ABAP CDS enables access control based on a data control language (CDS DCL). Access control in ABAP CDS further restricts the data returned from a
CDS entity in ABAP CDS. CDS access control is based on the following:
CDS roles defined using
the CDS DCL statement DEFINE ROLE. Currently, a CDS role is mapped to each user implicitly. This is why they are also known as
mapping roles.
Access rules defined in a CDS role
CDS entities.
Access rules can define conditions, but also provide free access. Access rules can be inherited from another in a CDS role.
If a CDS role with access rules is defined for a CDS entity, the access conditions are evaluated implicitly each time an object is accessed using
Open SQL or using an
SADL query (unless access control
is disabled using the value #NOT_ALLOWED for the annotation @AccessControl.authorizationCheck. If access control is enabled, only that data is read that meets the access conditions.
Every CDS role is defined in its own separate piece of CDS source code. This CDS source code can only be edited in the
ABAP Development Tools (ADT). When
activated, the CDS role is characterized as a global internal object in ABAP Dictionary. The CDS source code of a CDS role is edited in a different editor from the CDS source code of a
CDS entity (a
CDS view or
CDS table function). The
ADT documentation describes how the different types of source code are created.
Notes
CDS access control provides an additional method for checking authorizations in the
SAP authorization concept. Authorizations in the SAP authorization concept are based on
authorization objects and are granted in the classic role editor
(transaction PFCG). In classic authorization checks, the authorizations
are either checked implicitly (such as when transactions are called) or explicitly using the statement
AUTHORITY-CHECK. CDS access control expands these checks to include implicit evaluations of
access conditions.
It is advisable to continue to use classic authorization checks for start authorizations (used to
check whether a user can start an application in the first place). CDS access control can be used within
an application to perform authorization checks (used to check the authorization of a user as defined by the data model and the data in question).
When CDS entities are accessed using Open SQL, ABAP programs cannot distinguish whether data is not read because it does not exist or because they are not allowed by CDS access control.
Currently, CDS roles can only be defined for CDS views and not for
CDS table functions.
Implicit access control only takes place when a CDS view is accessed directly using Open SQL or using an SADL query.
When CDS views used as data sources in different CDS entities are accessed indirectly, no implicit
access control takes place. This means the methods and CDS roles used to access CDS entities should
be planned carefully when modeling an application. For example, accesses made on CDS entities without associated CDS role can be wrapped in CDS views with associated roles.
ABAP CDS does not currently support
assignment roles, a category of role based on the CDS data model that needs to be assigned to users explicitly by the user administrator.