Exercise: Defining CDS Restrictions and Roles


After completing this lesson, you will be able to Define CDS Restrictions and Roles.

Define Restrictions and Roles in CDS

Business Example

Before deploying to our productive SAP BTP environment, you want to ensure that only permitted users can access your app to view and edit data. Therefore, you will first add authorizations to your CAP service and then add two mock users to further test your app locally.

Exercise Options

You can perform this exercise in two ways:

  1. Live Environment – using the instructions provided below, you can perform the tasks in the SAP BTP Free Tier account
  2. Platform Simulation – follow the step-by-step instructions within the simulation


We strongly recommend that you first perform the exercise in the live environment.


Make sure that you have successfully completed the previous exercises. Alternatively, you can switch to the solution branch of the last exercise and continue here.


  1. Add CAP Role Restrictions to Entities.

    In this step, you will add authorizations to the Risks service. You will add two different roles RiskManager and RiskViewer with different access scopes.

    1. Open the following file: srv/risk-service.cds.

    2. Replace the file content with the following code snippet to add the restrictions.

      Code Snippet
      Copy code
      Switch to dark mode
      using {riskmanagement as rm} from '../db/schema'; @path: 'service/risk' service RiskService @(requires: 'authenticated-user') { entity Risks @(restrict: [ { grant: 'READ', to : 'RiskViewer' }, { grant: [ 'READ', 'WRITE', 'UPDATE', 'UPSERT', 'DELETE' ], // Allowing CDS events by explicitly mentioning them to : 'RiskManager' } ]) as projection on rm.Risks; annotate Risks with @odata.draft.enabled; entity Mitigations @(restrict: [ { grant: 'READ', to : 'RiskViewer' }, { grant: '*', // Allow everything using wildcard to : 'RiskManager' } ]) as projection on rm.Mitigations; annotate Mitigations with @odata.draft.enabled; // BusinessPartner @readonly entity BusinessPartners as projection on rm.BusinessPartners; }
    3. Save the file.

    With this change, users who are assigned the role RiskViewer can view ("READ") risks and mitigations. Users who are assigned the role RiskManager can view and change risks and mitigations ("*").

  2. Add mock users for Local Testing.


    Since the authorization checks have been added to the CAP model, they apply not only when deployed to the cloud but also for local testing. Therefore, you will need a way to log in to the application locally.

    CAP allows you to add local users for testing as part of the cds configuration. For this, you can use the .cdsrc.json file to add the mock users.


    The .cdsrc.json file can be used to store project configurations, like in the package.json file. Learn more here1.

    1. In the project, go to the file .cdsrc.json and open it for editing.

    2. In the editor, replace its content with the following lines:

      Code Snippet
      Copy code
      Switch to dark mode
      { "[development]": { "auth": { "passport": { "strategy": "mock", "users": { "risk.viewer@tester.sap.com": { "password": "initial", "ID": "riskviewer", "userAttributes": { "email": "risk.viewer@tester.sap.com" }, "roles": ["RiskViewer"] }, "risk.manager@tester.sap.com": { "password": "initial", "ID": "riskmanager", "userAttributes": { "email": "risk.manager@tester.sap.com" }, "roles": ["RiskManager"] } } } } } }
    3. Save the file.

      The file defines two users, riskviewer and riskmanager. Let's take a look at the riskmanager example.

      The user is defined by an ID, which can be any identifier for a user. The user has an email, a password parameter, and a roles parameter.

  3. Try to access the application with the mock user.


    When accessing the Risks or the Mitigations service in the browser, you get a basic authorization pop-up window, asking for your user and password. Note, that you can not log out easily. For this you would have to restart your browser. You can use both users that you defined in the previous step to log in and see how this works.

    1. In the tab with the running application, navigate back to the launchpad.html page.

    2. Choose the Risks tile and in the app and choose Go.

    3. In the pop-up, enter the Usernameriskmanager.

    4. Enter the Passwordinitial.

    5. You can now access the Risks application.

    Platform Simulation

    Choose the Start button (shown in the following figure) to open a simulation of the platform. Then follow the step-by-step instructions to add authorizations and mock users.


You enabled authentication by adding annotations to your service definition. You also added mock users for local testing.

Reference Links: Defining CDS Restrictions and Roles

For your convenience, this section contains the external references of this lesson.

If links are used multiple times in a text, only the first location is mentioned in the following reference table.

Ref#SectionContext text fragmentBrief descriptionLink
1Add Users for Local TestingLearn more hereCAP project configurationhttps://cap.cloud.sap/docs/node.js/cds-env#project-settings
2SummaryYou enable authentication using passport.jsPassport.jshttp://www.passportjs.org/

Log in to track your progress & complete quizzes