You developed a data model with database tables and CDS view entities. To protect the data against unauthorized access, you define an authorization field and an authorization object. Then you create CDS access controls for your CDS view entities.
Prerequisites
For this exercise, you need the CDS view entities which you have created in previous exercises (suggested names were: Z##_R_Department, Z##_R_Employee, Z##_C_DepartmentQuery, and Z##_C_EmployeeQuery, where ## is your group number). If you have not finished those exercises, create copies of the four data definitions from package /LRN/S4D430_EXERCISE, that are ending with _AUT.
Task 1: Define Authorization Object
Define an authorization object to control access to the employee and department data based on the related department (suggested name: Z##DPMENT, where ## is your group number). Define the authorization object with two authorization fields: a new authorization field (suggested name: Z##DPMNT) that is based on your data element for the department ID (suggested name was: Z##_DEPARTMENT_ID), and the standard authorization field ACTVT with the default permitted activities.
Note
If you have not created a data element for the department ID, use the /LRN/DEPARTMENT_ID data element, instead.Steps
Create an authorization field based on the data element for the department ID (suggested name: Z##DEPMENT).
In the Project Explorer, right-click your package to open the context menu and choose New → Other ABAP Repository Object.
In the filter field, enter au and choose Authorization Field from the suggestion list.
Enter Z##DPMNT as Name and Z##_DEPARTMENT_ID as Data Element. Then choose Next.
Confirm the transport request and choose Finish.
Set your database table for department data as check table (suggested name was: Z##DEPMENT) and save the authorization field.
Note
If your authorization field is based on the /LRN/DEPARTMENT_ID data element, you have to use the database table /LRN/DEPMENT_REL.Place the cursor in theCheck Table field, enter Z## and press Ctrl + Space to open a value help.
From the value help, choose Z##DEPMENT.
Press Ctrl + S to save the authorization field.
Create a new authorization object and assign the authorization field to it.
In the definition of the authorization field, scroll down to the What's next? section and choose Create a new Authorization Object and assign the Authorization Field to it.
Enter Z##DPMNT as Name and Authorization per department as Description, then choose Next.
Confirm the transport request and choose Finish.
Confirm that the new authorization object contains the standard authorization field ACTVT and the default permitted activities.
Inspect the Authorization Fields section which should contain your own authorization field and the default authorization field ACTVT.
Inspect the Permitted Activities section which should contain the four default activities.
Save the authorization object.
Press Ctrl + S to save the authorization object.
Task 2: Define Access Controls
Define access controls for your base view entities, that is, the base view entity for department data (suggested name was: Z##_R_Department) and the base view entity for employee data (suggested name was: Z##_R_Employee). Use a template that allows you to control the access based on the authorization object you just created.
Note
Following a general recommendation, name the access controls after the view entity they protect.Steps
Open your base view entity for department data in the Data Preview tool.
Open the definition of the view entity and press F8 to open the Data Preview tool.
For this view entity create a CDS access control that defines a CDS role with a PFCG condition.
In the Project Explorer, locate your CDS data definition Z##_R_DEPARTMENT.
Right-click the data definition to open the context menu and choose New Access Control.
Copy the name from the Protected Entity field to the Name field.
In the Description field, enter Department (Access Control), then choose Next.
Confirm the transport request and choose Next.
From the list of Templates, choose Define Role with PFCG Aspect, and choose Finish.
In the generated code, reference your authorization object.
Adjust the code as follows:
12345678910111213
define role Z##_R_DEPARTMENT
{
grant select on Z##_R_Department
where (entity_element_1, entity_element_2)
= aspect pfcg_auth(
Z##DPMNT,
authorization_field_1,
authorization_field_2,
filter_field_1 = 'filter_value_1'
);
}
Note
We introduced additional line-breaks to increase readability in printed training material.
Replace the first placeholder for authorization fields with the name of your authorization field. Then remove the second placeholder.
Adjust the code as follows:
123456789101112
define role Z##_R_DEPARTMENT
{
grant select on Z##_R_Department
where (entity_element_1, entity_element_2)
= aspect pfcg_auth(
Z##DPMNT,
Z##DPMNT,
filter_field_1 = 'filter_value_1'
);
}
Use the ACTVT authorization field as a filter field and supply it with the filter value for activity Display.
Adjust the code as follows:
123456789101112
define role Z##_R_DEPARTMENT
{
grant select on Z##_R_Department
where (entity_element_1, entity_element_2)
= aspect pfcg_auth(
Z##DPMNT,
Z##DPMNT,
ACTVT = '03'
);
}
Reference a suitable entity element to supply the first authorization field. Then remove the placeholder for a second view element.
