Using Access Control(DCL) in CDS View
The post describes how to create and use a Access Control(DCL) in the CDS views(DDL).
Below we have a simple CDS view on the SCARR table. Execute to see the data preview.
So here it displays all the data. So the CDS view works fine.
Now the next step is to create the Access Control or the DCL view but before that let’s check what authorization object we can use for this.
Go to Tx- SU21 to check the authorization objects. For FLIGHT demo SAP already provides few authorization object that we can make use of in our demo. Lets search for the Auth object- S_CARRID
Here it is under the Auth Class– BC_C . Double click on the auth object- S_CARRID
Here is the details. Select the button Permitted Values to check what all authorization are available.
Here we have all the auth available, but we will use the Display auth value ’03’
For the demo purpose i have created one more Auth Class- ZTST and auth object- ZCARRID
Here only display auth is checked.
So in the demo we have two auth objects- S_CARRID belongs to BC_C class and ZCARRID belongs to ZTST class out of which only S_CARRID auth object is assigned to the user but not ZCARRID.
We can check the assigned auth object to the user simply by executing Tx- SU56.
Tx- Su56 . Here current user have S_CARRID auth is assigned but not the ZCARRID auth object.
Go back to the HANA studio ABAP perspective and create a new DCL source.
Provide name and description and select NEXT.
Here we have the DCL template, now we can do some changes here.
Provide a meaningful label.
Provide role name as- ZSCARR_ROLE
select on – the CDS view name as – ZDEMO_SCARR_CDS
We can mention the auth object as – S_CARRID filed names as CARRID & actvt with value as ’03’- Display. Save and activate it.
A more clear snapshot.
So in DCL, the CDS view name is assigned against the auth object name. Now execute the cds view.
Here no problem, the auth object S_CARRID is assigned to the user and hence we have the output.
Lets change the DCL, instead of auth object S_CARRID, assign auth object ZCARRID which is not assigned to the user. Save and activate the DCL .
Execute the cds view.
We don’t have any data on the preview. 🙂
Though we have a dcl with auth object is associated with the CDS view, we can suppress that by the semantic rule.
Change the authorizationcheck – Not Allowed . Activate the cds view and execute.
So here we have all the data.
Let’s try it out how the auth check fails by the trace.
Execute Tx- ST01 and choose Auth Check and select the radio button- Error. Finally select Trance On.
Trace switch is on now.
The DCL having auth objetc as – ZCARRID which is not assigned to the user.
Make the authorizationCheck as – #check . Activate and execute.
No data on the preview – perfectly fine.
Make trace off.
Select Analysis button.
Select Auth check and error from the right side – Trace record section and F8.
Now the trace clearly says – The auth check for the auth object- ZCARRID against the entity- ZDEMO_SCARR_CDS with actvt- 03 have a return code- RC12 ( Failed – user does not have the authorization)