
Reputation: 145

SAP ABAP CDS View / DCL check authorization

I have a CDS view and would like to apply authorization checks.

CDS View ZCDS_VIEW

@AbapCatalog.sqlViewName: 'ZCDS_VIEW'
@VDM.viewType: #BASIC
@AccessControl.authorizationCheck: #CHECK
define view ZCDS_VIEW
  as select distinct from vbak
    inner join            vbap              on vbap.vbeln = vbak.vbeln // At least 1 item
    [...]
{
  key vbak.vbeln,
      vbak.ktext,       
      [...]
}
where
    [...].

My concern is that the way to control authorizations requires checks in different tables and not just an authorization check on a field in the CDS view. Indeed, I must:

  1. Check the authorizations on the profit center of a specific table ZT1
  2. Make a join of the entries of the ZT1 table with a ZT2 table which gives me the authorized divisions
  3. Filter the results of my CDS view with the authorized divisions.

To do that I did like this:

Create CDS ZCDS_AUTH_PLANT

@AbapCatalog.sqlViewName: 'ZCDS_AUTH_PLANT'
@VDM.viewType: #BASIC
@AccessControl.authorizationCheck: #CHECK
define view ZCDS_AUTH_PLANT
  as select distinct from zt1
    inner join            zt2 on zt2.bu = zt1.bu
{
  zt1.prctr as profit_center,
  zt2.bukrs as company_code,
  zt2.werks as plant_code
}

Create DCL ZDCL_AUTH_PLANT

@MappingRole: true
define role ZDCL_AUTH_PLANT {
  grant
    select
      on
        ZCDS_AUTH_PLANT
          where
            ( profit_center ) = aspect pfcg_auth( XXX, PRCTR );
}

Update CDS ZCDS_VIEW

Addition of a join condition on ZCDS_AUTH_PLANT to keep only the authorized divisions.

@AbapCatalog.sqlViewName: 'ZCDS_VIEW'
@VDM.viewType: #BASIC
@AccessControl.authorizationCheck: #CHECK
define view ZCDS_VIEW
  as select distinct from vbak
    inner join            vbap            on vbap.vbeln = vbak.vbeln                 // At least 1 item
    inner join            ZCDS_AUTH_PLANT on ZCDS_AUTH_PLANT.plant_code = vbap.werks // At least 1 item matching an authorized division
    [...]
{
  key vbak.vbeln,
      vbak.ktext,
      [...]
}
where
    [...]

I wanted to know:

Upvotes: 0

Views: 3993

Answers (1)

brunaks

Reputation: 26

Is this a good practice?

The DCL is the standard way to implement authorization checks for ABAP CDS views, so yes, using it is a good practice.

This is included in the official documentation here: Access Control for CDS Entities, and here: Creating DCL Sources.

Do you see a more relevant alternative?

Is using a DCL file not working for your requirements? If it is working, you are already using the correct way to implement auth checks, so no alternative solution is needed.

Should we do everything in the DCL?

If everything means the complete authorization checks, then yes. You can of course also have more complex logic in the DCL than only checking for the PFCG object (for instance for GDPR limitations), but it doesn't seem to apply to your scenario.

Upvotes: 0
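One caveat the answer does not spell out: a CDS role is only evaluated when its view is read directly (for example by an ABAP SQL SELECT). When ZCDS_AUTH_PLANT is used as a data source inside ZCDS_VIEW, ZDCL_AUTH_PLANT is not applied through the join, so the join by itself filters nothing, and ZCDS_VIEW with @AccessControl.authorizationCheck: #CHECK but no role of its own performs no check at all (the syntax check reports this as a warning). The following is an added example, not code from the question or the answer, of how the outer view can carry the check itself: ZCDS_VIEW exposes the profit center of the joined authorization view, and a second DCL source ZDCL_VIEW (a name chosen here) restricts ZCDS_VIEW on that element. The authorization object XXX is the question's own placeholder and must be replaced by a real object before the DCL activates; the ACTVT = '03' filter is an assumption that the object carries an activity field and restricts the role to display access.

```abap
// DDL source ZCDS_VIEW (added example, not the original page's code).
// The view is now built on another CDS view, hence #COMPOSITE instead of #BASIC.
// profit_center is exposed so that the role below can filter on it; a sales
// order appears once per profit center of its items, duplicates removed by distinct.
@AbapCatalog.sqlViewName: 'ZCDS_VIEW'
@VDM.viewType: #COMPOSITE
@AccessControl.authorizationCheck: #CHECK
define view ZCDS_VIEW
  as select distinct from vbak
    inner join vbap            on vbap.vbeln = vbak.vbeln                 // at least 1 item
    inner join ZCDS_AUTH_PLANT on ZCDS_AUTH_PLANT.plant_code = vbap.werks // item plant known to ZT1/ZT2
{
  key vbak.vbeln,
      vbak.ktext,
      ZCDS_AUTH_PLANT.profit_center    // element checked by ZDCL_VIEW
}

// DCL source ZDCL_VIEW (added example). The role must be defined on the
// view that is actually read: the role ZDCL_AUTH_PLANT on the inner view
// is not inherited by ZCDS_VIEW. XXX is the page's placeholder for the
// authorization object; ACTVT = '03' (display) is an added assumption.
@MappingRole: true
define role ZDCL_VIEW {
  grant
    select
      on
        ZCDS_VIEW
          where
            ( profit_center ) = aspect pfcg_auth( XXX, PRCTR, ACTVT = '03' );
}
```

With both sources active, a SELECT on ZCDS_VIEW returns only the sales orders whose item plants map to a profit center the user holds in XXX/PRCTR, which is the behaviour the question's join was meant to achieve. ZDCL_AUTH_PLANT can stay in place for direct reads of ZCDS_AUTH_PLANT; on releases that support it, the DCL clause inheriting conditions from entity offers an alternative to duplicating its condition in ZDCL_VIEW.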
