In SAP S/4HANA and ABAP systems, CDS (Core Data Services) views serve as powerful tools for modeling data directly on the database level, providing a seamless and optimized way to access data. However, to ensure secure data access, it’s essential to implement authorization checks, particularly when sensitive business data is exposed through these views.
This guide explains a practical business scenario where authorization checks are needed on a CDS view and provides a step-by-step solution for enabling these checks with code snippets, transaction codes, and helpful tips.
Business Scenario: Role-Based Data Access for Sales Data
Consider a company with multiple sales departments, each responsible for different regions. Each department has employees who should only access data relevant to their assigned region. For instance, employees from the North America sales team should only see data related to North America. However, as data is consolidated in a single CDS view, it’s crucial to restrict access based on a user’s assigned region to ensure data security.
Enabling authorization checks on the CDS view allows you to control access so that each user only sees data relevant to their permissions. Let’s walk through the process of configuring authorization checks to secure this data access.
More Such Questions
- How to Create a Fiori Elements App on SAP BTP Using CDS Views
- How to Configure SAP BTP to Securely Access SAP S/4HANA OData Services
- How to Use OData Filters and Query Parameters in SAP Fiori Applications
- How to Optimize CDS Views for Performance in SAP HANA
- How to Set Up Destinations in SAP BTP for Accessing On-Premise OData Services
- How to Test and Debug OData Services in SAP Gateway
- How to Integrate On-Premise SAP Data with SAP BTP Using SAP Cloud Connector
- How to Consume SAP OData Services in SAP UI5 Applications on SAP BTP
- How to Enable Authorization Checks on CDS Views for Secure Data Access
- How to Create and Expose a CDS View with Multiple Joins as an OData Service
- How to Expose a CDS View as an OData Service for SAP BTP Applications
Step 1: Create the CDS View
Start by creating a basic CDS view for sales data with fields like SalesOrderID
, SalesRegion
, CustomerID
, Amount
, and other relevant details. This view will be used as the base for our authorization checks.
Code Example
Here’s a simple CDS view example for sales data:
@AbapCatalog.sqlViewName: 'ZSALES_CDS'
@AccessControl.authorizationCheck: #NOT_REQUIRED
@EndUserText.label: 'Sales Data CDS View'
define view Z_SALES_DATA as select from sales_order
{
key sales_order.SalesOrderID as SalesOrderID,
sales_order.SalesRegion as SalesRegion,
sales_order.CustomerID as CustomerID,
sales_order.Amount as Amount
}
Note: @AccessControl.authorizationCheck: #NOT_REQUIRED
is used initially to allow unrestricted access while setting up the view. We’ll modify this later.
Step 2: Create an Authorization Object
To implement authorization checks, you need an authorization object that specifies the field(s) based on which access will be restricted. In this example, we’ll create an authorization object to control access based on SalesRegion
.
Transaction Code: SU21
- Go to Transaction SU21.
- Choose Create Authorization Object.
- Define the object name, such as
Z_SALES_REGION
. - Add the
SalesRegion
field to this authorization object. - Save and activate the authorization object.
After activation, this object will be used in the authorization check to filter data based on a user’s SalesRegion
assignment.
Step 3: Create an Access Control (DCL) Object for the CDS View
An Access Control (DCL) object links the CDS view to the authorization object created in the previous step. This object specifies the filtering criteria for the view.
Code Example for DCL Object
- Right-click on your CDS view and select New > Other ABAP Repository Object > Data Control Language (DCL).
- Use the following code to define the DCL object:
@EndUserText.label: 'Authorization for Sales Data by Region'
define role Z_SALES_DATA_ACCESS {
grant select on Z_SALES_DATA
where (SalesRegion) = aspect pfcg_auth(Z_SALES_REGION, SalesRegion);
}
Explanation:
define role
: Defines the role that controls access toZ_SALES_DATA
.grant select
: Specifies the CDS view and defines the fields that are checked for authorization.aspect pfcg_auth
: UsesZ_SALES_REGION
to apply restrictions based onSalesRegion
.
Step 4: Assign the Authorization Object to Roles
For users to access specific regions, assign the authorization object to their roles in SAP. This step restricts access based on the criteria set in Z_SALES_REGION
.
Transaction Code: PFCG
- Go to Transaction PFCG.
- Create or edit an existing role.
- Add the authorization object
Z_SALES_REGION
to the role. - Specify values for
SalesRegion
that the user should have access to (e.g., “NA” for North America). - Save and generate the profile.
Now, only users assigned to the role with the appropriate SalesRegion
value will be able to see data for that region in Z_SALES_DATA
.
Step 5: Modify the CDS View for Authorization Check
To enforce the authorization check on your CDS view, update the view by setting @AccessControl.authorizationCheck: #CHECK
.
Updated CDS View Code
@AbapCatalog.sqlViewName: 'ZSALES_CDS'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Sales Data CDS View with Authorization'
define view Z_SALES_DATA as select from sales_order
{
key sales_order.SalesOrderID as SalesOrderID,
sales_order.SalesRegion as SalesRegion,
sales_order.CustomerID as CustomerID,
sales_order.Amount as Amount
}
This addition enforces the access control set in the DCL object, restricting data visibility based on the user’s SalesRegion
authorization.
Step 6: Test the Authorization Check
To verify the authorization check:
- Log in with a user assigned to a role with restricted access (e.g., access to only “NA” sales data).
- Run a query on
Z_SALES_DATA
. - Confirm that the user can only see data for their assigned
SalesRegion
.
Transaction Code: SE16N or CDS Query Browser
Use SE16N or the CDS Query Browser to run the query and ensure the authorization checks work as expected.
Tips and Best Practices
- Limit Authorization Fields: Be selective with the fields used in authorization objects to avoid complex and resource-intensive access control.
- Use Roles Effectively: Group similar authorizations in roles to simplify maintenance and reduce complexity.
- Leverage DCL for Flexible Rules: DCL allows flexibility in applying authorization rules based on multiple criteria, ensuring robust security.
- Test Thoroughly: Before deploying to production, thoroughly test with various user roles to ensure data visibility aligns with business rules.
- Documentation: Document all authorization objects and roles for better maintenance and future audits.
Summary
Implementing authorization checks in CDS views enhances data security by restricting data access to authorized users based on business requirements. This setup, especially relevant in multi-regional businesses like the sales scenario above, ensures that sensitive data is only accessible to users with the appropriate permissions, protecting both data integrity and privacy. Following the steps outlined—creating the CDS view, defining authorization objects, setting up DCL roles, and assigning user roles—enables secure, role-based data access that meets organizational security policies.