Adjust the code as follows:
123456789101112
define role Z##_R_DEPARTMENT
{
grant select on Z##_R_Department
where ( Id )
= aspect pfcg_auth(
Z##DPMNT,
Z##DPMNT,
ACTVT = '03'
);
}
Activate the access control and refresh the display in the Data Preview tool.
Press Ctrl + F3 to activate the development object.
Return to the Data Preview for the protected entity and choose Refresh.
Alternatively, you can press F5 to refresh the displayed data.
To see at least some data, edit the CDS access control again and replace your own authorization object Z##DPMNT with the solution object /LRN/DPMNT and your own authorization field Z##DPMNT with the authorization field /LRN/DPMNT. For this authorization object your user already has some authorizations.
Return to the source code of your CDS access control.
Adjust the code as follows:
123456789101112
define role Z##_R_DEPARTMENT
{
grant select on Z##_R_Department
where ( Id )
= aspect pfcg_auth(
/LRN/DPMNT,
/LRN/DPMNT,
ACTVT = '03'
);
}
Activate the access control and refresh the display in the Data Preview tool.
In the same way, create a CDS access control for your base view entity for employee data.
In the project explorer, locate your CDS data definition Z##_R_EMPLOYEE.
Right-click the data definition to open the context menu and choose New Access Control.
Copy the name from the Protected Entity field to the Name field.
In the Description field, enter Employee (Access Control), then choose Next.
Confirm the transport request and choose Next.
From the list of Templates, choose Define Role with PFCG Aspect, and choose Finish.
Adjust the generated code as follows:
123456789101112
define role Z##_R_EMPLOYEE
{
grant select on Z##_R_Employee
where ( DepartmentId )
= aspect pfcg_auth(
/LRN/DPMNT,
/LRN/DPMNT,
ACTVT = '03'
);
}
Activate the access control.
Press Ctrl + F3 to activate the development object.
Task 3: Define Inheriting Access Controls
Define an access control for the view entity with which you query employee data based on two input parameters (suggested name was: Z##_C_EmployeeQueryP). In the same way, define an access control for your view entity with which you query and employee data per department (suggested name was: Z##_C_DepartmentQuery). In both cases, use a template that allows you to inherit the authorization rules from the underlying view entities.
Note
Following a general recommendation, name the access controls after the view entity they protect.Steps
Open the definition of your CDS view entity that queries employee data based on two input parameters.
Press Ctrl + Shift + A.
Enter the name of the CDS data definition that you want to open, that is Z##_C_EMPLOYEEQUERYP, and choose OK.
For the view entity with parameters, create a CDS access control that defines a CDS role with inherited conditions.
In the Project Explorer, locate your CDS data definition Z##_C_EMPLOYEEQUERYP.
Right-click the data definition to open the context menu and choose New Access Control.
Copy the name from the Protected Entity field to the Name field.
In the Description field, enter Employee Query (Access Control), then choose Next.
Confirm the transport request and choose Next.
From the list of Templates, choose Define Role with Inherited Conditions, and choose Finish.
In the generated code, reference the view entity the protected entity uses as data source, that is, Z##_R_Employee.
Adjust the code as follows:
1234567
define role Z##_C_EMPLOYEEQUERYP {
grant select on Z##_C_EmployeeQueryP
where inheriting conditions
from entity Z##_R_Employee;
}
Activate the access control.
Press Ctrl + F3 to activate the development object.
Open the definition of your CDS view entity that aggregates employee data per department.
Press Ctrl + Shift + A.
Enter the name of the CDS data definition that you want to open, that is Z##_C_DEPARTMENTQUERY, and choose OK.
Define an access control that inherits the access conditions from the primary data source.
In the Project Explorer, locate your CDS data definition Z##_C_DEPARTMENTQUERY.
Right-click the data definition to open the context menu and choose New Access Control.
Copy the name from the Protected Entity field to the Name field.
In the Description field, enter Department Query (Access Control), then choose Next.
Confirm the transport request and choose Next.
From the list of Templates, choose Define Role with Inherited Conditions, and choose Finish.
Adjust the generated code as follows:
1234567
define role Z##_C_DEPARTMENTQUERY {
grant select on Z##_C_DepartmentQuery
where inheriting conditions
from entity Z##_R_Department;
}
Activate the access control.
Press Ctrl + F3 to activate the development object.