ABAP CDS - DEFINE ROLE
Syntax
@MappingRole: true
[@role_annot1]
[@role_annot2]
...
[DEFINE] ROLE role_name { access_rules }
Effect
Defines a CDS role called role_name in the CDS DCL. A CDS role consists of one or more access rules access_rules specified within the curly brackets. Each access rule defines access to a CDS entity. A CDS role can contain access rules for different CDS entities. An access rule either defines an access condition for the CDS entity or grants free access. When a CDS entity with an access condition is accessed using ABAP SQL, the access condition is evaluated as an additional selection condition.
Before the role is defined using DEFINE ROLE, the annotation @MappingRole must be specified with the value true. The annotation @MappingRole is used to assign the CDS role to every user regardless of the client. Further optional annotations role_annot1, role_annot2, ... can also be specified.
Notes
- Every CDS role defined using DEFINE ROLE is assigned to every user implicitly, which means that the associated access control is applied to every user. User-specific checks are applied using PFCG conditions and user conditions.
- By default, when ABAP SQL is used for reads for a non-abstract CDS entity, access control is applied if a CDS role exists for the entity. The associated annotation @AccessControl.authorizationCheck has the default value #CHECK. In this case, CDS entities without assigned roles produce a syntax check warning in the DDL editor. This can be disabled using the annotation value #NOT_REQUIRED. The value #NOT_REQUIRED does not, however, disable implicit access control.
- A CDS role can be defined for a CDS entity in every package and in every system and dictates that implicit access control applies.
- Access control can be disabled for a CDS entity as follows:
  - Specify the annotation @AccessControl.authorizationCheck with the value #NOT_ALLOWED in the definition of the entity. In this case, the definition of a role for the CDS entity produces a syntax check warning in the DCL editor.
  - Use the addition WITH PRIVILEGED ACCESS in the FROM clause of an ABAP SQL query when the entity is accessed.
- Separate DCL source code must be created for each CDS role. The DCL source code of a CDS role is edited in a different editor from the DDL source code of a CDS entity (a CDS view or CDS table function) or a CDS metadata extension. The ADT documentation describes how the different types of source code are created. CDS source code can also be displayed in Repository Browser in ABAP Workbench.
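The following DCL source is an added example, not taken from the SAP documentation. It shows one CDS role with three access rules for different entities: an access condition using a PFCG condition, an access condition using a user condition, and free access. The role name, the entities zdemo_flights, zdemo_my_bookings and zdemo_currencies, and their elements carrid, currcode and created_by are hypothetical; S_CARRID is the standard authorization object with the fields CARRID and ACTVT.

```cds
// Hypothetical role and entity names, constructed for illustration.
@MappingRole: true                       // required: assigns the role to every user
@EndUserText.label: 'Demo access rules'  // optional role annotation
define role zdemo_flight_access {

  // Access condition with a PFCG condition: a row is selected only if the
  // user holds an authorization for S_CARRID that covers the row's carrid
  // with activity '03' (display). The literal condition narrows it further.
  grant select on zdemo_flights
    where ( carrid ) = aspect pfcg_auth( s_carrid, carrid, actvt = '03' )
      and currcode = 'EUR';

  // Access condition with a user condition: each user reads only the rows
  // whose created_by element equals the current user name.
  grant select on zdemo_my_bookings
    where created_by = aspect user;

  // Free access: no condition is added, so every user reads every row.
  grant select on zdemo_currencies;
}
```

Because the role is assigned to every user implicitly, the free access rule opens zdemo_currencies to all users, while the first two rules add their conditions to every ABAP SQL read of the respective entity. A read that uses WITH PRIVILEGED ACCESS in its FROM clause is not filtered by any of these rules.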