AS ABAP Release 758, ©Copyright 2024 SAP SE. All rights reserved.
ABAP - Keyword Documentation → ABAP - ABAP Release News → News for ABAP Release 7.5x → News for ABAP Release 7.56 →
Mail Feedback
ABAP CDS Access Control in ABAP Release 7.56
1. Graceful Behavior in Access Condition Inheritance for Missing Dictionary Elements
2. Unified Syntax for Authorization Objects, Authorization Fields and SACF Scenario Names
3. Additional Filtering of User-Defined Aspect Usage
4. Condition Replacement for Role-Based Inheritance
5. Generic Element Replacement for Condition Inheritance
6. Enabling/Disabling of Access Conditions Based on the State of SACF
7. Access Conditions for CDS Hierarchies Based on Elements of the Hierarchy Directory
8. Consideration of Special Runtime Modes
9. New DCL Function
Graceful Behavior in Access Condition Inheritance for Missing Dictionary Elements
From this release on, authors of access controls can mark a subset of the CDS elements used in their access conditions as optional, so that CDS entities which inherit their access conditions are not affected by a Day-1-impact any more.
-
GRANT SELECT ON cds_entity WITH OPTIONAL ELEMENTS (
element1 DEFAULT (TRUE|FALSE), ...) WHERE ...
Unified Syntax for Authorization Objects, Authorization Fields and SACF Scenario Names
At all locations of access controls, references to authorization objects, authorization fields, and SACF scenario names can be written in identifier syntax when they comply with it and in string syntax with single apostrophes as an alternative.
Before:
- ( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO 'THESCENARIO' )
Now allowed:
- ( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO TheScenario )
Additional Filtering of User-Defined Aspect Usage
When using user-defined aspects, these can now denominate an arbitrary set of their elements (path expressions are supported) as filter element. These filter elements can by referenced when using the user-defined aspect in an access condition.
-
DEFINE ASPECT ... AS SELECT FROM ...
WITH USER ELEMENT ...
WITH FILTER ELEMENTS ( element1, element2 AS alias2 )
{
...
}
WHERE ( ... ) = ASPECT ... FILTER BY ( element1 = 'X' OR
alias2 IS NOT NULL )
Condition Replacement for Role-Based Inheritance
The REPLACING section formerly only available to entity-based inheritance
- INHERITING CONDITIONS FROM ENTITY cds_entity
is now also available for role-based inheritance
- INHERIT role FOR GRANT SELECT ON cds_entity
Generic Element Replacement for Condition Inheritance
The REPLACING section of condition inheritance now supports a generic replacement step to replace an arbitrary field or association of the inheritance source with an arbitrary field or association of the inheritance target.
-
WHERE INHERITING CONDITIONS FROM ENTITY Source REPLACING {
ELEMENT Element1OfSource WITH Element1OfTarget,
ELEMENT Assoc1OfSource WITH Assoc1[r = 4].Assoc2OfTarget,
ELEMENT Assoc2(p : $parameters.p1)[ q = 1].Field WITH MyShortField }
Enabling/Disabling of Access Conditions Based on the State of SACF
Respecting settings in the switchable authorization framework (SACF) was already possible for dedicated PFCG conditions:
- ASPECT PFCG_AUTH ( S_OBJECT IN SCENARIO ... )
Now, those settings can be used to enable or disable entire condition sets:
-
GRANT SELECT ON cds_entity
WHERE
SACF_CHECK_IN_USE (NAME => NEW_AUTH_SWITCH ) IS INITIAL
AND
( element ) = ASPECT PFCG_AUTH( OLD_AUTH, F )
OR
SACF_CHECK_IN_USE( NAME => NEW_AUTH_SWITCH ) IS NOT INITIAL
AND
( element ) = ASPECT PFCG_AUTH( NEW_AUTH, F );
Access Conditions for CDS Hierarchies Based on Elements of the Hierarchy Directory
For CDS hierarchies, access control was restricted to the use of conditions not resulting in database filtering. Now elements located in the declared hierarchy directory
can be used to formulate such conditions.
Consideration of Special Runtime Modes
When operating the system with the emergency user SAP*, CDS access control is now deactivated.
During processing of an update task, PFCG conditions are now considered as fully authorized.
New DCL Function
The following new DCL function is available: OPTIONAL_ELEMENT_EXISTS.