Authorization Check in ABAP CDS View


Dear SAPLearners, in this blog post we will learn about Access control or Authorization checks in CDS view. Before going into the technical details. Lets look at the concepts involved and their meaning.

We all know how authorization works in ABAP, most of the authorization checks are implemented in ABAP using ABAP statement AUTHORITY-CHECK which depends upon the PFCG role assigned to the user.

So, to provide authorization checks in ABAP CDS view a new repository object called Data Control Language (“DCL”) introduced.

Data Control Language (“DCL”)

Data Control Language(DCL) is a language used to define the authorization for the ABAP CDS view which controls access to the data retrieved based on user.

DCL definition is created in DCL editor in eclipse ABAP Development Tool(ADT) using the keyword DEFINE ROLE …

Also Read: How to create DCL source for CDS view

How it works?

DCL source definition defines a CDS role using key work DEFINE ROLE. It contains the syntax to grant data selection from one or more CDS using key word GRANT SELECT ON and have access condition for the CDS view using keyword WHERE.

Autorization Checks in CDS View 1
Image Courtesy from SAP

Lets see a sample DCL syntax

@EndUserText.label: 'Demo: Authorization Check' 
@MappingRole: true 
define role Zflight_Role_A 
            on Zflight_ACCESS_CONTROL_A 
            where carrid<> 'AZ';            

In the above DCL syntax

  • ZFLIGHT_ROLE_A is the role name

Lets look at the ZFLIGHT_ACCESS_CONTROL_A CDS view definition below, it retrieves all data records from SPFLI table.

@AbapCatalog.sqlViewName: 'ZAC_A'
@AbapCatalog.compiler.compareFilter: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Access Control B'
define view Zflight_ACCESS_CONTROL_A
as select from spfli

Now that we applied authorization check using DCL: the data preview of CDS view retrieves all data records except CARRID <> ‘AZ’. The database interface will automatically filter the selection results according to the access condition.

Data Preview before:

Authorization Check in ABAP CDS view 2

Data Preview after:

Authorization Check in ABAP CDS view 3

Now, we know that a DCL repository object is used to control data access in CDS view.

Authorization-related Annotations

Lets look what are authorizations related annotations which have to be declared in both CDS DDL source definition and DCL source definition.

Annotations in DCL

  • @EndUserText.label:
    • The translatable short text for role
  • @MappingRole:
    • Value true: Role is implicitly to all users

Annotations in DDL

  • @AccessControl.authorizationCheck:
    • #CHECK: Perform authorization check, Syntax warming if no role is assigned
    • #NOT_REQUIRED: Similar to #CHECK but suppress syntax warning
    • #NOT_ALLOWED: No authorization check. Syntax warning if role is assigned.

Congrats!! you have successfully learned how to perform authorization check in ABAP CDS view using Data Control Language (“DCL”).

Please feel free to comment and let us know your feedback. Subscribe for more updates

If you liked it, please share it! Thanks!