Introduction to How SAP CDS View Authorization Control Is Implemented - Alibaba Cloud Developer Community


Part1 – how to test odata service generated by CDS view

Part2 – what objects are automatically generated after you activate one CDS view

Part3 – how is view source in Eclipse converted to ABAP view in the backend

Part4 – how does annotation @OData.publish work

Part5 – how to create CDS view which supports navigation in OData service

Part6 – consume table function in CDS view

Part7 – unveil the secret of @ObjectModel.readOnly

Part8 – my summary of different approaches for annotation declaration and generation

Part9 – cube view and query view

Part10 – How does CDS view key user extensibility work in S4/HANA

Part11 – CDS view test double framework

Part12 – CDS view source code count tool

Part13 – this blog

Part14 – CDS view performance analysis using PlanViz in HANA studio


There are already lots of blogs in the community about the CDS authorization concept; here I only cover what those blogs have not mentioned so far.


For demonstration purposes I create a very simple database table ZORDER with two entries:



And a CDS view on top of it:

In SAP help, it is documented that “If a CDS entity is specified in several access rules of a CDS role, the resulting access conditions are joined using a logical OR”.

I then create a simple authorization object ZJER_TYPE2 in tcode SU21, which contains the field PR_TYPE for order type and the field ACTVT, with the following settings:


And then create an Access Control object:

Create a new PFCG role ZJER_AUTH_TEST3 with ACTVT = 01,02 and PR_TYPE = SRVO:



I use this combination to ensure that the condition before the OR operator passes ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '01' ) ) while the condition after the OR fails ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' ) ).

And then assign this PFCG role to my user:



From a semantic perspective, this means that “it is expected that user WANGJER can only have access to orders with process type SRVO”.


Now all preparation is ready. Execute this simple SQL:

SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.

Only 1 record with type SRVO is returned, working as expected. But why? How does it work?



Use tcode stauthtrace to perform a trace:



The trace result shows that the first condition, before the OR, is evaluated successfully, and the condition after the OR fails. According to SAP help, the overall result is still true (true OR false = true).



What magic happens when the Open SQL statement is executed? Why is the record with order type OPPT filtered out automatically?

Perform a SQL trace with tcode ST05, display execution plan via menu below:



You can see that a WHERE clause fragment has been added automatically. The value for ORDER_TYPE comes from the value of the authorization object field PR_TYPE, which is mapped to the CDS view field ORDER_TYPE in my DCL object.



This behavior is consistent with what is documented in SAP help:


When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical “and”.


Two DCL objects defined on the same CDS view

Again the SAP help said “If a CDS entity is specified in multiple CDS roles, the resulting access conditions are joined using a logical OR”.


Let’s create a new PFCG role ZJER_AUTH_TEST4 which only grants display authorization on order type OPPT.


Execute the SQL once again under trace mode:

Still one record with type SRVO is returned.



The corresponding automatically appended WHERE clause: since the PFCG role ZJER_AUTH_TEST4 is NOT assigned to my user WANGJER, no WHERE condition for the order type OPPT defined in that PFCG role is appended when the Open SQL statement is executed on the view.
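
A simplified Python model of the filtering traced above, added here as an illustration (it is not code from the original post or from SAP). The role contents come from the article; the order_id column, the function names and the '1 = 0' stand-in are assumptions, and the case where ZJER_AUTH_TEST4 is also assigned goes beyond what the article tested.

```python
# Simplified model of the behaviour traced in the article, not SAP code.
# Wildcard ('*') authorization values are out of scope here.

# Constructed rows: the article shows two ZORDER entries, types SRVO and OPPT.
ZORDER = [
    {"order_id": "1", "order_type": "SRVO"},
    {"order_id": "2", "order_type": "OPPT"},
]

# PFCG role contents as described in the article (display = ACTVT 03).
PFCG_ROLES = {
    "ZJER_AUTH_TEST3": [{"object": "ZJER_TYPE2", "ACTVT": {"01", "02"}, "PR_TYPE": {"SRVO"}}],
    "ZJER_AUTH_TEST4": [{"object": "ZJER_TYPE2", "ACTVT": {"03"}, "PR_TYPE": {"OPPT"}}],
}

# The two pfcg_auth aspects of the access control object, joined by OR:
# (authorization object, mapped authorization field, required ACTVT).
ACCESS_RULES = [("ZJER_TYPE2", "PR_TYPE", "01"), ("ZJER_TYPE2", "PR_TYPE", "03")]


def permitted_types(assigned_roles):
    """Union (logical OR) of the field values each access rule yields for the user."""
    values = set()
    for obj, field, actvt in ACCESS_RULES:
        for role in assigned_roles:
            for auth in PFCG_ROLES[role]:
                if auth["object"] == obj and actvt in auth["ACTVT"]:
                    values |= auth[field]
    return values


def implicit_where(assigned_roles, view_field="ORDER_TYPE"):
    """Text of the condition the database interface would append to the SELECT."""
    values = sorted(permitted_types(assigned_roles))
    if not values:
        return "1 = 0"  # model's stand-in for "no access rule satisfied"
    return " OR ".join(f"{view_field} = '{v}'" for v in values)


def select_from_view(assigned_roles, statement_where=lambda row: True):
    """Rows returned: the statement's own WHERE AND the access condition."""
    allowed = permitted_types(assigned_roles)
    return [r for r in ZORDER if statement_where(r) and r["order_type"] in allowed]


if __name__ == "__main__":
    print(implicit_where(["ZJER_AUTH_TEST3"]))  # WANGJER as configured in the article
    print(select_from_view(["ZJER_AUTH_TEST3"]))
```

Passing both role names to `implicit_where` shows the appended condition widening to include OPPT, which is why role assignment, not the DCL text alone, decides what a user can read.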
