In this blog post we will be seeing how we can use Access Controls in CDS Views or Authorization Objects in CDS Views.

Authorization Objects or Access Controls are used to limit users and provide users only required and needed Information based on there work profile/role.

SAP Access control in ABAP CDS restricts the data returned from a CDS entity view in ABAP CDS.

SAP Access Control provides an additional method for checking authorizations in the SAP authorization concept.

Ref : https://help.sap.com/doc/abapdocu_750_index_htm/7.50/en-US/abencds_authorizations.htm

Scenario : We want to show specific Airline data to user, we will be restricting User with help of Access Control to see only data about specific Airline and not all Airlines.

Step by Step Guide to Create and Use SAP ABAP CDS Access Control

Step 1 Create Access Control

Provide name to Access Control and click on Next

There are various templates available to create Access Control. In this demo we are going to use most common used template “Define Role with PFCG”. This template needs one PFCG Role to be created and that role will be assigned to user.

Select template and click on Finish.

Once click on Finish button, we get the template created.

We have already created Role and Authorization Object in system with name ZSPFLI_AUT with Activity 03 (Display)

Step 2 Create Role and Maintain Authorization Object

Role Created

Authorization Object Created

Step 3 Update AccessControl annotation to #CHECK

To allow CDS View to access Authorization Object or Access Control we need to add below line in our CDS View

@AccessControl.authorizationCheck: #CHECK

Set value of authorizationCheck annotation to #CHECK. If we do not make change to this annotation to #CHECK Access Control will not be trigger

We want to apply Access Control on CDS View Z_C_MDE_SFLIGHT which returns Flight details.

Step 4 Make changes to generated Access Control Template

Now after making changes to generated template we got below Access Control completed, where we are reading data from CDS View Z_C_MDE_SFLIGHT

Step 5 Execute CDS View

We are only getting Singapore Airlines records which are based on our Access Control

If we change @AccessControl.authorizationCheck: #NOT _ALLOWED

Even if Access Control is applied on CDS View, Authorization check will not be triggered.

Again preview data, we are getting all records for all Airlines.

Advantage of using Access control:

1. There is no need to modify any CDS View if we have different cases for access.
2. We can easily use existing Role and Authorization Objects and no need to create new one.
3. Data level restrictions can be applied along with Role based check easily.