Access Control for CDS Entities

ABAP Core Data Services (CDS) has its own authorization concept based on a data control language (DCL). The authorization concept of ABAP CDS uses conditions defined in CDS and can draw upon classical (PFCG) authorizations to check the authorizations of users.

The CDS authorization concept coexists with the classical authorization concept of SAP NetWeaver Application Server for ABAP (SAP NetWeaver AS for ABAP). You can use the two concepts together or independently of one another. The classical authorization concept is based on authorization objects; a user is checked either implicitly, for example when calling a transaction, or explicitly with the statement AUTHORITY-CHECK. The CDS authorization concept is based on implicit authorization checks that take place when CDS entities are accessed through the service adaptation definition language (SADL) or Open SQL.

Overview of Process and Architecture

The following figure shows the main components involved in creating DCL sources. After you have created the CDS entities you want to protect in DDL, you use a wizard in the Eclipse-based ABAP IDE (ABAP Development Tools) to create the DCL sources for those entities. In DCL sources you define CDS roles.

A developer defines a CDS role for a CDS entity in a separate DCL source using the DCL statement DEFINE ROLE. When the CDS entity is accessed using SADL or Open SQL, the following is checked:

  1. Is a role defined for the CDS entity?

    If no role is defined for a CDS entity, there are no restrictions on the data returned by the query.

  2. Does the current user have the required authorizations?

    If a role is defined for the CDS entity, access control management checks the authorizations of the current user and reads only the data for which an authorization exists. CDS roles are not assigned to users explicitly; they apply to all users implicitly, and conditions in the role that refer to classical authorizations are evaluated against the user's PFCG authorizations at runtime.

When you activate a DCL source, SAP NetWeaver AS for ABAP generates the authorization views and fills the access control management tables with the required metadata. The roles are stored as global internal objects in the ABAP Dictionary.
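The following pair of sources shows the process end to end: a CDS view in DDL that is marked as requiring an access control, and the DCL source that defines the role for it. This is an added example, not taken from the original page; the view ZI_SalesOrder, its SQL view name ZISALESORDER and the order type literal 'ZINT' are assumed names, while the table VBAK and the authorization object V_VBAK_VKO (fields VKORG, VTWEG, SPART, ACTVT) are standard SAP objects.

```cds
// ---- DDL source: CDS view to be protected (assumed name ZI_SalesOrder) ----
@AbapCatalog.sqlViewName: 'ZISALESORDER'   // assumed SQL view name
@AccessControl.authorizationCheck: #CHECK  // a DCL role is expected; activation
                                            // warns if none exists, and without a
                                            // role every row is returned
@EndUserText.label: 'Sales orders (access control example)'
define view ZI_SalesOrder as select from vbak {
  key vbeln as SalesOrder,
      vkorg as SalesOrganization,
      vtweg as DistributionChannel,
      spart as Division,
      auart as SalesOrderType,
      ernam as CreatedBy
}

// ---- DCL source: CDS role for the view (DEFINE ROLE) ----
@EndUserText.label: 'Access control for ZI_SalesOrder'
@MappingRole: true                          // role applies to all users implicitly
define role ZI_SalesOrder {
  grant select on ZI_SalesOrder
    // Row is visible only if the user holds V_VBAK_VKO with matching
    // VKORG/VTWEG/SPART and display activity (ACTVT = '03') in PFCG ...
    where ( SalesOrganization, DistributionChannel, Division )
            = aspect pfcg_auth ( V_VBAK_VKO, VKORG, VTWEG, SPART, ACTVT = '03' )
    // ... or the order belongs to an assumed internal order type that is
    // open to everyone (a literal condition, evaluated without PFCG).
       or SalesOrderType = 'ZINT';
}
```

Once both sources are active, a plain `SELECT ... FROM ZI_SalesOrder` in Open SQL, or a SADL-based OData service on the view, returns only the rows that satisfy the WHERE condition of the role for the current user; no AUTHORITY-CHECK statement is needed in the consuming code. Two points worth checking in review: `@AccessControl.authorizationCheck: #NOT_REQUIRED` (or a missing role on a `#CHECK` view) leaves the data unrestricted, and a literal branch joined with `or`, as in the last line, widens access for every user, so it should be deliberate rather than a convenience.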

Figure 1: Defining a DCL source in the DCL editor
Notes

We recommend that you continue to use the classical authorization concept for start authorizations (used to check whether a user can start an application in the first place). The CDS authorization concept can be used within an application to perform instance-based authorization checks (used to check the authorization of a user as defined by the data model and the data in question).