In S4, there is a Tcode to trace authorization check - stauthtrace

(1) 0 Authorization successful or no check was carried out. An authorization for the authorization object was found in the user master record. Its value sets include the specified values.

(2) 4 Authorization check not successful. One or more authorizations were found for the authorization object in the user master record and they include the value sets, but not the values specified, or incorrect authorization fields or too many fields were specified.

(3) 12 No authorization was found for the authorization object in the user master record.
AGR_USERS: This table stores for a given user, what PFCG roles are assigned to it.
Z_FULL_AUTHORIZATION created by Wade in X3C/504, but AO is not created by him.

Learning

(1) Fast Authorization check

(2) Existing Authorization check is made by executing the Function module CRM_ORDER_ CHECK_AUTHORITY_GEN for each GUID.

(3) a user can be assigned to several organization units in the organizational model).

(4) Fast access: New RF class which selects GUIDs with a fast single access (can be used only by the most common queries)

(5) Classic RF: the GUIDs selection is made with multiple accesses (can be used by all queries)

(6) Each line of the question object corresponding to a field checked by the author-ization process is converted into a range table.

(7) The application Question is modified with the authorized values in classes CL_CRM_ REPORT_ACCRULE_ONEORDER and CL_CRM_REPORT_ACCRULE_ONEORD_I method MAKE_INSTANCE_VALID.

The union of the GUID selected is processed in class CL_CRM_REPORT_QUESTION -> REFRESH:

(1) Creation of a new query where there is operator Union in the question.
(2) For each query，call method gr_accessrule->SELECT to select the GUID
(3) Append the GUID selected to the total list without duplication.

2017-06-13

CDS view only supports read access so the corresponding DCL concept only applies for Advanced search, since CDS view is only used in advanced search currently.
What authorization objects are currently used in advanced search?
An Authorization trace is performed on AG3/001 using tcode: stauthtrace
Start: enter business role SERVICEPRO, End: click Search button and see result in WebUI

None of them belong to Carsten's list?

2017-06-14 Authorization check in One order reporting framework

There are several ACE check:

CRM_ACE_RIG_RT

CRM_ACE_WP_RT

CRM_ACE_OTYPES

CRM_ACE_CUSTOM

CRM_ACE_ACTS

2017-06-15

How CDS DCL works
See one example:

We have three approaches to control authorization for search.
test table in X3C/504:

Solution1 - fetch from DB, then perform authorization check in ABAP ( bad !)

DATA: lt_result TYPE TABLE OF zorder.
SELECT * INTO TABLE @DATA(lt_table) FROM zorder.
LOOP AT lt_table ASSIGNING FIELD-SYMBOL(<order>).
  AUTHORITY-CHECK OBJECT 'ZJER_TYPE' ID 'PR_TYPE' FIELD <order>-order_type.
  IF sy-subrc = 0.
    APPEND <order> TO lt_result.
  ENDIF.
ENDLOOP.

result:

Solution 2 - this is exactly current report framework "fast authorization" concept

REPORT zsolution1.

DEFINE authority_check_fail.
  IF sy-subrc <> 0.
    WRITE:/ 'No authorization'.
    RETURN.
  ENDIF.
END-OF-DEFINITION.

PARAMETERS: user TYPE sy-uname OBLIGATORY DEFAULT sy-uname.
DATA: lt_result TYPE TABLE OF zorder.

DATA: lt_val TYPE  TABLE OF usvalues.
CALL FUNCTION 'SUSR_USER_AUTH_FOR_OBJ_GET'
  EXPORTING
    user_name           = user
    sel_object          = 'ZJER_TYPE'
  TABLES
    values              = lt_val
  EXCEPTIONS
    user_name_not_exist = 1
    not_authorized      = 2
    internal_error      = 3
    OTHERS              = 4.

READ TABLE lt_val ASSIGNING FIELD-SYMBOL(<val>) WITH KEY field = 'ACTVT'.
authority_check_fail.
IF <val>-von <> '03' AND <val>-von <> '*'.
  WRITE:/ 'No authorization'.
  RETURN.
ENDIF.

READ TABLE lt_val ASSIGNING FIELD-SYMBOL(<type>) WITH KEY field = 'PR_TYPE'.
authority_check_fail.
DATA(lv_where) = COND STRING( WHEN <type>-von = '*' THEN space ELSE
| ORDER_TYPE = '{ <type>-von }'| ).
WRITE:/ lv_where.
SELECT * INTO TABLE lt_result FROM zorder WHERE (lv_where).
BREAK-POINT.

Solution 3 - Using CDS DCL

@EndUserText.label: 'Order DCL POC' 
@MappingRole: true 
define role Zjerry_Order_Dcl { 
  grant select on zjerry_order
          where ( order_type) = 
          aspect pfcg_auth( ZJER_TYPE, pr_type, ACTVT = '03' )
              or ( order_type) = aspect pfcg_auth(  ZJER_TYPE, pr_type, ACTVT = '*' );
}

The code is very clean now:
SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.
And also works as expected:

From the CDS standard training, it is IMPOSSIBLE from ABAP layer to know, whether there is indeed only 1 entry with type SRVO, or there might be more entries, but filtered out by missing authorization.
When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical "and".
This is ST05 trace:

However there are some trouble here!?

However this is not true :(

And then check the corresponding field in PFCG role from 03 to *:

result is still the same:

Best practice??

Just follow S4 DCL design. Check their package VDM_SD_ANALYTICS.
Two fields in one authorization object is like intersection.
Switch off: @AccessControl.authorizationCheck: #NOT_ALLOWED
If a CDS entity is specified in several access rules of a CDS role or in multiple CDS roles, the resulting access conditions are joined using a logical "or".

2017-06-17

Refer to S4:

Before I create DCL object:

After I create DCL object:

Jerry question: there are also lots of other Authorization object evaluated in the current search:

本文来自云栖社区合作伙伴“汪子熙”，了解相关信息可以关注微信公众号"汪子熙"。