ABAP CDS - DEFINE ROLE, conditional_rule

Syntax


GRANT SELECT ON cds_entity 
    [COMBINATION MODE OR | COMBINATION MODE AND | REDEFINITION]
    WHERE cond_expr;

Effect

Conditional access rule in the statement DEFINE ROLE of the CDS DCL. A conditional access rule GRANT SELECT ON with the addition WHERE restricts access to a CDS entity cds_entity using access conditions cond_expr.

A single CDS entity can be specified in multiple access rules of a CDS role and multiple CDS roles can contain access rules for a single CDS entity.

If a CDS entity is specified in multiple access rules of a CDS role or in multiple CDS roles, the resulting access conditions are joined using the method specified by the addition COMBINATION MODE.

Addition 1

... WHERE

A WHERE clause is used to define an access condition cond_expr for the CDS entity cds_entity. When a CDS entity is accessed using ABAP SQL and an access rule is defined for this entity in a role, the access conditions are evaluated implicitly and the selection is restricted accordingly: for every SELECT read, the access condition is added with a logical "and" to the selection condition of the statement passed to the database by the database interface.

Addition 2

... COMBINATION MODE AND|OR

The optional addition COMBINATION MODE AND|OR can be used to define how the access conditions of multiple access rules for the same CDS entity cds_entity are combined. This addition can be applied regardless of whether other access rules already exist for the CDS entity.

COMBINATION MODE OR joins the access conditions using the logical operator "or". Access rules created with this mode make the restrictions weaker.

COMBINATION MODE AND joins the current access rule with the other access rules using the logical operator "and". This makes the restrictions stronger.

If multiple access rules with the combination methods "AND" (cond_and_1, cond_and_2, ...), and "OR" (cond_or_1, cond_or_2, ...) exist, the following expression produces the full condition:

( cond_or_1 OR cond_or_2 OR ... ) AND cond_and_1 AND cond_and_2 AND ...

However, a full access rule overrides the construction above: the end result is a full access rule, even if there are rules with the mode COMBINATION MODE AND.

The following applies to the addition COMBINATION MODE OR:

  • The addition COMBINATION MODE OR does not need to be specified explicitly. If there are multiple access rules for a CDS entity, they are joined implicitly using the logical operator "or". For reasons of consistency, however, the addition COMBINATION MODE OR is recommended.
  • Any existing access controls without the explicit addition COMBINATION MODE OR are valid.

Addition 3

... REDEFINITION

The optional addition REDEFINITION indicates that the access rule in question is the only existing access rule for the CDS entity and that any other access rules are ignored. The addition makes it possible for customers and partners to replace all access rules delivered by SAP for a CDS entity with their own access rules without making modifications. The language element INHERITING CONDITIONS FROM SUPER can, however, be used to incorporate conditions delivered by SAP in customer or partner access rules.

The following applies to the addition REDEFINITION:

  • This addition can be used in customer systems only. SAP does not deliver access rules of this type.
  • The addition can also be applied if there are no other access rules for an entity. It ensures that the conditions defined here are not disabled by any later access rules.
  • The addition can be used for a maximum of one access rule for a CDS entity. If used more than once, an activation error or import error occurs.
  • This addition also disables existing full access rules for a CDS entity. SAP does not deliver full access rules, which means that this statement applies only to customer full access rules that are themselves overridden by customer REDEFINITION rules.
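
The combination logic described under Addition 2 and Addition 3, modeled in Python as an added example for reviewing the effective condition of several rules (it is not part of the SAP documentation and not an SAP API). The Rule class, the role names and the literal conditions are hypothetical; a full access rule is modeled as a rule without a condition, and leaving out the OR group when no OR rule exists is an assumption of this model.

```python
from dataclasses import dataclass
from typing import List, Optional

MODES = {"OR", "AND", "REDEFINITION"}


@dataclass
class Rule:
    role: str                   # CDS role that contains the rule (hypothetical names)
    mode: str = "OR"            # "OR" is also the implicit default
    cond: Optional[str] = None  # WHERE condition; None models a full access rule


def effective_condition(rules: List[Rule]) -> Optional[str]:
    """Combine all access rules of one CDS entity; None means unrestricted access."""
    if not rules or any(r.mode not in MODES for r in rules):
        raise ValueError("need at least one rule, each with a known mode")
    redef = [r for r in rules if r.mode == "REDEFINITION"]
    if len(redef) > 1:
        # More than one REDEFINITION rule is an activation or import error.
        raise ValueError("REDEFINITION used in more than one access rule")
    if redef:
        # REDEFINITION: every other rule is ignored, full access rules included.
        return redef[0].cond
    if any(r.cond is None for r in rules):
        # A full access rule wins even over COMBINATION MODE AND rules.
        return None
    ors = [r.cond for r in rules if r.mode == "OR"]
    ands = [r.cond for r in rules if r.mode == "AND"]
    # ( cond_or_1 OR cond_or_2 OR ... ) AND cond_and_1 AND cond_and_2 AND ...
    # Assumption of this model: the OR group is omitted when there is no OR rule.
    parts = (["( " + " OR ".join(ors) + " )"] if ors else []) + ands
    return " AND ".join(parts)


# Constructed sample rules for the view demo_cds_auth_lit_pfcg.
SAMPLE = [
    Rule("z_role_lh", "OR", "carrid = 'LH'"),
    Rule("z_role_aa", "OR", "carrid = 'AA'"),
    Rule("z_role_eur", "AND", "currcode = 'EUR'"),
]

if __name__ == "__main__":
    full = Rule("z_role_full")
    redef = Rule("z_role_redef", "REDEFINITION", "carrid = 'LH'")
    print(effective_condition(SAMPLE))
    print(effective_condition(SAMPLE + [full]))
    print(effective_condition(SAMPLE + [full, redef]))
```
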


Note

No abstract CDS entities can be specified for cds_entity.


Example

The following CDS role defines an access condition for the CDS view demo_cds_auth_lit_pfcg in an access rule. Both a PFCG condition for the authorization object S_CARRID and a literal condition for the currency field are specified.

@MappingRole: true
define role demo_cds_role_lit_pfcg {
  grant select on demo_cds_auth_lit_pfcg
  where (carrid) =
  aspect pfcg_auth (s_carrid, carrid, actvt='03') and
         currcode = 'EUR'; }

The CDS view is as follows:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
  as select from scarr
{
  key carrid,
      carrname,
      currcode,
      url
};

The program DEMO_CDS_AUTH_LIT_PFCG uses SELECT to access the view. CDS access control limits selections to that data for which the current user has an authorization (in the classic role editor in transaction PFCG) and that meets the literal condition.