How SAP CDS view authorization control is implemented
Part1 – how to test odata service generated by CDS view
Part2 – what objects are automatically generated after you activate one CDS view
Part3 – how is view source in Eclipse converted to ABAP view in the backend
Part4 – how does annotation @OData.publish work
Part5 – how to create CDS view which supports navigation in OData service
Part6 – consume table function in CDS view
Part7 – unveil the secret of @ObjectModel.readOnly
Part8 – my summary of different approaches for annotation declaration and generation
Part9 – cube view and query view
Part10 – How does CDS view key user extensibility work in S4/HANA
Part11 – CDS view test double framework
Part12 – CDS view source code count tool
Part13 – this blog
Part14 – CDS view performance analysis using PlanViz in HANA studio
There are already lots of blogs in the community on the CDS authorization concept; here I only cover what those blogs have not mentioned so far.
For demonstration purposes I create a very simple database table ZORDER with two entries:
And a CDS view on top of it:
@AbapCatalog.sqlViewName: 'zvorder'
@AbapCatalog.compiler.compareFilter: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Order for authorization POC'
define view zjerry_order as select from zorder {
  key order_id,
      order_text,
      order_type,
      post_date
}
SAP help documents that “If a CDS entity is specified in several access rules of a CDS role, the resulting access conditions are joined using a logical OR”. I also create a simple authorization object ZJER_TYPE2 in transaction SU21, which contains the field PR_TYPE for the order type and the field ACTVT, with the following settings:
Then I create an access control (DCL) object:
@EndUserText.label: 'Order DCL POC'
@MappingRole: true
define role Zjerry_Order_Dcl {
  grant select on zjerry_order
    where ( order_type ) =
          aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '01' )
       or ( order_type ) =
          aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' );
}
Create a new PFCG role ZJER_AUTH_TEST3 with ACTVT = 01, 02 and PR_TYPE = SRVO:
I use this combination to ensure that the condition before the OR operator passes ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '01' ) ) while the condition after the OR fails ( aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' ) ). Then I assign this PFCG role to my user:
From a semantic perspective this means that “it is expected that user WANGJER can only have access to orders with process type SRVO”.
Now all preparation is done. Execute this simple SQL:
SELECT * INTO TABLE @DATA(lt_data) FROM zjerry_order.
Only one record, with type SRVO, is returned, which is the expected behavior. But why? How does it work?
Use transaction STAUTHTRACE to perform an authorization trace:
The trace result shows that the evaluation of the first condition (before the OR) succeeds and the condition after the OR fails. According to SAP help, the whole result is still true (true OR false = true).
What magic happens when the Open SQL statement is executed? Why is the record with order type OPPT automatically filtered out? Perform a SQL trace with transaction ST05 and display the execution plan via the menu below:
You can see that a WHERE fragment has been added automatically. The value for ORDER_TYPE comes from the value of the authorization object field PR_TYPE, which is mapped to the CDS view field ORDER_TYPE in my DCL object.
This behavior is consistent with what is documented in SAP help:
When Open SQL is used to access a CDS entity and an access rule is defined in a role for this entity, the access conditions are evaluated implicitly and their selection restricted so that in SELECT reads, the access condition is added to the selection condition of the statement passed from the database interface to the database using a logical “and”.
Two DCL objects defined on the same CDS view
Again, SAP help says “If a CDS entity is specified in multiple CDS roles, the resulting access conditions are joined using a logical OR”.
Let’s create a new PFCG role ZJER_AUTH_TEST4 which only grants display authorization on order type OPPT, together with a second DCL object on the same view:
@EndUserText.label: 'display authorization on OPPT'
@MappingRole: true
define role Zjerry_Order_Dcl2 {
  grant select on zjerry_order
    where ( order_type ) =
          aspect pfcg_auth( ZJER_TYPE2, pr_type, ACTVT = '03' );
}
Execute the SQL once again under trace mode: still only one record, with type SRVO, is returned.
The corresponding automatically appended WHERE clause: since the PFCG role ZJER_AUTH_TEST4 is NOT assigned to my user WANGJER, when the Open SQL statement is executed on the view, NO WHERE condition for order type OPPT (as defined by that PFCG role) is appended.
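To make the two rules above concrete (OR between the access conditions of one DCL role, OR between several DCL roles on the same entity, and the resulting condition ANDed onto the SELECT), here is an added Python model of the evaluation. It is not SAP code and not part of the original blog: the table rows, the PFCG role contents and the text of the generated WHERE fragment are constructed to mirror the scenario, the real fragment shown in ST05 has a different form, and the model assumes that a pfcg_auth aspect whose literal values (such as ACTVT = '03') are not covered by any of the user's authorizations evaluates to FALSE and contributes no values. It also goes one step beyond the blog by showing what happens once ZJER_AUTH_TEST4 is actually assigned to the user.

```python
from dataclasses import dataclass

# Constructed sample content of table ZORDER (two entries, as in the blog's scenario).
ZORDER = [
    {"order_id": "1", "order_text": "Service order", "order_type": "SRVO"},
    {"order_id": "2", "order_text": "Opportunity", "order_type": "OPPT"},
]


@dataclass
class PfcgAuth:
    """One authorization of a PFCG role: object name plus the field values it grants."""
    obj: str
    fields: dict  # e.g. {"PR_TYPE": {"SRVO"}, "ACTVT": {"01", "02"}}


@dataclass
class AspectCondition:
    """Models `where (view_field) = aspect pfcg_auth(obj, auth_field, LIT = 'VAL', ...)`."""
    view_field: str
    obj: str
    auth_field: str
    literals: dict  # fixed field values the user's authorization must cover


@dataclass
class DclRole:
    """Models `define role ... { grant select on <view> where c1 or c2 ...; }`."""
    name: str
    view: str
    conditions: list  # conditions of one role are joined with OR


def allowed_values(cond, auths):
    """Values of cond.view_field the user may read under this condition.
    An empty set means no authorization covers the literals: the condition is FALSE
    (assumption of this model, matching the failed ACTVT = '03' check in the trace)."""
    values = set()
    for auth in auths:
        if auth.obj != cond.obj:
            continue
        # every literal (e.g. ACTVT = '01') must be contained in this authorization
        if all(val in auth.fields.get(fld, set()) for fld, val in cond.literals.items()):
            values |= set(auth.fields.get(cond.auth_field, set()))
    return values


def access_condition(roles, view, auths):
    """OR within a role and OR across roles both become a union of allowed values.
    Returns {view_field: allowed values}; an empty set for a field blocks every row."""
    allowed = {}
    for role in roles:
        if role.view != view:
            continue
        for cond in role.conditions:
            allowed.setdefault(cond.view_field, set()).update(allowed_values(cond, auths))
    return allowed


def render_where(allowed):
    """Illustrative text of the fragment the DBI ANDs onto the statement's WHERE clause."""
    if not allowed:
        return ""  # no DCL role covers the view: this model applies no restriction
    if any(not vals for vals in allowed.values()):
        return "1 = 0"  # every condition failed: nothing is readable
    parts = []
    for fld, vals in sorted(allowed.items()):
        lits = ", ".join(f"'{v}'" for v in sorted(vals))
        parts.append(f'"{fld.upper()}" IN ({lits})')
    return " AND ".join(parts)


def select_orders(roles, auths, user_filter=lambda row: True):
    """SELECT * FROM zjerry_order WHERE <user_filter> AND <access condition>."""
    allowed = access_condition(roles, "zjerry_order", auths)

    def passes(row):
        return all(row[fld] in vals for fld, vals in allowed.items())

    return [row for row in ZORDER if user_filter(row) and passes(row)]


# PFCG roles from the blog (field values constructed to match the text).
ZJER_AUTH_TEST3 = PfcgAuth("ZJER_TYPE2", {"PR_TYPE": {"SRVO"}, "ACTVT": {"01", "02"}})
ZJER_AUTH_TEST4 = PfcgAuth("ZJER_TYPE2", {"PR_TYPE": {"OPPT"}, "ACTVT": {"03"}})

# The two DCL objects from the blog.
ZJERRY_ORDER_DCL = DclRole("Zjerry_Order_Dcl", "zjerry_order", [
    AspectCondition("order_type", "ZJER_TYPE2", "PR_TYPE", {"ACTVT": "01"}),
    AspectCondition("order_type", "ZJER_TYPE2", "PR_TYPE", {"ACTVT": "03"}),
])
ZJERRY_ORDER_DCL2 = DclRole("Zjerry_Order_Dcl2", "zjerry_order", [
    AspectCondition("order_type", "ZJER_TYPE2", "PR_TYPE", {"ACTVT": "03"}),
])

if __name__ == "__main__":
    wangjer = [ZJER_AUTH_TEST3]           # only ZJER_AUTH_TEST3 assigned, as in the blog
    roles = [ZJERRY_ORDER_DCL, ZJERRY_ORDER_DCL2]
    print(render_where(access_condition(roles, "zjerry_order", wangjer)))
    print([r["order_type"] for r in select_orders(roles, wangjer)])
    # Once ZJER_AUTH_TEST4 is assigned too, the ACTVT = '03' conditions become TRUE.
    print([r["order_type"] for r in select_orders(roles, wangjer + [ZJER_AUTH_TEST4])])
```

Running the block prints the SRVO-only fragment and a single row for user WANGJER with only ZJER_AUTH_TEST3, and both rows once ZJER_AUTH_TEST4 is added; a user with no matching authorization at all gets `1 = 0` and an empty result rather than an error, which is why a missing PFCG assignment shows up as "missing data" and is best diagnosed with STAUTHTRACE as above.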