Core Data Services (CDS) ABAP

CDS Authorization Check

Terminology for Authorization Checks

CDS Role

A CDS role contains the access rules (the authorizations). Currently every CDS role is still assigned to every ABAP user. See the SAP documentation.

Access Rules

Access rules define the WHERE conditions of a role. They can also inherit from other CDS objects or from their access rules.

Access Conditions

Access conditions can be formulated using:

  • Constant values
  • The current user name
  • Values from authorization objects (transaction SU21)
  • Inheritance from other views or roles

Concept

Because every user has every role, the term "role" can be quite misleading.

  • The system always checks only the authorizations defined for the view that is being accessed.
    That means: the views this view selects from do not check their own authorizations.

Except for CDS Queries

  • The roles of the primary source of the query are checked, not the roles of the query itself.
    That is, the roles of the cube or dimension view.
  • If dimension views are associated with a cube view, their roles are not checked when the cube is accessed.
    Only the primary source is checked.

Example Scenario

We have a view that displays the Object Catalog (aka TADIR):

define view entity ZI_ObjectCatalog as select from tadir
{
    key pgmid as Pgmid,
    key object as Object,
    key obj_name as ObjName,
    srcsystem as Srcsystem,
    author as Author,
    devclass as Devclass,
    genflag as Genflag,
    check_date
}

Example: Authorization Roles for the Object Catalog

Display objects created by the current user

@EndUserText.label: 'Own objects'
@MappingRole: true
define role ZI_OBJECTCATALOG_AUTH {
    grant select on
                ZI_OBJECTCATALOG
          where Author = aspect user;
}

Display objects allowed by authorization object S_DEVELOP

@EndUserText.label: 'Authorized Objects'
@MappingRole: true
define role ZI_OBJECTCATALOG_AUTH2 {
    grant select on
                ZI_OBJECTCATALOG
     where (ObjName, Devclass) = aspect pfcg_auth( S_DEVELOP,
                                                   objname,
                                                   devclass,
                                                   actvt = '03' );
}

Annotation @AccessControl.authorizationCheck

The view annotation @AccessControl.authorizationCheck controls whether a role must exist that refers to this CDS view. Possible values are:

  • #CHECK – A syntax warning is issued in the CDS view, and in any SELECT on it, if no role is defined. This is the default!
  • #NOT_ALLOWED – A syntax error is issued if a role exists.
  • #NOT_REQUIRED – Roles are allowed but not mandatory.
  • #PRIVILEGED_ONLY – Direct access is only possible in ABAP SQL with the addition WITH PRIVILEGED ACCESS. Such a view can alternatively be wrapped or used as an association partner.

Authorization Check from an ABAP Perspective

In an ABAP SELECT on a CDS view, the access control defined by the roles is applied by default.

The addition WITH PRIVILEGED ACCESS in a SELECT statement bypasses this access control.

SELECT 
  FROM zjb_as_tasks WITH PRIVILEGED ACCESS
  FIELDS
    ...
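Two of the points above in working code, as an added example that is not part of the original page: a wrapper view over ZI_ObjectCatalog loses the inner view's check unless it gets its own role (here by inheriting the conditions), and a privileged read has to do its own authorization check because the roles are no longer evaluated. ZC_ObjectCatalog, the role ZC_OBJECTCATALOG and the class zcl_objcat_reader are assumed names; the DCL syntax inheriting conditions from entity needs a release that supports it.

```abap
" DDL source (hypothetical wrapper view). Only the outermost view's roles are
" checked, so a wrapper without its own role would expose every TADIR row.
@AccessControl.authorizationCheck: #CHECK
define view entity ZC_ObjectCatalog as select from ZI_ObjectCatalog
{
  key Pgmid,
  key Object,
  key ObjName,
      Author,
      Devclass
}

" DCL source (hypothetical role): reuse the inner view's conditions; element names match.
@MappingRole: true
define role ZC_OBJECTCATALOG {
  grant select on ZC_ObjectCatalog
    inheriting conditions from entity ZI_ObjectCatalog;
}

" ABAP consumer (hypothetical class). read_checked runs under CDS access
" control; read_privileged bypasses it and therefore checks S_DEVELOP itself.
CLASS zcl_objcat_reader DEFINITION.
  PUBLIC SECTION.
    TYPES tt_rows TYPE STANDARD TABLE OF zc_objectcatalog WITH EMPTY KEY.
    METHODS read_checked RETURNING VALUE(rt_rows) TYPE tt_rows.
    METHODS read_privileged IMPORTING iv_devclass TYPE devclass
                            RETURNING VALUE(rt_rows) TYPE tt_rows.
ENDCLASS.

CLASS zcl_objcat_reader IMPLEMENTATION.
  METHOD read_checked.
    SELECT FROM zc_objectcatalog FIELDS * INTO TABLE @rt_rows.
  ENDMETHOD.

  METHOD read_privileged.
    " Fail closed: no explicit S_DEVELOP display authorization, no rows.
    AUTHORITY-CHECK OBJECT 'S_DEVELOP'
      ID 'DEVCLASS' FIELD iv_devclass
      ID 'OBJTYPE'  DUMMY
      ID 'OBJNAME'  DUMMY
      ID 'P_GROUP'  DUMMY
      ID 'ACTVT'    FIELD '03'.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    SELECT FROM zc_objectcatalog WITH PRIVILEGED ACCESS
      FIELDS * WHERE Devclass = @iv_devclass INTO TABLE @rt_rows.
  ENDMETHOD.
ENDCLASS.
```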