ABAP Keyword Documentation → ABAP - Dictionary → ABAP CDS in ABAP Dictionary → ABAP CDS - Access Control → ABAP CDS - DCL Statements → ABAP CDS - DEFINE ROLE
ABAP CDS - DEFINE ROLE, condition
Other versions:
7.31 | 7.40 | 7.54
Syntax
... literal_condition
| pfcg_condition
| aspect_condition
| user_condition
| inherit_condition
| TRUE
| FALSE
| VOID ...
Effect
Part of an access condition cond_expr in an access rule of the statement DEFINE ROLE in CDS DCL. The following categories of conditions can be specified, which can be combined using AND or OR:
- Literal conditions literal_condition that compare an element of a CDS entity with fixed values.
- PFCG conditions pfcg_condition that associate an element of a CDS entity with authorizations in the SAP authorization concept (which are based on authorization objects).
- Generic aspects aspect_condition that join elements in a CDS entity with value sets of any other entity that can itself be addressed using the current user name as a selection condition.
- User conditions user_condition as a special case of a literal condition on whose right side the user name of the current user is used as an operand.
- Inheritance conditions inherit_condition that apply conditions from other CDS roles.
- Boolean predicates TRUE and FALSE. These conditions are either always met or not met. They are usually not needed in a role definition, but can be created implicitly in the inheritance of conditions in CDS view extensions.
- The predicate VOID. A condition with the value VOID is handled as nonexistent.
VOID conditions are not required in the definition of a role and can be created implicitly in inheritances. The following rules apply in combination with other conditions:
- X AND VOID = VOID AND X = X
- X OR VOID = VOID OR X = X
- NOT VOID = VOID
- An access rule cannot consist solely of VOID conditions.
On the left side of a condition of this type, it is possible to specify elements of the CDS entity for which the access condition is defined directly or using path expressions. The following restrictions apply:
- Only certain data types are permitted.
- Path expressions path_expr in CDS DCL have the same syntax as path expressions in CDS DDL.
The result of a condition is true or false.
Notes
- It is advisable to specify an element in a CDS entity directly in the CDS DCL and to only use path expressions in exceptional cases. More specifically, path expressions with multiple values can have a negative effect on the runtime of a query.
- The way an access condition defined in a CDS role for a CDS entity is characterized when the CDS entity is accessed using ABAP SQL can be viewed in the SQL Trace tool (transaction ST05), for example as additional general table expressions. This implementation is not fixed, however, and can change between releases. More specifically, if further conditions exist, the part condition that results from a CDS role may be reduced (or even omitted). This makes it impossible to detect the access condition in the SQL trace.
Continue
ABAP CDS - DEFINE ROLE, literal_condition
ABAP CDS - DEFINE ROLE, pfcg_condition
ABAP CDS - DEFINE ROLE, aspect_condition
ABAP CDS - DEFINE ROLE, user_condition
ABAP CDS - DEFINE ROLE, inherit_condition