20. December 2022 Data Control Language

ABAP CDS View Entities are the backbone of the new ABAP RESTful Application Programming Model (ABAP RAP).
But ABAP CDS is not only used to define the data model – it also has a built-in Access Control to restrict the returned data.
These CDS Roles are defined with the Data Control Language (DCL) and can be thought of as an additional where clause.

 

CDS View Entity Material Plant

@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Material Plant'

define view entity ZI_Plant
as select from marc
inner join t001w on t001w.werks = marc.werks
{

key marc.matnr as Material,
key marc.werks as Plant,
t001w.name1 as PlantName

}

Data without Access Control

MATERIAL           PLANT PLANTNAME
000000000010002000 1000  Cadaxo Office
000000000010002001 1000  Cadaxo Office
000000000010002003 2000  Cadaxo HQ
000000000010002004 2000  Cadaxo HQ

 

CDS Role

Now let’s restrict the access to plant 1000 only. We define a CDS role with reference to our entity and restrict values for Plant.

@EndUserText.label: 'Office only'
@MappingRole: true

define role ZAC_PLANT {
grant
  select on ZI_PLANT where Plant = '1000';

}

Restricted ZI_Plant Data

MATERIAL           PLANT PLANTNAME
000000000010002000 1000  Cadaxo Office
000000000010002001 1000  Cadaxo Office

 

With ABAP release 7.52 there is the addition WITH PRIVILEGED ACCESS to switch off access control for ABAP SQL SELECT statements.
help.sap.com/doc/abapdocu_752_index_htm/7.52/en-US/abennews-752-open_sql.htm

SELECT FROM ZI_Plant WITH PRIVILEGED ACCESS
       FIELDS Material,
              Plant,
              PlantName
       INTO TABLE @DATA(materialplants).

and again all the data \o/

MATERIAL           PLANT PLANTNAME
000000000010002000 1000  Cadaxo Office
000000000010002001 1000  Cadaxo Office
000000000010002002 2000  Cadaxo HQ
000000000010002004 2000  Cadaxo HQ

 

Pitfalls

ABAP SQL ONLY

The access control is only evaluated for ABAP SQL (Open SQL) SELECTs that read the entity directly.
If the entity is used inside another CDS entity as a JOIN or ASSOCIATION, its CDS role is not applied and all data is returned!

@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Material'

define view entity ZI_MATERIAL
as select from mara
inner join ZI_Plant on ZI_Plant.Material = mara.matnr
association [0..*] to ZI_Plant as _Plant on _Plant.Material = $projection.Material

{

key mara.matnr as Material,
mara.mtart as MaterialType,
ZI_Plant.Plant,
_Plant[ Plant = $projection.Plant ].PlantName,
_Plant

}

 

MATERIAL           MATERIALTYPE PLANT PLANTNAME
000000000010002000 ZCON         1000  Cadaxo Office
000000000010002001 ZCON         1000  Cadaxo Office
000000000010002003 ZCON         2000  Cadaxo HQ
000000000010002004 ZCON         2000  Cadaxo HQ
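
One way to close this gap is to give ZI_MATERIAL its own CDS role that takes over the conditions defined for ZI_Plant. The role below is an added example, not part of the original post; the role name ZAC_MATERIAL and its label are assumptions, and it assumes a release in which DCL supports inheriting conditions from another entity.

```cds
@EndUserText.label: 'Material, restricted like ZI_Plant'
@MappingRole: true

// Assumed role name. Without a role of its own, ZI_MATERIAL returns
// every row, because the role ZAC_PLANT is not evaluated when ZI_Plant
// is only a join source inside another CDS entity.
define role ZAC_MATERIAL {
  grant
    select on ZI_MATERIAL
      // Reuse the conditions of all roles defined for ZI_Plant instead
      // of repeating "Plant = '1000'" here. The inherited condition
      // refers to the element Plant, which ZI_MATERIAL exposes under
      // the same name.
      where inheriting conditions from entity ZI_Plant;

}
```

With this role active, a plain ABAP SQL SELECT on ZI_MATERIAL is filtered by the same Plant condition as ZI_Plant, and later changes to ZAC_PLANT are picked up without touching ZAC_MATERIAL.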

 

WITH PRIVILEGED ACCESS

WITH PRIVILEGED ACCESS is only applied to the main entity; it is not propagated to entities exposed via associations!

SELECT FROM zi_material WITH PRIVILEGED ACCESS
       FIELDS zi_material~Material,
              zi_material~MaterialType,
              \_Plant-Plant,
              \_Plant-PlantName
       INTO TABLE @DATA(materials).

 

MATERIAL           MATERIALTYPE PLANT PLANTNAME
000000000010002000 ZCON         1000  Cadaxo Office
000000000010002001 ZCON         1000  Cadaxo Office
000000000010002003 ZCON
000000000010002004 ZCON         

To get all data, you need to read ZI_Plant itself in an ABAP SQL SELECT with WITH PRIVILEGED ACCESS, either as a JOIN or as a separate SELECT.

SELECT FROM zi_material
       INNER JOIN zi_plant WITH PRIVILEGED ACCESS ON zi_plant~Material = zi_material~Material
       FIELDS zi_material~Material,
              zi_material~MaterialType,
              zi_plant~Plant,
              zi_plant~PlantName
       INTO TABLE @DATA(materials).

 

Domi Bigl

cadaxo GmbH