Skip to content

ABAP Keyword Documentation →  ABAP - Dictionary →  ABAP CDS in ABAP Dictionary →  ABAP CDS - Access Control →  ABAP CDS - DCL Statements →  ABAP CDS - DEFINE ROLE →  ABAP CDS - DEFINE ROLE, access_rules 

ABAP CDS - DEFINE ROLE, inherited_rule (obsolete)

Other versions: 7.31 | 7.40 | 7.54

Obsolete Syntax

GRANT SELECT ON cds_entity INHERIT parent_role [AND|OR cond_expr] ...;

Effect

Obsolete inherited access rule in the statement DEFINE ROLE in the CDS DCL. An inherited access rule GRANT SELECT ON with the addition INHERIT inherits the access rules of an existing CDS role parent_role for a CDS entity cds_entity. If cds_entity is specified, the same applies as for a conditional access rule.

As an option, the inherited access rule can be given dedicated access conditions cond_expr using AND or OR. A CDS role can only contain one inherited access rule, but can contain additional conditional or full access rules. The existing CDS role parent_role can only contain a single access rule for exactly one CDS entity, which itself can be an inherited access rule.

The inherited access conditions inherited from parent_role must match the CDS entity cds_entity. Full access rules cannot be inherited.


Notes

  • There is currently no check to determine whether the CDS entity cds_entity contains as a data source the CDS entity for which the role parent_role is defined.

  • Changes to the CDS entity for which the role parent_role is defined can lead to errors in the inheriting roles.

Example

This example demonstrates how an obsolete inherited access rules is used. The example for inheritance conditions how access conditions should be applied instead.

The following CDS view uses the CDS view DEMO_CDS_AUTH_LIT_PFCG from the example for conditional access rules as the data source:

@AbapCatalog.sqlViewName: 'DEMO_CDS_INH_OBS'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inh_obs
  as select from
    demo_cds_auth_lit_pfcg
    {
      key carrid,
          carrname,
          currcode,
          url
    };

The view DEMO_CDS_AUTH_LIT_PFCG is assigned to the CDS role DEMO_CDS_ROLE_LIT_PFCG. This role is inherited in the following CDS role and hence passes its access rules to the view DEMO_CDS_AUTH_INH_OBS. An additional literal condition allows access to another currency.

@MappingRole: true
define role demo_cds_role_inh_obs {
  grant select on demo_cds_auth_inh_obs
               inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }

The language element INHERIT inherits the access conditions of the existing role and combines them with the additional condition. Expressed explicitly, the resulting access condition looks like this:

... where (carrid) =
       aspect pfcg_auth (s_carrid, carrid, actvt='03') and
              currcode = 'EUR' or
              currcode = 'USD' ...