天天看點

SAP CDS view權限控制實作原理介紹

Part1 – how to test odata service generated by CDS view

Part2 – what objects are automatically generated after you activate one CDS view

Part3 – how is view source in Eclipse converted to ABAP view in the backend

Part4 – how does annotation @OData.publish work

Part5 – how to create CDS view which supports navigation in OData service

Part6 – consume table function in CDS view

Part7 – unveil the secret of @ObjectModel.readOnly

Part8 – my summary of different approaches for annotation declaration and generation

Part9 – cube view and query view

Part10 – How does CDS view key user extensibility work in S4/HANA

Part11 – CDS view test double framework

Part12 – CDS view source code count tool

Part13 – this blog

Part14 – CDS view performance analysis using PlanViz in HANA studio

There are already lots of blogs in community talking about CDS authorization concept, here I just blog what is so far not mentioned in those blogs.

For demonstration purpose I create a very simple database table ZORDER with two entries:

SAP CDS view權限控制實作原理介紹

And a CDS view on top of it:

SAP CDS view權限控制實作原理介紹

In SAP help, it is documented that “If a CDS entity is specified in several access rules of a CDS role, the resulting access conditions are joined using a logical OR”.

And I create a simple authorization object ZJER_TYPE2 in tcode SU21 which contains field PR_TYPE for order type and ACTVT field with following settings:

SAP CDS view權限控制實作原理介紹

And then create an Access Control object:

SAP CDS view權限控制實作原理介紹

Create a new PFCG role ZJER_AUTH_TEST3 with ACTVT = 01,02 and PR_TYPE = SRVO:

SAP CDS view權限控制實作原理介紹

I use this combination to ensure that the statement before the OR operator will pass ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = ’01’ ) ) while the statement after OR will fail ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = ’03’ ).

And then assign this PFCG role to my user:

SAP CDS view權限控制實作原理介紹

This means from semantic perspective that “it is expected that user WANGJER can only have access to order with process type SRVO“.

Now all preparation is ready. Execute this simple SQL:

SAP CDS view權限控制實作原理介紹

SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.

1

Only 1 record with type SRVO is returned, working as expected. But why? How does it work?

SAP CDS view權限控制實作原理介紹

Use tcode stauthtrace to perform a trace:

SAP CDS view權限控制實作原理介紹

The trace result shows that the evaluation for first statement before OR is done successfully, and the statement after Or fails. According to SAP help, the whole result is still true( true OR false = true ).

SAP CDS view權限控制實作原理介紹

What magic thing has happened when the OPEN SQL is executed? Why the record with order type OPPT is automatically filtered out?

Perform a SQL trace with tcode ST05, display execution plan via menu below:

SAP CDS view權限控制實作原理介紹

You can find there is a fragment of WHERE statement automatically added. The value for ORDER_TYPE comes from the value of authorization object field PR_TYPE which is mapped to CDS view field ORDER_TYPE in my DCL object.

SAP CDS view權限控制實作原理介紹

This behavior is consistent with what is documented in SAP help:

When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical “and”.

Two DCL objects defined on the same CDS view

Again the SAP help said “If a CDS entity is specified in multiple CDS roles, the resulting access conditions are joined using a logical OR”.

Let’s create a new PFCG role ZJER_AUTH_TEST4 which only grants displayauthorization on order type OPPT.

SAP CDS view權限控制實作原理介紹

Execute the SQL once again under trace mode:

Still one record with type SRVO is returned.

SAP CDS view權限控制實作原理介紹

The corresponding automatically appended where statement: since the PFCF role ZJER_AUTH_TEST4 is NOT assigned to my user WANGJER, so when the open SQL is performed on the view, NO corresponding where statement for order type OPPT defined in that PFCG role is appended.

SAP CDS view權限控制實作原理介紹