Skip to content

ABAP Keyword Documentation →  ABAP - Dictionary →  ABAP CDS in ABAP Dictionary →  ABAP CDS - Access Control →  ABAP CDS - DCL Statements 

ABAP CDS - DEFINE ROLE

Other versions: 7.31 | 7.40 | 7.54

Syntax


@MappingRole: true 
[@role_annot1]
[@role_annot2]
...
[DEFINE] ROLE role_name { access_rules }

Effect

Defines a CDS role called role_name in the CDS DCL. A CDS role consists of one or more access rules access_rules specified within the curly brackets. Each access rule defines access to a CDS entity. A CDS role can contain access rules for different CDS entities. An access rule either defines an access condition for the CDS entity or grants free access. When a CDS entity of this type is accessed using ABAP SQL, an access condition is evaluated as an additional selection condition.

Before the role is defined using DEFINE ROLE, the annotation @MappingRole must be specified with the value true. The annotation @MappingRole is used to assign the CDS role to every user regardless of the client. Further optional annotations role_annot1, role_annot2, ... can also be specified.


Notes

  • Every CDS role defined using DEFINE ROLE is assigned to every user implicitly, which means that the associated access control is applied to every user. User-specific checks are applied using PFCG conditions and user conditions.

  • By default, when ABAP SQL is used for reads for a non-abstract CDS entity, access control is applied if a CDS role exists for the entity. The associated annotation @AccessControl.authorizationCheck has the default value #CHECK. In this case, CDS entities without assigned roles produce a syntax check warning in the DDL editor. This can be disabled using the annotation value #NOT_REQUIRED. The value #NOT_REQUIRED does not, however, disable implicit access control.

  • A CDS role can be defined for a CDS entity in every package and in every system and dictates that implicit access control applies.

  • Access control can be disabled for a CDS entity as follows:

  • Specify the annotation @AccessControl.authorizationCheck with the value #NOT_ALLOWED in the definition of the entity. In this case, the definition of a role for the CDS entity produces a syntax check warning in the DCL editor.

Continue

ABAP CDS - DEFINE ROLE, role_annot

ABAP CDS - DEFINE ROLE, access_rules

ABAP CDS - DEFINE ROLE, condition