Friday, 10 April 2020

Implementing DCL with CDS Views and Roles

I am going to write here about how to use DCL with CDS views, and how PFCG roles drive it, to provide row-based authorizations in the UI.

So, DCL stands for Data Control Language. A CDS access control written in DCL restricts the rows a CDS view returns from the database according to conditions. When the condition refers to an authorization object (the pfcg_auth aspect), the filter is evaluated against the values granted in the current user's PFCG roles, so the same view returns different subsets of rows to different categories of users.

Let us look into the process, with the help of an example.

Suppose I have the below database table:

ZARJ_DCL_TEST is the table with the fields MANDT, PID, KEY1, VALUE and NAME.

Now, let's check the data entered for the above table:


Here in the KEY1 field we can see that we have three country codes: RSA, IND and USA. Our aim is to show the user only the records for one or two of these country codes in the UI.

So, in the next step, we create an implementation CDS view (ZDCL_I_CO) on this table. Note that it is already annotated with @AccessControl.authorizationCheck: #CHECK, which tells the system to apply an access control to this view once one exists.

@AbapCatalog.sqlViewName: 'ZAR_I_DCL'
@AbapCatalog.compiler.compareFilter: true
@AbapCatalog.preserveKey: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'DCL Implementation Test'
define view ZDCL_I_CO as select from zarj_dcl_test {
    key pid as CityUUID,
    key1 as KeyCounCode,
    value as CityCode,
    name  as CityName  
}

Now, consume this implementation view in our next consumption view (ZDCL_C_CO):


Here is the code:

@AbapCatalog.sqlViewName: 'ZAR_C_DCL'
@AbapCatalog.compiler.compareFilter: true
@AbapCatalog.preserveKey: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Consumption DCL'
@VDM.viewType: #CONSUMPTION
@OData.publish: true
@Search.searchable: true
define view ZDCL_C_CO as select from ZDCL_I_CO {
    key CityUUID as CityUUID,
    @Search.defaultSearchElement: true
    @UI.identification: [{position: 10}]
    @UI.selectionField: {position: 10}
    @UI.lineItem: { position: 10} 
    @EndUserText.label: 'Country Code'
    KeyCounCode as KeyCounCode,
    @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false}
    @UI.selectionField: {position: 20}  
    @UI.identification: [{position: 20}]
    @UI.lineItem: { position: 20} 
    @EndUserText.label: 'City Code'
    CityCode as CityCode,
    @UI.lineItem: { position: 30} 
    @EndUserText.label: 'City Name'
    CityName  as CityName 
}

Now, let's check the output by viewing it in the data preview in Eclipse:


From here we need to follow the steps below to create an access control (DCL):

◉ Create an authorization field and an authorization object
◉ Create an access control in Eclipse for the desired CDS view
◉ Create a PFCG role with the authorization values and assign it to the user
◉ Create a Fiori app to preview the output (optional, as the output can also be viewed at the CDS level itself)

Creating an OData Service and a Fiori List Report App


As mentioned above, this step is optional. We can activate the OData service generated from the consumption view (because of its @OData.publish: true annotation). To do this, go to transaction /n/iwfnd/maint_service and click on the Add Service button. The screen below will come up.


Here enter the system alias "LOCAL", enter the CDS view name with a * before and after it in the Technical Service Name field, and click on Get Services. The service generated from our CDS view should appear in the Select Backend Services table below.

Select the checkbox beside the service in the table and click on Add Selected Services to add the service. A dialog prompts for the transport request for the generated MPC and DPC classes. Select a transport request or choose Local Object, and save.

Now go back to the previous screen, enter the service name you just added in the filter and press Enter. In this case, it should display the service as below:


Now, in the Web IDE, we can create a List Report application on this OData service to look at the data that is being fetched.

Select the List Report Application in the list of templates:


Select the proper OData service and, in the next screen, select all the annotations:


Select the header collection entity set (this is the entity set that populates the table in the first view):


Now click on Finish and run the application with a proper run configuration (preferably run it from the component rather than from index.html). The screen below should appear, with both the smart filter bar and the smart table.


We can see that, without an access control, all country codes and all rows are visible in the UI.

Creating an Authorization Object and Authorization Field


To do this, we make use of the TCodes SU21 and SU20 respectively.

Authorization Field: An authorization field is typed by a data element. It is the slot in which a role carries the values (single values or ranges) that an authorization check, and therefore our DCL condition, is compared against.

To create an authorization field, go to transaction SU20 and click on the Authorization Field button in the top menu bar.


In the next screen, enter the desired authorization field name (ZAR_DLC_CC) and the data element whose values you want to authorize. In our case the data element is ZAR_CN_CO, the type of the field KEY1 in our SE11 table.


Screenshot of the SE11 table field for which we want to add the authorization:


Authorization Class/Object: An authorization class is a group of one or more authorization objects. An authorization object bundles one or more authorization fields; the values a role grants for those fields are what the check is evaluated against.

We do not need to create an authorization class every time we create an authorization object; it only has to be created once.

To create the authorization class and object, go to transaction SU21. All our DCL-based authorization objects can be collected in one authorization class; we name it ZDCL.

So, click on the New button (paper icon) and choose Object Class.


Enter the details in the screen below and create the class.


Now, under the class, create an authorization object (ZCOUNCDE): click on the Authorization Object button in the above screen, enter the authorization field ZAR_DLC_CC and click on Save.


On clicking save, the below screen should appear:


Creating an Access Control with CDS


Now that we have an authorization object and an authorization field, we connect them to our CDS view through an access control. To do this, go to Eclipse, right-click on the package, choose New and select Access Control.


In the next dialog, enter the name (ZDCL_C_CO, the same as the view it protects) and a description, click on Next, select a transport request in the following screen, and click on Next again.


In the next screen, for this example, we use the "Define Role with Simple Conditions" template. Select it and click on Finish.


Now replace the generated skeleton with the code below:

@EndUserText.label: 'Access Control for ZDCL_C_CO CDS View'
@MappingRole: true
define role ZDCL_C_CO {
    grant
        select
            on
                ZDCL_C_CO
                    where ( KeyCounCode ) =   aspect pfcg_auth( ZCOUNCDE, ZAR_DLC_CC ); 
                    //syntax: where ( CDS_FIELD_NAME ) = aspect pfcg_auth ( Authorization_Object, Auth_field )
}

Here the authorization object (ZCOUNCDE) and authorization field (ZAR_DLC_CC) must match exactly the ones defined in SU21 and SU20; the element on the left of the condition (KeyCounCode) is the element of the CDS view that is compared with the values the user's roles grant for that field. Note that this role protects only ZDCL_C_CO. The implementation view ZDCL_I_CO is also annotated #CHECK but has no access control of its own, so its activation reports a warning and anyone who selects from ZDCL_I_CO directly still gets every row.

Now save and activate the Access Control.
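The role above leaves the implementation view unprotected. As an added example (not part of the original post), the two CDS access controls below close that gap: the row filter is defined once on ZDCL_I_CO, where the #CHECK annotation already asks for it, and ZDCL_C_CO inherits it. The view, object and field names are the ones used above; the inheriting conditions from entity syntax assumes ABAP 7.51 or higher (on older releases, repeat the where clause on the consumption view instead). Each define role is its own access control object in Eclipse; they are shown in one listing only for reading.

```abap
// Access control ZDCL_I_CO (added example). Protects the implementation view,
// which carries @AccessControl.authorizationCheck: #CHECK but had no role above.
// Same authorization object and field as created in SU21 / SU20.
@EndUserText.label: 'Access Control for ZDCL_I_CO'
@MappingRole: true
define role ZDCL_I_CO {
  grant
    select
      on ZDCL_I_CO
        where ( KeyCounCode ) = aspect pfcg_auth( ZCOUNCDE, ZAR_DLC_CC );
}

// Access control ZDCL_C_CO (added example). An access control on a view is NOT
// applied when that view is only used as a data source inside another view, so
// the consumption view still needs a role of its own. Inheriting keeps both in
// sync; the elements are matched by name (KeyCounCode exists in both views).
@EndUserText.label: 'Access Control for ZDCL_C_CO'
@MappingRole: true
define role ZDCL_C_CO {
  grant
    select
      on ZDCL_C_CO
        inheriting conditions from entity ZDCL_I_CO;
}
```

After both are activated, the activation warning on ZDCL_I_CO disappears and the data preview of either view returns only the rows the user's role allows. Whenever a new view is built on top of ZDCL_I_CO, it needs its own access control (inheriting or explicit) in the same way.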

Creating a role with the authorization object and assigning it to the user


To create a role, we use transaction PFCG. Open PFCG, enter the desired role name and click on Single Role:

In the next screen, enter a short description and go to the User tab. Click on Edit and assign the user IDs that are going to test and use this application.

Now go to the authorizations tab and click on display authorization data:


In the next screen, we add our authorization object and set the values that users holding this role are allowed to see.

If a popup asks for a template, choose "Do not select any template". Then, in the menu bar, click on the Manually icon, which lets us add authorization objects of our choice by hand.


A popup opens. Enter the authorization object we created before (ZCOUNCDE) and click on Continue.


Now expand the subtree and edit the authorization field to add the restriction.


To grant full authorization, enter * or click on Full Authorization; with * the DCL condition is always true and the user sees every country. Otherwise, enter the single values or ranges that this particular user is allowed to see.


In our case, we want to display only the records with country code "IND", so we enter IND in the From column and click on Save. Then save the authorization data and click on Generate.


Once the profile has been generated successfully and the role is assigned to our user, we can test the DCL both at the CDS level and in the front-end application. If the result does not change, the user's authorization buffer is probably stale: log on again (or reset the buffer with transaction SU56) so that the new profile takes effect.

At the CDS level, run the consumption view in the data preview:

Then go to the browser and refresh the Fiori application:

In both cases we only get the records with country code IND. Thus the access control is working and the role values are being applied.
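The two checks above show the access control working on the consumption view. As an added example (not part of the original post), the report below shows where that protection stops, which is what a reviewer of custom code needs to know: the filter applies only to ABAP SQL on the CDS entity, not to the unprotected implementation view, not to the database table, and not to a SELECT that opts out with WITH PRIVILEGED ACCESS. It assumes the table ZARJ_DCL_TEST, the views ZDCL_I_CO and ZDCL_C_CO, the object ZCOUNCDE with field ZAR_DLC_CC, and the PFCG role granting IND from above, on an ABAP 7.50 or higher system; the report name ZAR_DCL_CHECK is made up for this example.

```abap
*&---------------------------------------------------------------------*
*& Report ZAR_DCL_CHECK - added example, not from the original post.
*& Shows where the access control ZDCL_C_CO is enforced and where it is
*& not. Assumes the objects built above exist and ABAP 7.50 or higher.
*&---------------------------------------------------------------------*
REPORT zar_dcl_check.

TYPES: BEGIN OF ty_count,
         keycouncode TYPE zar_cn_co,  " data element of KEY1, as in SU20 above
         cnt         TYPE i,
       END OF ty_count,
       tt_count TYPE STANDARD TABLE OF ty_count WITH EMPTY KEY.

DATA: lt_via_view   TYPE tt_count,
      lt_via_impl   TYPE tt_count,
      lt_via_table  TYPE tt_count,
      lt_privileged TYPE tt_count.

" 1. Through the consumption view: ABAP SQL applies the access control
"    implicitly. A user whose role grants ZAR_DLC_CC = 'IND' sees IND only.
SELECT keycouncode, COUNT( * ) AS cnt
  FROM zdcl_c_co
  GROUP BY keycouncode
  INTO TABLE @lt_via_view.

" 2. Through the implementation view: annotated #CHECK but without an
"    access control of its own (ADT warns on activation), so every row
"    comes back regardless of the role.
SELECT keycouncode, COUNT( * ) AS cnt
  FROM zdcl_i_co
  GROUP BY keycouncode
  INTO TABLE @lt_via_impl.

" 3. Straight from the database table: CDS access control is a property of
"    the CDS entity, never of the table. Any SELECT on ZARJ_DCL_TEST, from
"    SE16 or a custom RFC, returns all countries.
SELECT key1 AS keycouncode, COUNT( * ) AS cnt
  FROM zarj_dcl_test
  GROUP BY key1
  INTO TABLE @lt_via_table.

" 4. Deliberate bypass: WITH PRIVILEGED ACCESS switches the DCL off for this
"    statement. It is meant for code that performs its own authorization
"    check, so every occurrence found in a code review needs a justification.
SELECT keycouncode, COUNT( * ) AS cnt
  FROM zdcl_c_co WITH PRIVILEGED ACCESS
  GROUP BY keycouncode
  INTO TABLE @lt_privileged.

" 5. The explicit check such privileged code would have to perform itself,
"    against the same object and field the DCL condition refers to.
AUTHORITY-CHECK OBJECT 'ZCOUNCDE'
  ID 'ZAR_DLC_CC' FIELD 'USA'.
DATA(lv_usa_allowed) = xsdbool( sy-subrc = 0 ).  " abap_false with the IND-only role

cl_demo_output=>begin_section( 'Via ZDCL_C_CO (access control applied)' ).
cl_demo_output=>write_data( lt_via_view ).
cl_demo_output=>begin_section( 'Via ZDCL_I_CO (no access control of its own)' ).
cl_demo_output=>write_data( lt_via_impl ).
cl_demo_output=>begin_section( 'Via table ZARJ_DCL_TEST (DCL never applies)' ).
cl_demo_output=>write_data( lt_via_table ).
cl_demo_output=>begin_section( 'Via ZDCL_C_CO WITH PRIVILEGED ACCESS (bypassed)' ).
cl_demo_output=>write_data( lt_privileged ).
cl_demo_output=>write_text( |AUTHORITY-CHECK for USA passed: { lv_usa_allowed }| ).
cl_demo_output=>display( ).
```

Run it as the test user: only the first section is limited to IND; the other three list RSA, IND and USA. The practical consequence is that row-level protection is only as good as the discipline of reading through the protected entity, so custom code, RFCs and reports that select from the table or use WITH PRIVILEGED ACCESS should be found and justified during review.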

Note:

Through this method we can add authorizations for the display (read) functionality only. Authorizations for other functionality such as create, update and delete have to be implemented in the application; with BOPF we can place that authorization logic in the BOPF determination.
