ABAP CDS - DEFINE PFCG_MAPPING

Syntax


[pfcg_mapping_annot] 
[DEFINE] PFCG_MAPPING pfcg_mapping(output1[, output2 ...])
  BETWEEN mapping_entity AND auth_object [IN SCENARIO scenario_name]
  { input1 = auth_field1 [CONSTRAINT ID][,
    input2 = auth_field2 [CONSTRAINT ID] ... ] }

Effect

Defines a PFCG mapping pfcg_mapping as part of a CDS access policy defined using DEFINE ACCESSPOLICY. The name of the PFCG mapping must match the name of the CDS access policy.

The definition of a PFCG mapping contains the following:

  • A comma-separated list after the name pfcg_mapping in which the output fields of the PFCG mapping are defined. These fields must be elements of the CDS entity mapping_entity specified after BETWEEN. The specified order applies.
  • A CDS entity mapping_entity specified after the keyword BETWEEN to define the fields used in the mapping. This definition specifies the input and output fields of the mapping.
  • An authorization object auth_object specified after the keyword AND. The PFCG mapping can be used in precisely those PFCG conditions in which this authorization object is specified after ASPECT pfcg_auth.
  • A comma-separated unordered list in curly brackets that associates the input fields input1, input2, ... of the mapping with authorization fields auth_field of the authorization object auth_object.
      • The input fields on the left sides must be elements of the CDS entity mapping_entity specified after BETWEEN.
      • Authorization fields of the authorization object auth_object must be specified on the right sides.
      • Any number of optional assignments can be flagged using the addition CONSTRAINT ID.

A PFCG mapping can be used in a PFCG condition of the same authorization object. It is transformed to specific access conditions as follows when the condition is evaluated:

  • The values of the current user for the authorization fields assigned to the input fields fill the input fields of the mapping.
  • The output fields of the mapping are assigned to the elements within the curly brackets of the PFCG condition in the specified order.
  • The following applies to the input fields flagged with CONSTRAINT ID:
      • Only those authorization fields of the authorization object can be assigned that contain a single value in a specific authorization. Multiple values or patterns are not allowed (with the exception of full authorization using the value "*"). Otherwise the PFCG mapping in the PFCG condition returns the value "false" for the authorization in question.
      • Full authorization can be assigned only when applied to all input fields of the PFCG mapping.
  • If full authorization exists for all input fields of the PFCG mapping (value "*"), the PFCG mapping in the PFCG condition returns the value "true" when evaluated. This makes it possible to read entries of the protected entity for which there are no output fields in the mapping.

Addition

... IN SCENARIO

To use a PFCG mapping in a PFCG condition where the authorization object is subject to the switchable authorization check, the PFCG mapping must also name the same scenario (as well as the same authorization object). For more information, see the PFCG condition of the statement DEFINE ROLE.


Note

In ABAP SQL access to a CDS entity assigned a role of this type, PFCG mappings are defined internally using a subquery after EXISTS. This can be seen in an SQL trace.


Example

The following example shows the definition of a PFCG mapping demo_cds_auth_pfcg_mapping based on the CDS entity demo_cds_mapping_entity below. The output fields of the PFCG mapping are the authorization fields OBJECT, OBJ_NAME, and DEVCLASS of the authorization object S_DEVELOP. The input fields of the PFCG mapping are the elements of the CDS entity to which the output fields are assigned. The example that demonstrates how a PFCG mapping is specified in a role shows how the mapping is used.

  • PFCG Mapping
define accesspolicy demo_cds_pfcg_mapping  {
  define pfcg_mapping demo_cds_pfcg_mapping( map_object,  
                                             map_obj_name,  
                                             map_devclass )
    between demo_cds_mapping_entity
      and S_DEVELOP
      { map_devclass = devclass,
        map_object   = objtype,
        map_obj_name = objname } }
  • CDS Entity
@AbapCatalog.sqlViewName: 'DEMOCDSMAPPENT'
define view demo_cds_mapping_entity
  as select from
    tadir
    {
      devclass as map_devclass,
      object   as map_object,
      obj_name as map_obj_name
    }
    where
          devclass =    'SABAPDEMOS'
      and object   =    'PROG'
      and obj_name like 'DEMO%'
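
The evaluation rules listed under Effect, as a small Python model added here for illustration; it is not SAP code and not how the database evaluates the condition (per the Note, that happens through a subquery after EXISTS). The sample rows, the element names object, obj_name and devclass of the protected entity, the CONSTRAINT ID flag on map_devclass, the restriction to literal and trailing-"*" values, and the OR across a user's authorizations are assumptions.

```python
FULL = "*"  # full authorization value named on the page

def matches(value, pattern):
    # Assumption: only literal values and trailing-"*" patterns are modelled.
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else value == pattern

def eval_mapping(rows, outputs, inputs, auth):
    """One authorization -> True (full access) or a set of output tuples."""
    values = {elem: auth.get(field, []) for elem, (field, _) in inputs.items()}
    if all(v == [FULL] for v in values.values()):
        return True  # "*" for every input field: the mapping returns "true"
    for elem, (_, constraint_id) in inputs.items():
        v = values[elem]
        # CONSTRAINT ID: one literal value only. Several values, a pattern, or
        # "*" on just some of the fields make this authorization "false".
        if constraint_id and (len(v) != 1 or "*" in v[0]):
            return set()
    return {tuple(r[o] for o in outputs) for r in rows
            if all(any(matches(r[e], p) for p in values[e]) for e in inputs)}

def visible_rows(protected, elements, rows, outputs, inputs, auths):
    """Rows of the protected entity the user may read (auths are ORed)."""
    results = [eval_mapping(rows, outputs, inputs, a) for a in auths]
    if any(r is True for r in results):
        return list(protected)  # includes rows that have no mapping entry
    granted = set().union(*results)
    return [p for p in protected if tuple(p[e] for e in elements) in granted]

# Constructed sample data shaped like the page's example.
OUTPUTS = ["map_object", "map_obj_name", "map_devclass"]
INPUTS = {"map_devclass": ("DEVCLASS", True),   # CONSTRAINT ID assumed here
          "map_object": ("OBJTYPE", False),
          "map_obj_name": ("OBJNAME", False)}
MAPPING_ROWS = [
    {"map_devclass": "SABAPDEMOS", "map_object": "PROG", "map_obj_name": "DEMO_A"},
    {"map_devclass": "SABAPDEMOS", "map_object": "PROG", "map_obj_name": "DEMO_B"}]
ELEMENTS = ["object", "obj_name", "devclass"]
PROTECTED = [
    {"object": "PROG", "obj_name": "DEMO_A", "devclass": "SABAPDEMOS"},
    {"object": "PROG", "obj_name": "DEMO_B", "devclass": "SABAPDEMOS"},
    {"object": "CLAS", "obj_name": "ZCL_OTHER", "devclass": "ZPKG"}]
SINGLE = {"DEVCLASS": ["SABAPDEMOS"], "OBJTYPE": ["PROG"], "OBJNAME": ["DEMO_A"]}
MULTI = {"DEVCLASS": ["SABAPDEMOS", "ZPKG"], "OBJTYPE": ["*"], "OBJNAME": ["*"]}
STAR = {"DEVCLASS": ["*"], "OBJTYPE": ["*"], "OBJNAME": ["*"]}
```

When reviewing roles, the STAR case is the one to check: an authorization with "*" in every mapped field exposes protected rows that the mapping entity never lists, such as the ZPKG row here.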
