ABAP - Keyword Documentation →  ABAP - ABAP Release News →  News for ABAP Release 7.5x →  News for ABAP Release 7.56 → 
Mail Feedback

ABAP CDS Access Control in ABAP Release 7.56


1. Graceful Behavior in Access Condition Inheritance for Missing Dictionary Elements

2. Unified Syntax for Authorization Objects, Authorization Fields and SACF Scenario Names

3. Additional Filtering of User-Defined Aspect Usage

4. Condition Replacement for Role-Based Inheritance

5. Generic Element Replacement for Condition Inheritance

6. Enabling/Disabling of Access Conditions Based on the State of SACF

7. Access Conditions for CDS Hierarchies Based on Elements of the Hierarchy Directory

8. Consideration of Special Runtime Modes

9. New DCL Function



Modification 1  

Graceful Behavior in Access Condition Inheritance for Missing Dictionary Elements

From this release on, authors of access controls can mark a subset of the CDS elements used in their access conditions as optional, so that CDS entities which inherit their access conditions are not affected by a Day-1-impact any more.

GRANT SELECT ON cds_entity WITH OPTIONAL ELEMENTS (
     element1 DEFAULT (TRUE|FALSE), ...) WHERE ...

More Information



Modification 2  

Unified Syntax for Authorization Objects, Authorization Fields and SACF Scenario Names

At all locations of access controls, references to authorization objects, authorization fields, and SACF scenario names can be written in identifier syntax when they comply with it and in string syntax with single apostrophes as an alternative.

Before:

( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO 'THESCENARIO' )

Now allowed:

( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO TheScenario )

More Information



Modification 3  

Additional Filtering of User-Defined Aspect Usage

When using user-defined aspects, these can now denominate an arbitrary set of their elements (path expressions are supported) as filter element. These filter elements can by referenced when using the user-defined aspect in an access condition.

DEFINE ASPECT ... AS SELECT FROM ...
  WITH USER ELEMENT ...
  WITH FILTER ELEMENTS ( element1, element2 AS alias2 )
  {
      ...
  }
WHERE ( ... ) = ASPECT ... FILTER BY ( element1 = 'X' OR
                                       alias2 IS NOT NULL )

More Information



Modification 4  

Condition Replacement for Role-Based Inheritance

The REPLACING section formerly only available to entity-based inheritance

INHERITING CONDITIONS FROM ENTITY cds_entity

is now also available for role-based inheritance

INHERIT role FOR GRANT SELECT ON cds_entity

More Information



Modification 5  

Generic Element Replacement for Condition Inheritance

The REPLACING section of condition inheritance now supports a generic replacement step to replace an arbitrary field or association of the inheritance source with an arbitrary field or association of the inheritance target.

WHERE INHERITING CONDITIONS FROM ENTITY Source REPLACING {
  ELEMENT Element1OfSource WITH Element1OfTarget,
  ELEMENT Assoc1OfSource WITH Assoc1[r = 4].Assoc2OfTarget,
  ELEMENT Assoc2(p : $parameters.p1)[ q = 1].Field WITH MyShortField }

More Information



Modification 6  

Enabling/Disabling of Access Conditions Based on the State of SACF

Respecting settings in the switchable authorization framework (SACF) was already possible for dedicated PFCG conditions:

ASPECT PFCG_AUTH ( S_OBJECT IN SCENARIO ... )

Now, those settings can be used to enable or disable entire condition sets:

GRANT SELECT ON cds_entity
  WHERE
    SACF_CHECK_IN_USE (NAME => NEW_AUTH_SWITCH ) IS INITIAL
      AND
    ( element ) = ASPECT PFCG_AUTH( OLD_AUTH, F )
  OR
    SACF_CHECK_IN_USE( NAME => NEW_AUTH_SWITCH ) IS NOT INITIAL
      AND
    ( element ) = ASPECT PFCG_AUTH( NEW_AUTH, F );

More Information



Modification 7  

Access Conditions for CDS Hierarchies Based on Elements of the Hierarchy Directory

For CDS hierarchies, access control was restricted to the use of conditions not resulting in database filtering. Now elements located in the declared hierarchy directory

DIRECTORY ... FILTER BY

can be used to formulate such conditions.



Modification 8  

Consideration of Special Runtime Modes

When operating the system with the emergency user SAP*, CDS access control is now deactivated.

During processing of an update task, PFCG conditions are now considered as fully authorized.

More Information



Modification 9  

New DCL Function

The following new DCL function is available: OPTIONAL_ELEMENT_EXISTS.