A PFCG condition is specified as part of an access condition in an access rule of the statement DEFINE ROLE in the CDS DCL. A PFCG condition joins the elements of the CDS entity specified on the left side of the operator = or ?= with the authorizations specified on the right side (and granted using the classic role editor, transaction PFCG). CDS access control takes this information and the authorizations of the current user and uses them to create fixed logical conditions, which are evaluated each time the object is accessed.
The left side is a parenthesized comma-separated list of the elements of a CDS entity (multiple elements, one element, or no elements) for which the access condition is defined. An element, element, can be specified directly or by using a path expression path_expr and must have one of the valid data types.
The predefined aspect pfcg_auth must be specified on the right side, introduced using ASPECT. This aspect is used to associate the CDS elements with the authorizations of the current user for an authorization object in the authorization concept. This association is made in a parenthesized comma-separated list:
The name of an existing authorization object is defined using object.
mapped_field1, mapped_field2, ... are used to specify the names of the authorization fields of the authorization object and to map them to the CDS elements on the left side in the specified order. The number of CDS elements must match the number of authorization fields. It is possible to map the same authorization field to multiple CDS elements, but it is not possible to specify multiple authorization fields for a single CDS element. By default, CDS access control evaluates all authorizations of the current user for the specified CDS elements in accordance with this mapping. Only those rows are selected for which an authorization exists.
Further optional authorization fields auth_field1, auth_field2, ... of the authorization object can be specified, to which literal values can be mapped using =. In this case, the evaluation only respects those authorizations of the current user in which all values specified in this way exist. Here, the same authorization field can be specified more than once with different values.
If the parentheses on the left side are empty, which means that no element from the CDS entity is specified, no authorization field mapped_field can be specified after object. If further optional authorization fields auth_field1, auth_field2, ... are specified, the same applies as before. CDS access control evaluates all authorizations (or those authorizations specified using auth_field1, auth_field2, ...) of the current user for the authorization object. If at least one authorization exists, this applies to the entire CDS entity and CDS access control does not apply any additional selection conditions. If there are no authorizations, no data is read.
If the operator ?= is used, the evaluation is made in the same way as when using =. The condition is also met, however, if all CDS elements in the left parentheses have the
null value or their type-friendly initial value.
The following applies with respect to the hierarchy of the evaluation of a PFCG condition:
If multiple authorizations are evaluated, the resulting conditions are joined using a logical "or".
In the conditions of each authorization used, the values for the authorization fields in question are joined using a logical "and".
If there are multiple values for an authorization field, they are joined using a logical "or".
When these rules are applied to the access condition actually used by CDS access control, field values from
authorizations are compared with content from CDS elements. Here, the field values are
mapped to the dictionary types of the CDS elements.
Notes
The access conditions that result from the rules above are internal objects of CDS access control. In Open SQL reads, the additional conditions can be viewed in the SQL Trace tools (transaction ST05). They can be implemented using WHERE conditions or joins in authorization views, and the implementation can change between releases.
It is advisable to specify an element of the CDS entity directly and to only use path expressions in exceptional cases.
The operator ?= is applied to all CDS elements in the left parentheses. It cannot be restricted to individual elements.
Examples
The following abstract examples explain various types of PFCG conditions:
The following example is a typical case. Multiple elements, element1,
element2, are mapped to different authorization fields, field1, field2, of an authorization object object. Those
authorizations of the current user are evaluated in which a particular activity is allowed.
@MappingRole: 'true'
DEFINE ROLE demo_role {
  GRANT SELECT ON entity
    WHERE ( element1, element2 ) = ASPECT pfcg_auth ( object,
                                                      field1, field2,
                                                      ACTVT = '02' ); }
The current user has two authorizations for the authorization object object:
An authorization with the values "a", "b" for the authorization field field1 and the values "c", "d" for the authorization field field2
An authorization with the value "X*" for the authorization field field1 and the value "Y" for the authorization field field2
The access condition added to the CDS entity entity by CDS access control using a logical "and" can appear as follows (when expressed in SQL):
... AND ( ( element1 = 'a' OR element1 = 'b' ) AND ( element2 = 'c' OR element2 = 'd' ) OR
          element1 LIKE 'X%' AND element2 = 'Y' )
The values of each authorization are joined using AND and the conditions of both authorizations are joined using OR. The wildcard character * is
transformed to a LIKE condition. The actual variant in question, however, can have a different appearance.
If ?= is used instead of = in the example above, the access condition is expanded roughly as follows:
... element2 = 'Y' OR
    ( ( element1 IS NULL OR element1 = '' ) AND
      ( element2 IS NULL OR element2 = '' ) ) )
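The evaluation hierarchy and the first abstract example can be traced with a small model. The following Python code is an added illustration, not SAP code and not the internal implementation of CDS access control; the function pfcg_condition, the dictionary representation of authorizations, and the third sample authorization are assumptions made for this example. It renders the condition as text only, matches literal values exactly, and uses '' as the initial value of character-type elements.

```python
def _predicate(element, value):
    # An authorization value containing the wildcard * becomes a LIKE pattern.
    if "*" in value:
        return f"{element} LIKE '{value.replace('*', '%')}'"
    return f"{element} = '{value}'"


def _any_of(terms):
    # Multiple values of one field are joined with OR (parenthesized if more than one).
    return terms[0] if len(terms) == 1 else "( " + " OR ".join(terms) + " )"


def pfcg_condition(elements, mapped_fields, literals, authorizations, operator="="):
    """Render, as text, the condition the rules above yield for one PFCG condition."""
    if len(elements) != len(mapped_fields):
        raise ValueError("each CDS element needs exactly one mapped authorization field")
    # Respect only authorizations that contain every literal value (exact match only).
    used = [a for a in authorizations
            if all(value in a.get(field, ()) for field, value in literals)]
    if not elements:
        # Empty left side: one qualifying authorization opens the whole entity.
        return "TRUE" if used else "FALSE"
    per_auth = []
    for auth in used:
        groups = [[_predicate(e, v) for v in auth.get(f, ())]
                  for e, f in zip(elements, mapped_fields)]
        if all(groups):  # no value for a mapped field: this authorization grants nothing
            per_auth.append(" AND ".join(_any_of(g) for g in groups))  # fields: AND
    if operator == "?=":
        # Assumption: '' stands in for the initial value of character-type elements.
        per_auth.append("( " + " AND ".join(
            f"( {e} IS NULL OR {e} = '' )" for e in elements) + " )")
    if not per_auth:
        return "FALSE"  # no usable authorization: no data is read
    return "( " + " OR ".join(per_auth) + " )"  # authorizations: OR


# Constructed sample: the two authorizations of the first abstract example plus one
# display-only authorization that the literal ACTVT = '02' filters out.
USER_AUTHS = [
    {"field1": ["a", "b"], "field2": ["c", "d"], "ACTVT": ["02"]},
    {"field1": ["X*"], "field2": ["Y"], "ACTVT": ["02"]},
    {"field1": ["q"], "field2": ["r"], "ACTVT": ["03"]},
]

if __name__ == "__main__":
    print(pfcg_condition(["element1", "element2"], ["field1", "field2"],
                         [("ACTVT", "02")], USER_AUTHS))
```

When reviewing a role, the rendered text can be compared with the conditions that ST05 shows for the same user, keeping in mind that the real statement can take a different form.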
The following example illustrates how the evaluated authorizations are restricted using further authorization fields. Only those
authorizations of the
current user are used that contain both the activities "02" and "03", plus the authorization field
country with the value "DE". Only those rows are read for which the CDS element element
matches the authorization field field of these authorizations.
@MappingRole: true
DEFINE ROLE demo_role {
  GRANT SELECT ON entity
    WHERE ( element ) = ASPECT pfcg_auth( object,
                                          field,
                                          actvt = '02',
                                          actvt = '03',
                                          country = 'DE' ); }
In the following example, the same authorization field field is used
for the items mapped_field and auth_field.
If the current user has an authorization with the values "X", "Y", and "Z" for this authorization field,
this authorization is used by specifying field = 'X'. CDS then uses all three permitted values "X", "Y", and "Z" when the CDS entity is accessed.
@MappingRole: true
DEFINE ROLE demo_role {
  GRANT SELECT ON entity
    WHERE ( element ) = ASPECT pfcg_auth( object,
                                          field,
                                          field = 'X' ); }
No CDS element is specified in the following example. CDS access control prevents any data from being read if the current user does not have at least one authorization for the authorization object object with the activity "03".
@MappingRole: true
DEFINE ROLE demo_role {
  GRANT SELECT ON entity
    WHERE ( ) = ASPECT pfcg_auth( object, ACTVT = '03' ); }
No CDS element or authorization field is specified in the following example. Here, the only requirement
is that the current user has at least one authorization (any authorization) for the authorization object object (with any values).
@MappingRole: true
DEFINE ROLE demo_role {
  GRANT SELECT ON entity
    WHERE ( ) = ASPECT pfcg_auth( object ); }
Example
The following CDS role defines an access rule for the CDS view demo_cds_auth_pfcg.
A PFCG condition is specified that associates the CDS element carrid with
the authorization field CARRID of the authorization object S_CARRID. If specified, actvt='03'
restricts the CDS access control check to the associated authorizations of the current user that have the value "03" in ACTVT.
@MappingRole: true
define role demo_cds_role_pfcg {
  grant select on demo_cds_auth_pfcg
    where (carrid) = aspect pfcg_auth (s_carrid, carrid, actvt='03'); }
The CDS view is as follows:
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
The program DEMO_CDS_AUTH_PFCG accesses the view.
When the CDS database view is accessed, there is no implicit authorization check. Instead, the rows without authorization are removed from the results later using the statement AUTHORITY-CHECK.
When the CDS entity is accessed, the SELECT statement only reads the data for which the current user has authorization.