ABAP CDS - DEFINE ROLE, pfcg_mapping
Syntax
    ... ( ... { element1[, element2 ...] } ... )
          =|?= ASPECT pfcg_auth
          ( ... PFCG_MAPPING = pfcg_mapping ... ) ...
Effect
Associates an element list specified in curly brackets { element1[, element2 ...] } with a PFCG mapping pfcg_mapping in the definition of a PFCG condition.
- The element list of the left side is a comma-separated list of one or more directly specified CDS elements of the CDS entity for which the access condition is defined. An element element can also be specified using a path expression path_expr and must have one of the valid data types.
- After PFCG_MAPPING =, the right side must specify a PFCG mapping pfcg_mapping defined using DEFINE PFCG_MAPPING as part of a CDS access policy.
When the PFCG condition is transformed into specific conditions, the PFCG mappings are handled as follows by CDS access control:
- The authorization fields specified in the comma-separated list of the definition of the PFCG mapping are used as input fields of the mapping pfcg_mapping.
- The output fields of the PFCG mapping are compared with the CDS elements of the element list associated with the PFCG mapping in the PFCG condition.
The other conditions of the PFCG condition are created as described for pfcg_condition. The PFCG condition is true if the conditions for the individually specified CDS elements and the PFCG mapping are met. If multiple authorizations exist for a single authorization field and there are individually specified CDS elements alongside the PFCG mapping, the PFCG mapping is resolved for each individual authorization.
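A simplified model of the per-authorization resolution described above, as an added example in Python that is not part of the SAP documentation or of CDS access control itself. The authorization fields REGION and DOCTYPE, the elements country and doc_type, and all data are constructed assumptions; only exact values and the full wildcard * are modelled, and the pooled variant exists only to show which rows would be over-granted if values were combined across authorizations.

```python
from typing import Dict, List, Set, Tuple

# Constructed mapping data: input authorization field REGION -> output element country.
MAPPING: List[Tuple[Dict[str, str], Tuple[str, ...]]] = [
    ({"REGION": "EMEA"}, ("DE",)),
    ({"REGION": "EMEA"}, ("FR",)),
    ({"REGION": "APAC"}, ("JP",)),
]
INPUT_FIELDS = ["REGION"]          # authorization fields named in the mapping definition
MAPPED_ELEMENTS = ["country"]      # element list { country } tied to the mapping
DIRECT = {"doc_type": "DOCTYPE"}   # individually specified element -> authorization field


def matches(auth_value: str, actual: str) -> bool:
    """Only exact values and the full wildcard '*' are modelled."""
    return auth_value == "*" or auth_value == actual


def resolve_mapping(auth: Dict[str, str]) -> Set[Tuple[str, ...]]:
    """Output tuples the mapping yields for ONE authorization."""
    return {out for inp, out in MAPPING
            if all(matches(auth[f], inp[f]) for f in INPUT_FIELDS)}


def row_allowed(row: Dict[str, str], auths: List[Dict[str, str]]) -> bool:
    """True if a single authorization satisfies both the direct and the mapped part."""
    mapped = tuple(row[e] for e in MAPPED_ELEMENTS)
    return any(
        all(matches(a[f], row[e]) for e, f in DIRECT.items())
        and mapped in resolve_mapping(a)
        for a in auths)


def row_allowed_pooled(row: Dict[str, str], auths: List[Dict[str, str]]) -> bool:
    """Incorrect variant: pools values across authorizations and over-grants."""
    mapped = tuple(row[e] for e in MAPPED_ELEMENTS)
    direct_ok = any(all(matches(a[f], row[e]) for e, f in DIRECT.items()) for a in auths)
    return direct_ok and any(mapped in resolve_mapping(a) for a in auths)


# Constructed authorizations of one user and constructed rows of the protected entity.
AUTHS = [{"REGION": "EMEA", "DOCTYPE": "INV"}, {"REGION": "APAC", "DOCTYPE": "ORD"}]
ROWS = [{"country": c, "doc_type": d}
        for c in ("DE", "JP", "US") for d in ("INV", "ORD")]

if __name__ == "__main__":
    for r in ROWS:
        print(r, row_allowed(r, AUTHS), row_allowed_pooled(r, AUTHS))
```

When reviewing a role that combines a PFCG mapping with individually specified elements, rows such as (DE, ORD) in this model are the ones to test for: each value is authorized somewhere, but no single authorization covers the combination.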
Notes
- PFCG mappings enable those entries in a CDS entity allowed for a particular user to be edited using high-order structural characteristics.
- Using PFCG mappings can negatively affect performance, particularly if individual CDS elements are specified simultaneously and if multiple authorizations exist for a single authorization field.
- If the PFCG condition has the addition IN SCENARIO, the PFCG mapping used in this place must also have this addition and name the same scenario.
Example
The following role uses the PFCG mapping demo_cds_pfcg_mapping defined in the example for DEFINE PFCG_MAPPING in a PFCG condition:
    define role demo_cds_role_pfcg_mapping {
      grant select on demo_cds_auth_pfcg_mapping
        where ( { view_object, view_obj_name, view_devclass } )
              = aspect pfcg_auth
                ( s_develop, pfcg_mapping = demo_cds_pfcg_mapping );
    }
The program DEMO_CDS_AUTH_PFCG_MAPPING accesses the view DEMO_CDS_AUTH_PFCG_MAPPING and an SQL trace demonstrates how the PFCG mapping works.