ABAP Keyword Documentation → ABAP - Dictionary → ABAP CDS in ABAP Dictionary → ABAP CDS - Access Control → ABAP CDS - DCL Statements → ABAP CDS - DEFINE ROLE → ABAP CDS - DEFINE ROLE, condition → ABAP CDS - DEFINE ROLE, pfcg_condition
ABAP CDS - DEFINE ROLE, Converting Field Values
Elements of CDS entities are associated with an authorization object in PFCG conditions in the CDS DCL. The access condition itself is generated from authorizations of the current user for the authorization object. Here, comparisons of the content of CDS elements with field values of the authorizations are created. The following points should be noted.
The field values of authorizations are saved as text fields with length 40. For comparisons, they must be convertible to the data type of the CDS elements:
- The rules for lossless assignments must be followed. If this is not possible, the field value is ignored.
- If an authorization requests a pattern comparison using a wildcard character (*), the data type of the CDS element must be character-like.
If a field value cannot be converted, the field value is ignored.
- Field values that are ignored are, for example, field values that are longer than the CDS element or field values with a non-numeric content for a numeric CDS element.
- If field values are ignored, CDS access control may block access completely.
- Ignored field values are not logged, which means that they cannot be known to the system administrator or to the user.
If a field value contains a wildcard character () as its final character, it is used to create a LIKE condition in which the wildcard character is replaced by the SQL wildcard character %.
If the field value contains the SQL wildcard characters % and , the escape character # is assigned to them implicitly. This means that CDS access control checks the characters % and in field values like regular characters.
The field value "10%*" produces the condition LIKE '10#%%' ESCAPE '#'.