SAP NetWeaver AS ABAP Release 750, ©Copyright 2016 SAP AG. All rights reserved.
ABAP CDS - Access Control
ABAP CDS enables access control based on a data control language (DCL). Access control in ABAP CDS further restricts the data returned from a CDS entity. CDS access control is based on the following:
If a CDS role is defined for a CDS entity, the access conditions are evaluated implicitly each time an object is accessed using Open SQL or using an SADL query (unless access control is disabled using the value #NOT_ALLOWED for the annotation @AccessControl.authorizationCheck). If access control is enabled, only data that meets the access conditions is read.
Each CDS role is defined in a separate piece of CDS source code. This CDS source code can only be edited in the ABAP Development Tools (ADT). When activated, the CDS role is characterized as a global internal object in ABAP Dictionary. The CDS source code of a CDS role is edited in a different editor from the CDS source code of a CDS entity (CDS view or CDS table function). The ADT documentation describes how the different types of source code are created.
- CDS access control provides an additional method for checking authorizations in the SAP authorization concept. Authorizations in the SAP authorization concept are based on authorization objects and are granted in the classic role editor (transaction PFCG). In classic authorization checks, the authorizations are either checked implicitly (such as when transactions are called) or explicitly using the statement AUTHORITY-CHECK. CDS access control expands these checks to include implicit evaluations of
- It is advisable to continue to use classic authorization checks for start authorizations (used to check whether a user can start an application in the first place). CDS access control can be used within an application to perform instance-based authorization checks (used to check the authorization of a user as defined by the data model and the data in question).
- When CDS entities are accessed using Open SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because reading it is not allowed by CDS access control.
- Currently, CDS roles can only be defined for CDS views and not for CDS table functions.
Implicit access control only takes place when a CDS view is accessed directly using Open SQL or using an SADL query. When CDS views used as data sources in different CDS entities are accessed indirectly, no implicit access control takes place. This means the methods and CDS roles used to access CDS entities should be planned carefully when modeling an application. For example, accesses made on CDS entities without an associated CDS role can be wrapped in CDS views with associated roles.
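The indirect-access rule above, as an added example in ABAP CDS DDL and DCL source (not taken from the SAP documentation): a role on a data source view does not protect a view built on top of it, so the outer view needs its own role. All view, SQL view and role names are hypothetical; the table SCARR and the authorization object S_CARRID with fields CARRID and ACTVT are assumed to exist as in the SAP flight demo model. Each commented section is a separate source object in ADT.

```abap
// DDL source 1 (constructed): data source view with its own CDS role
@AbapCatalog.sqlViewName: 'ZDEMOCARRB'
@AccessControl.authorizationCheck: #CHECK
define view Z_Demo_Carrier_Base
  as select from scarr
{
  key carrid,
      carrname,
      currcode
}

// DCL source 1 (constructed): evaluated only when Z_Demo_Carrier_Base
// itself is read directly using Open SQL or an SADL query
@MappingRole: true
define role Z_Demo_Carrier_Base_Role {
  grant select on Z_Demo_Carrier_Base
    where ( carrid ) = aspect pfcg_auth( S_CARRID, CARRID, ACTVT = '03' );
}

// DDL source 2 (constructed): uses the base view as its data source.
// A read of Z_Demo_Carrier_Report reaches the base view indirectly, so
// Z_Demo_Carrier_Base_Role is not evaluated for that read.
@AbapCatalog.sqlViewName: 'ZDEMOCARRR'
@AccessControl.authorizationCheck: #CHECK
define view Z_Demo_Carrier_Report
  as select from Z_Demo_Carrier_Base
{
  key carrid,
      carrname
}

// DCL source 2 (constructed): the outer view carries its own role, so
// direct reads of Z_Demo_Carrier_Report are restricted as well.
// Without this role, every row of the base view would be returned here.
@MappingRole: true
define role Z_Demo_Carrier_Report_Role {
  grant select on Z_Demo_Carrier_Report
    where ( carrid ) = aspect pfcg_auth( S_CARRID, CARRID, ACTVT = '03' );
}
```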
ABAP CDS - DCL Statements
- ABAP CDS does not currently support assignment roles, a category of role based on the CDS data model that needs to be assigned to users explicitly by the user administrator.