Show TOC

Creating DCL SourcesLocate this document in the navigation structure

A DCL source allows you to limit the results returned by a CDS entity to those you authorize a user to see.

Prerequisites

  • You have the standard developer authorization profile to create ABAP development objects.

  • You have created the CDS entities for which you want to restrict access.

Context

A DCL source is an ABAP development object, which supports standard ABAP Workbench functions such as transport, syntax check, and activation.

Procedure

  1. In your ABAP project, select the relevant package node in the Project Explorer.
  2. Open the context menu and choose Start of the navigation path New Next navigation step Other ABAP Repository Object Next navigation step Core Data Services Next navigation step DCL Source End of the navigation path.
  3. In addition to the Project and Package, enter the Name and the Description for the DCL source to be created.
    Figure 1: Wizard Page When Creating a DCL Source
  4. Choose Next.
  5. Assign a transport request.
  6. Choose Next.
  7. Determine if you want to use a template for the DCL source.
    Option Description
    Use a template.

    SAP offers example templates for DCL sources. The template provides you with example coding for you to modify.
    Do not use a template. The tool creates an empty DCL source for you to fill.
  8. Choose Finish.

Results

In the selected package, SAP NetWeaver AS for ABAP creates an inactive version of a DCL source and stores it in the ABAP Repository. In the Project Explorer, the new DCL source is added to the Access Control Management Objects folder of the corresponding package node. As a result of this creation procedure, the DCL source editor is opened. Here, you can start defining the role for the CDS entity.

Example

The following role grants access to entries of the SFlight_Entity CDS entity, which meet the following conditions:

  • The ConnID of the entry has the same value as is assigned to the user through the PFCG authorization object S_CONNID in the CONNID field.
  • The CarrID of the entry has the value LH.

The @MappingRole annotation must have the value true, so this role is assigned to all users in the system. The value false is not supported.

@EndUserText.label: 'Show only flights for which the carrier ID is LH'
@MappingRole: true
define role Sflight1 {
    grant select on SFlight_Entity
        where ( ConnID ) = aspect pfcg_auth( S_CONNID, CONNID) AND CarrID ='LH';  
    }
Related Information