CDS Access Controls 7.5x Quick Reference
Introduction
This Quick Reference is a collection of new CDS Access Control (DCL) functionality made available in ABAP 7.5x releases. This functionality is summarised in a way that will make sense to those familiar with Access Controls. Links to the SAP Help are also provided throughout to allow the reader to dive in deeper if desired. The release in which each piece of functionality was introduced is also given, to help determine whether it is available in your system.
S/4HANA | 1511 | 1610 | 1709 | 1809 | 1909 | 2020 | 2021 | 2022 | 2023 |
ABAP | 7.50 | 7.51 | 7.52 | 7.53 | 7.54 | 7.55 | 7.56 | 7.57 | 7.58 |
Contents
1. Roles
2. Access Rules
3. Access Conditions
@MappingRole: true
[@role_annot1]
[@role_annot2]
...
[DEFINE] ROLE role_name [SWITCHABLE] { access_rules }
CDS Role (7.50)
Access Controls are expanded to include implicit evaluations of CDS roles. If a CDS entity is associated with a CDS role, an additional access condition is checked by default when the CDS entity is accessed using ABAP SQL. Only that data is read for which the current user has an authorization or that matches a literal condition.
CDS Table Functions (7.52)
CDS roles can now also be defined for CDS table functions.
DCL Restrictions for ABAP CDS Hierarchies (7.54)
ABAP CDS hierarchies can now be protected using access controls.
With the addition SWITCHABLE, the content of the role reacts to status changes in the Switch Framework.
A. ... conditional_rule| grant_rule
[conditional_rule| grant_rule]
...
B. ... inherited_rule [Obsolete]
[conditional_rule| grant_rule]
[conditional_rule| grant_rule]
...
GRANT SELECT ON cds_entity
[WITH OPTIONAL ELEMENTS ( element1 DEFAULT { TRUE | FALSE }, ... ) ] [7.56]
[COMBINATION MODE OR | COMBINATION MODE AND | REDEFINITION] [7.54]
WHERE cds_cond;
A conditional access rule GRANT SELECT ON with the addition WHERE restricts access to a CDS entity cds_entity using access conditions cds_cond. See section Access Conditions.
By declaring elements of an access control as optional, you specify that these elements may be missing in inheritance targets of the access conditions that use those elements.
COMBINATION MODE OR|AND (7.54)
Used to define how the access conditions of multiple access rules for the same CDS entity cds_entity are combined.
COMBINATION MODE OR combines the access conditions using the logical operator OR. Access rules created this way make the restrictions weaker.
COMBINATION MODE AND combines the current access rule with the other access rules using the logical operator AND. This makes the restrictions stronger.
REDEFINITION (7.54)
Used to indicate that the specified CDS access rule is the only existing access rule and any other access rules are ignored.
A full access rule GRANT SELECT ON without the addition WHERE provides access to a CDS entity cds_entity without conditions.
GRANT SELECT ON cds_entity_projection
AS PROJECTION ON cds_entity_base
FALLBACK ASSOCIATION fallback_association;
A new type of access rule is available for CDS projection views of type CDS transactional query.
At runtime, the access conditions of the base view are applied to the projection view if certain conditions are met. If it is not possible to apply the access conditions of the base view directly to the projection view, all access conditions are rewritten at runtime to point to the association fallback_association.
A. ... literal_condition
B. | pfcg_condition
C. | aspect_condition
D. | user_condition
E. | inherit_condition
F. | dcl_function
G. | TRUE [7.53]
G. | FALSE [7.53]
H. | VOID [7.54]
I. | if_then_else ...
The result of an access condition is true or false.
... [ALL|EXISTS] {
{ element [BYPASS WHEN bypass_condition] operator [']value['] }...
| { element [BYPASS WHEN bypass_condition] [NOT] BETWEEN [']value1['] AND [']value2['] }
| { element [BYPASS WHEN bypass_condition] [NOT] LIKE 'value' [ESCAPE 'esc'] }
| { element [BYPASS WHEN bypass_condition] IS [NOT] NULL }
| { element [BYPASS WHEN bypass_condition] IS [NOT] INITIAL } } ...
Compares an element of a CDS entity with fixed values.
ALL (7.55)
With the new addition ALL, an access condition can express that access is granted only when all values from a set-valued association satisfy the condition.
WHERE ALL toItem.State = 'A'
The addition BYPASS WHEN bypass_condition can be used to specify that the element is not used for authorization filtering if it meets the specified condition.
ALL toSetVal.F BYPASS WHEN IS NULL = 'A'
The operator ?= works like the = operator; however, the condition is also met if the value of the left side is the null value or a type-dependent initial value.
The operators BETWEEN and IS NULL are now available for literal conditions as part of an access condition.
{ element [NOT] LIKE 'value' [ESCAPE 'esc'] }
In a literal condition [NOT] LIKE, the percent sign (%) can be used as a placeholder for any string and the underscore character (_) for any single character. The addition ESCAPE can be used to define a single-character escape character 'esc', in quotation marks, for the placeholders. The character # is recommended as the escape character esc for the operator LIKE.
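The effect of ESCAPE on what a LIKE condition admits, as an added Python model (not SAP code and not part of the original reference). The function names and sample element values are constructed for illustration; rejecting a pattern that ends in the escape character is an assumption of this model.

```python
import re

def like_to_regex(pattern, escape=None):
    """Translate a LIKE pattern into a regex (applied with fullmatch)."""
    if escape is not None and len(escape) != 1:
        raise ValueError("ESCAPE must be a single character")
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if escape is not None and ch == escape:
            # The escape character turns the next character into a literal.
            if i + 1 == len(pattern):
                raise ValueError("pattern ends with the escape character")
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "%":
            parts.append(".*")   # placeholder for any string, also empty
        elif ch == "_":
            parts.append(".")    # placeholder for exactly one character
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.DOTALL)

def like(value, pattern, escape=None, negate=False):
    """Evaluate value [NOT] LIKE pattern [ESCAPE escape], case-sensitively."""
    matched = like_to_regex(pattern, escape).fullmatch(value) is not None
    return matched != negate

def readable(values, pattern, escape=None):
    """Return the element values that pass the literal condition."""
    return [v for v in values if like(v, pattern, escape)]

# Constructed element values, not taken from any real system.
NAMES = ["Z_SALES_DISPLAY", "Z_HR_ADMIN", "ZBASIS_ADMIN", "ZZ_TEST", "SAP_DISPLAY"]

if __name__ == "__main__":
    print(readable(NAMES, "Z_%"))          # underscore acts as a placeholder
    print(readable(NAMES, "Z#_%", "#"))    # underscore is a literal
```

With 'Z_%' the underscore is a placeholder, so values outside the intended Z_ prefix pass the filter; escaping it with # restricts the condition to the literal prefix.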
IS [NOT] INITIAL (7.55)
In a literal condition, IS [NOT] INITIAL can now be used to check whether the value of the left side matches (does not match) the initial value of the ABAP data type that matches the element.
...[ALL|EXISTS]
([element1 [BYPASS WHEN bypass_condition]
|{ element1[, element2 ...] }
[, element2 [BYPASS WHEN bypass_condition]
|{ element1[, element2 ...] } ...]] )
=|?= ASPECT pfcg_auth
( auth_object [IN SCENARIO scenario_name], [7.54]
[mapped_field1|{ PFCG_MAPPING = pfcg_mapping}[,
mapped_field2|{ PFCG_MAPPING = pfcg_mapping} ...]][,
auth_field1 = 'value'[,
auth_field2 = 'value' ...]] ) ...
ALL (7.55)
With the new addition ALL, an access condition can express that access is granted only when all values from a set-valued association satisfy the condition.
WHERE ALL toItem.State = 'A'
The addition BYPASS WHEN bypass_condition can be used to specify that the element is not used for authorization filtering if it meets the specified condition.
ALL toSetVal.F BYPASS WHEN IS NULL = 'A'
IN SCENARIO scenario_name is used to apply the switchable authorization (transaction SACF) to an authorization object.
... ( ... { element1[, element2 ...] } ... )
=|?= ASPECT pfcg_auth
( ... PFCG_MAPPING = pfcg_mapping ... ) ...
Assigns an element list specified in curly brackets { element1[, element2 ...] } to a PFCG mapping pfcg_mapping in the definition of a PFCG condition.
[DEFINE] PFCG_MAPPING pfcg_mapping(output1[, output2 ..spec])
BETWEEN mapping_entity AND auth_object [IN SCENARIO scenario_name]
{ input1 = auth_field1 [CONSTRAINT ID][,
input2 = auth_field2 [CONSTRAINT ID] ... ] }
Defines a PFCG mapping pfcg_mapping as part of a CDS access policy defined using DEFINE ACCESSPOLICY. The name of the PFCG mapping must match the name of the CDS access policy.
This mapping assigns the CDS elements to the authorization fields of an authorization object.
CONSTRAINT ID (7.54)
Any number of optional assignments can be flagged using the addition CONSTRAINT ID.
... (element1 [, element2, ...] ) = ASPECT aspect
[FILTER BY ( aspect filter )] ...
An aspect condition can now be used to specify the generic aspect defined in an aspect definition on the right side introduced by ASPECT.
Denominates an arbitrary set of elements (path expressions are supported) of an aspect as filter elements. These filter elements can be referenced when using the user-defined aspect in an access condition.
[aspect_annot]
[DEFINE] ASPECT aspect AS SELECT FROM aspect_entity
WITH USER ELEMENT user_element
[WITH FILTER ELEMENTS ( filter_element1 [AS filter_alias1], [7.56]
filter_element2... ) ]
{
output1 [BYPASS WHEN aspect_bypass_condition]
[, ... ]
}
Defines a user-defined aspect aspect as part of a CDS access policy defined using DEFINE ACCESSPOLICY. The name of the user-defined aspect must be the same as the name of the CDS access policy.
[@access_policy_annot]
[DEFINE] ACCESSPOLICY access_policy {
pfcg_mapping_definition | aspect_definition
}
Defines a CDS access policy access_policy in the CDS DCL to be used as a medium for further definitions.
In a user condition, the predefined aspect user is specified on the right side introduced with ASPECT.
DEFINE ROLE ...[ALL|EXISTS] element =|<>|?= ASPECT user ...
@MappingRole: true
define role demo_cds_role_user {
grant select on demo_cds_auth_user
where
uname ?= aspect user; }
The following can now be checked instead of the user name:
... { { INHERIT parent_role FOR GRANT SELECT ON cds_entity } [7.53]
| { INHERITING CONDITIONS FROM
{ ENTITY cds_entity [DEFAULT TRUE|FALSE] }
| SUPER } } [7.54]
[ replacing ] ... [7.54]
INHERIT parent_role (7.53)
{ INHERIT parent_role FOR GRANT SELECT ON cds_entity }
Makes the old access rule (GRANT SELECT ON cds_entity INHERIT parent_role) obsolete.
@MappingRole: true
define role DEMO_CDS_ROLE_INHERITED_VE {
grant select on DEMO_CDS_AUTH_INHERITED_VE
where
inherit demo_cds_role_lit_pfcg_ve
for grant select on demo_cds_authority_lit_pfcg_ve
or currcode = 'USD'; }
The variant SUPER is possible only if the access rule has the addition REDEFINITION and only if the inherited CDS entity has access controls. Instead of this condition, those conditions are used that would have been applied by the access controls disabled by REDEFINITION.
REPLACING (7.56)
... REPLACING { replacement_step [, replacement_step, ...] }
Modifies inherited access conditions from the source entity cds_entity before they are applied to the protected entity of their own access rule. It contains a sequence of replacement steps replacement_step, which are executed in the order specified.
WHERE INHERITING CONDITIONS FROM ENTITY Source REPLACING {
ELEMENT Element1OfSource WITH Element1OfTarget,
ELEMENT Assoc1OfSource WITH Assoc1[r = 4].Assoc2OfTarget,
ELEMENT Assoc2(p : $parameters.p1)[ q = 1].Field WITH MyShortField }
Replacing (Role Based) (7.56)
Available for role-based inheritance.
... { SACF_CHECK_IN_USE( NAME => scenario_name [, OBJECT => auth_object ] ) [7.56]
IS [NOT] INITIAL }
| { OPTIONAL_ELEMENT_EXISTS( NAME => element ) [7.56]
IS [NOT] INITIAL }
| { SWITCH_RUNTIME_STATE( NAME => switch_name ) [7.58]
IS [NOT] INITIAL }
| { TOGGLE_RUNTIME_STATE( NAME => toggle_name ) [7.58]
IS [NOT] INITIAL }
| { CONTEXT_NODE_EXISTS(...)
IS [NOT] INITIAL } ...
Enabling/Disabling of Access Conditions Based on the State of SACF. This setting can be used to enable or disable entire condition sets.
GRANT SELECT ON cds_entity
WHERE
SACF_CHECK_IN_USE (NAME => NEW_AUTH_SWITCH ) IS INITIAL
AND
( element ) = ASPECT PFCG_AUTH( OLD_AUTH, F )
OR
SACF_CHECK_IN_USE( NAME => NEW_AUTH_SWITCH ) IS NOT INITIAL
AND
( element ) = ASPECT PFCG_AUTH( NEW_AUTH, F );
With the DCL function OPTIONAL_ELEMENT_EXISTS, the existence of the given CDS element in the protected entity can be queried at runtime. Based on the outcome of the check, larger condition blocks in the access control can then be enabled or disabled.
GRANT SELECT ON cds_entity
WITH OPTIONAL ELEMENTS (itemState DEFAULT FALSE )
WHERE
OPTIONAL_ELEMENT_EXISTS( NAME => itemState ) IS INITIAL
AND
toItem.state = 'A'
OR
OPTIONAL_ELEMENT_EXISTS( NAME => itemState ) IS NOT INITIAL
AND
itemState = 'A';
{ SWITCH_RUNTIME_STATE( NAME => switch_name )
IS [NOT] INITIAL }
Retrieves the runtime state of a switch in the Switch Framework (SFW). If the state is “on”, IS NOT INITIAL returns TRUE.
Can only be used for switches not of type Feature Toggle.
{ TOGGLE_RUNTIME_STATE( NAME => toggle_name )
IS [NOT] INITIAL }
Behaves like SWITCH_RUNTIME_STATE at runtime. Can only be used for switches of type Feature Toggle.
CONTEXT_NODE_EXISTS
Reserved for use by SAP.
New Boolean predicates TRUE and FALSE can now be used as part of an access condition.
VOID defines that the access condition in question is ignored.
An if_then_else condition can now be used as part of an access condition.
GRANT SELECT ON cds_entity
WHERE
IF
(
( $PARAMETERS.P1 = 'NEW' OR $PARAMETERS.P1 = 'MODERN' )
AND
( ) = ASPECT PFCG_AUTH( S_DEMO )
)
THEN
{
A_NEW = 1 AND ( B_NEW ) = ASPECT PFCG_AUTH( S_DEMO, F1 )
}
ELSE
{
A_OLD = 1 AND ( B_OLD ) = ASPECT PFCG_AUTH( S_OLD, F1 )
};