How to Enable Authorization Checks on CDS Views for Secure Data Access

In SAP S/4HANA and ABAP systems, CDS (Core Data Services) views serve as powerful tools for modeling data directly on the database level, providing a seamless and optimized way to access data. However, to ensure secure data access, it’s essential to implement authorization checks, particularly when sensitive business data is exposed through these views.

This guide explains a practical business scenario where authorization checks are needed on a CDS view and provides a step-by-step solution for enabling these checks with code snippets, transaction codes, and helpful tips.

Business Scenario: Role-Based Data Access for Sales Data

Consider a company with multiple sales departments, each responsible for different regions. Each department has employees who should only access data relevant to their assigned region. For instance, employees from the North America sales team should only see data related to North America. However, as data is consolidated in a single CDS view, it’s crucial to restrict access based on a user’s assigned region to ensure data security.

Enabling authorization checks on the CDS view allows you to control access so that each user only sees data relevant to their permissions. Let’s walk through the process of configuring authorization checks to secure this data access.

Step 1: Create the CDS View

Start by creating a basic CDS view for sales data with fields like SalesOrderID, SalesRegion, CustomerID, Amount, and other relevant details. This view will be used as the base for our authorization checks.

Code Example

Here’s a simple CDS view example for sales data:

    @AbapCatalog.sqlViewName: 'ZSALES_CDS'
    @AccessControl.authorizationCheck: #NOT_REQUIRED
    @EndUserText.label: 'Sales Data CDS View'

    define view Z_SALES_DATA as select from sales_order
    {
        key sales_order.SalesOrderID as SalesOrderID,
            sales_order.SalesRegion  as SalesRegion,
            sales_order.CustomerID   as CustomerID,
            sales_order.Amount       as Amount
    }

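Note: @AccessControl.authorizationCheck: #NOT_REQUIRED is used initially to allow unrestricted access while setting up the view. Access is unrestricted at this point because no DCL role exists for the view yet; #NOT_REQUIRED only suppresses the warning about the missing role and does not switch off a role once one is defined. We’ll modify this later.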

Step 2: Create an Authorization Object

To implement authorization checks, you need an authorization object that specifies the field(s) based on which access will be restricted. In this example, we’ll create an authorization object to control access based on SalesRegion.

Transaction Code: SU21

  1. Go to Transaction SU21.
  2. Choose Create Authorization Object.
  3. Define the object name, such as Z_SALES_REGION.
  4. Add the SalesRegion field to this authorization object.
  5. Save and activate the authorization object.

After activation, this object will be used in the authorization check to filter data based on a user’s SalesRegion assignment.

Step 3: Create an Access Control (DCL) Object for the CDS View

An Access Control (DCL) object links the CDS view to the authorization object created in the previous step. This object specifies the filtering criteria for the view.

Code Example for DCL Object

  1. Right-click on your CDS view and select New > Other ABAP Repository Object > Data Control Language (DCL).
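  2. Use the following code to define the DCL object:

    @EndUserText.label: 'Authorization for Sales Data by Region'
    // Applies the role to all users; this annotation is mandatory on some releases.
    @MappingRole: true

    define role Z_SALES_DATA_ACCESS {
        // Return only the rows whose SalesRegion matches a value the user holds
        // for the SalesRegion field of authorization object Z_SALES_REGION.
        grant select on Z_SALES_DATA
            where (SalesRegion) = aspect pfcg_auth(Z_SALES_REGION, SalesRegion);
    }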

Explanation:

  • define role: Defines the role that controls access to Z_SALES_DATA.
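  • grant select: Names the CDS view the rule applies to; the where clause that follows lists the view fields that are checked for authorization.
  • aspect pfcg_auth: Uses Z_SALES_REGION to apply restrictions based on SalesRegion, comparing each row's SalesRegion with the values the user holds for that object through PFCG roles.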

Step 4: Assign the Authorization Object to Roles

For users to access specific regions, assign the authorization object to their roles in SAP. This step restricts access based on the criteria set in Z_SALES_REGION.

Transaction Code: PFCG

  1. Go to Transaction PFCG.
  2. Create or edit an existing role.
  3. Add the authorization object Z_SALES_REGION to the role.
  4. Specify values for SalesRegion that the user should have access to (e.g., “NA” for North America).
  5. Save and generate the profile.

Now, only users assigned to the role with the appropriate SalesRegion value will be able to see data for that region in Z_SALES_DATA.

Step 5: Modify the CDS View for Authorization Check

To enforce the authorization check on your CDS view, update the view by setting @AccessControl.authorizationCheck: #CHECK.

Updated CDS View Code

    @AbapCatalog.sqlViewName: 'ZSALES_CDS'
    @AccessControl.authorizationCheck: #CHECK
    @EndUserText.label: 'Sales Data CDS View with Authorization'

    define view Z_SALES_DATA as select from sales_order
    {
        key sales_order.SalesOrderID as SalesOrderID,
            sales_order.SalesRegion  as SalesRegion,
            sales_order.CustomerID   as CustomerID,
            sales_order.Amount       as Amount
    }

This addition enforces the access control set in the DCL object, restricting data visibility based on the user’s SalesRegion authorization.

Step 6: Test the Authorization Check

To verify the authorization check:

  1. Log in with a user assigned to a role with restricted access (e.g., access to only “NA” sales data).
  2. Run a query on Z_SALES_DATA.
  3. Confirm that the user can only see data for their assigned SalesRegion.

Transaction Code: SE16N or CDS Query Browser

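Use SE16N or the CDS Query Browser to run the query and ensure the authorization checks work as expected. Query the CDS entity Z_SALES_DATA, as in step 2, rather than the generated SQL view ZSALES_CDS, because access control is only applied to access through the entity.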
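
The test in Step 6 can also be run as a small report under the test user's session. This is an added example, not code from the original guide: the report name Z_SALES_DATA_DCL_TEST is hypothetical, and it assumes a test system on a release that supports the ABAP SQL addition WITH PRIVILEGED ACCESS, used here only to obtain the unfiltered reference counts.

```abap
REPORT z_sales_data_dcl_test.

" Rows per region as the current user sees them. ABAP SQL on the CDS
" entity applies the DCL role Z_SALES_DATA_ACCESS implicitly.
SELECT salesregion, COUNT( * ) AS row_count
  FROM z_sales_data
  GROUP BY salesregion
  INTO TABLE @DATA(lt_visible).

" Same aggregation with CDS access control switched off (reference set).
" Assumption: the release supports WITH PRIVILEGED ACCESS.
SELECT salesregion, COUNT( * ) AS row_count
  FROM z_sales_data WITH PRIVILEGED ACCESS
  GROUP BY salesregion
  INTO TABLE @DATA(lt_all).

DATA lv_seen TYPE int8.

WRITE: / 'User:', sy-uname.

LOOP AT lt_all INTO DATA(ls_all).
  " How many rows of this region survived the DCL filter?
  CLEAR lv_seen.
  READ TABLE lt_visible INTO DATA(ls_visible)
       WITH KEY salesregion = ls_all-salesregion.
  IF sy-subrc = 0.
    lv_seen = ls_visible-row_count.
  ENDIF.

  " A region must be either hidden or fully visible. Anything in between
  " means another condition is filtering rows as well.
  DATA(lv_state) = COND string(
    WHEN lv_seen = 0                THEN `hidden`
    WHEN lv_seen = ls_all-row_count THEN `fully visible`
    ELSE `partially visible` ).

  WRITE: / ls_all-salesregion, lv_seen, '/', ls_all-row_count, lv_state.
ENDLOOP.
```

For a user whose role holds only “NA”, the expected output is `fully visible` for NA and `hidden` for every other region. If every region is fully visible, the DCL role is not active or the user holds a wildcard value for Z_SALES_REGION.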

Tips and Best Practices

  • Limit Authorization Fields: Be selective with the fields used in authorization objects to avoid complex and resource-intensive access control.
  • Use Roles Effectively: Group similar authorizations in roles to simplify maintenance and reduce complexity.
  • Leverage DCL for Flexible Rules: DCL allows flexibility in applying authorization rules based on multiple criteria, ensuring robust security.
  • Test Thoroughly: Before deploying to production, thoroughly test with various user roles to ensure data visibility aligns with business rules.
  • Documentation: Document all authorization objects and roles for better maintenance and future audits.

Summary

Implementing authorization checks in CDS views enhances data security by restricting data access to authorized users based on business requirements. This setup, especially relevant in multi-regional businesses like the sales scenario above, ensures that sensitive data is only accessible to users with the appropriate permissions, protecting both data integrity and privacy. Following the steps outlined—creating the CDS view, defining authorization objects, setting up DCL roles, and assigning user roles—enables secure, role-based data access that meets organizational security policies.