ABAP - Keyword Documentation →  ABAP - Dictionary →  ABAP CDS in ABAP Dictionary →  ABAP CDS - Access Control →  ABAP CDS - DCL Statements →  ABAP CDS - DEFINE ROLE →  ABAP CDS - DEFINE ROLE, condition → 

ABAP CDS - DEFINE ROLE, pfcg_condition


... ( [element1 [, element2 ...]] ) =|?=
        ASPECT pfcg_auth
          ( object, [mapped_field1 [, mapped_field2 ...]]
              [, auth_field1 = 'value' [, auth_field2= 'value' ...]] ) ...


PFCG condition as part of an access condition in an access rule of the statement DEFINE ROLE in the CDS DCL. A PFCG condition joins the elements of the CDS entity specified on the left side of the operator = or ?= with the authorizations specified on the right side (and granted using the classic role editor (transaction PFCG)). CDS access control takes this information and the authorizations of the current user and uses it to create fixed logical conditions, which are evaluated each time the object is accessed.

If the operator ?= is used, the evaluation is made in the same way as when using =. The condition is also met, however, if all CDS elements in the left parentheses have the null value or their type-friendly initial value.

The following applies with respect to the hierarchy of the evaluation of a PFCG condition:

When these rules are applied to the access condition actually used by CDS access control, field values from authorizations are compared with content from CDS elements. Here, the field values are mapped to the dictionary types of the CDS elements.



The following abstract examples explain various types of PFCG conditions:

@MappingRole: 'true'
DEFINE ROLE demo_role {
    grant SELECT ON entity  WHERE
      ( element1, element2 ) = ASPECT pfcg_auth
          ( object,
            ACTVT = '02'); }
The current user has two authorizations for the authorization object object:
The access condition added to the CDS entity entity by CDS access control using a logical "and" can appear as follows (when expressed in SQL):
... AND ( ( element1 = 'a' OR element2 = 'b' ) AND
          ( element2 = 'c' OR element2 = 'd' ) OR
          element1 LIKE 'X%' AND
          element2 = 'Y' )
The values of each authorization are joined using AND and the conditions of both authorizations are joined using OR. The wildcard character * is transformed to a LIKE condition. The actual variant in question, however, can have a different appearance.
If ?= instead of = is used in the example above, the access condition is expanded roughly as follows:
          element2 = 'Y' OR
          ( ( element1 IS NULL or element1 = '' ) AND
            ( element2 IS NULL or element2 = '' ) ) )
@MappingRole: true
DEFINE ROLE demo_role {
  (element) = ASPECT pfcg_auth( object,
                                actvt   = '02',
                                actvt   = '03',
                                country = 'DE' );}
@MappingRole: true
DEFINE ROLE demo_role {
  (element) = ASPECT pfcg_auth( object,
                                field = 'X' ); }
@MappingRole: true
DEFINE ROLE demo_role {
    ( ) = ASPECT pfcg_auth( object, ACTVT = '03' ); }
@MappingRole: true
DEFINE ROLE demo_role {
    ( ) = ASPECT pfcg_auth( object ); }


The following CDS role defines an access rule for the CDS view demo_cds_auth_pfcg. A PFCG condition is specified that associates the CDS element carrid with the authorization field CARRID of the authorization object S_CARRID. If specified, actvt='03' restricts the CDS access control check to the associated authorizations of the current user that have the value "3" in ACTVT.

@MappingRole: true
define role demo_cds_role_pfcg {
  grant select on demo_cds_auth_pfcg
  where (carrid) =
  aspect pfcg_auth (s_carrid, carrid, actvt='03'); }

The CDS view is as follows:

@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
  as select from
      key carrid,

The program DEMO_CDS_AUTH_PFCG accesses the view.

ABAP CDS - DEFINE ROLE, Mapping of Field Values