control in ABAP CDS further restricts the data returned from a non-abstract CDS entity in ABAP CDS. CDS access control is based on the following aspects:
- CDS roles defined using the CDS DCL statement DEFINE ROLE. A CDS role is not assigned to individual users and is evaluated for every user instead.
- Access rules defined for CDS entities in a CDS role. Access rules can define conditions, but also provide free access. In a CDS role, access rules can be inherited from another rule.
- Access conditions defined in an access rule for the elements of CDS entities. Access conditions are based primarily on literal values, on classic authorizations of the current users, or on data from other CDS entities defined by a selection with the current user (generic aspects).
If a CDS role with access rules is defined for a non-abstract CDS entity, the access conditions are evaluated implicitly in each
ABAP SQL read, unless access
control is switched off using the value #NOT_ALLOWED for the annotation @AccessControl.authorizationCheck or using the addition
WITH PRIVILEGED ACCESS in the
FROM clause of an ABAP SQL query. If access control is enabled, only that data is read that meets the access conditions.
Every CDS role is defined in its own separate piece of DCL source code. These pieces of DCL source code can only be edited in the ABAP Development Tools (ADT). DCL source code can also be displayed in Repository Browser in ABAP Workbench. The DCL source code of a CDS role is edited in a different editor than DDL, DDLA, and DDLX source code. The ADT documentation describes how the different types of source code are created.
7.31 | 7.40 | 7.54
- CDS access control provides an additional method for checking authorizations in the
SAP authorization concept. Authorizations in the SAP authorization concept are based on
authorization objects and are granted in the classic role editor
(transaction PFCG). In classic authorization checks, the authorizations
are either checked implicitly (such as when transactions are called) or explicitly using the statement
AUTHORITY-CHECK. CDS access control expands these checks to include implicit evaluations of access conditions.
- It is advisable to continue to use classic authorization checks for start authorizations (used to check whether a user can start an application in the first place). CDS access control can be used within an application to perform authorization checks (used to check the authorization of a user as defined by the data model and the data in question).
- When CDS entities are accessed using ABAP SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because they are not allowed by CDS access control.
- CDS roles can be defined for CDS views, CDS hierarchies, transactional CDS projection views, and CDS table functions. Implicit access control is applied only when a CDS entity of the is type is accessed directly using ABAP SQL.
- When a CDS entity used as a data source in different CDS entities is accessed indirectly, no implicit access control is applied. This means the methods and CDS roles used to access CDS entities should be planned carefully when modeling an application. For example, access to CDS entities without associated CDS role can be wrapped in CDS views with associated roles.
- CDS access control does not work for cross-client access. This is why in ABAP SQL, the addition
USINGor the obsolete addition
CLIENT SPECIFIEDcan only be used when accessing CDS entities where access control is disabled.
- Access control can be switched off in the following ways:
- If access control is not applicable in general (for example because the unit in question is a technical unit), the annotation @AccessControl.authorizationCheck with the value #NOT_ALLOWED can be specified in its CDS data definition.
- If access control is not applicable only in specific places, the addition
WITH PRIVILEGED ACCESScan be used in the
FROMclause of an ABAP SQL query.
- Access control can be disabled for an entity (without making modifications) by creating a full access rule for the entity in a customer CDS role.
- A CDS entity can also be wrapped in another CDS entity for which access control is disabled.