10-07-2015 1:13 PM
Hi everyone,
I have created a simple CDS view in Eclipse which works really great. Now I am trying to add some auth checks as described in the docu:
I have created a DCL source in Eclipse which looks like this:
@EndUserText.label: 'Auth for Working Place and Ordertype'
@MappingRole: 'true'
define role ZR_TC_AUTH {
    grant select on Zpm_Tc_Order
        where ( vaplz,
                auart,
                werks ) =
        aspect pfcg_auth ( Z_PM_TC,
                           ARBPL,
                           AUFART,
                           IWERK,
                           ACTVT = '31' );
}
In my backend I have created a custom auth object called Z_PM_TC. I have assigned this object in a user role. Now if I check my CDS view in SE11 or Data Preview in Eclipse, I get all the same data as before the auth check. So the auth check is not triggered. Also in the backend trace (ST01) I can't see that a check for my custom auth object is done. So do I need to make another connection between DDL and DCL? Or does it require a higher patch level? Our system is 740 SP-Level 009.
I hope somebody knows what I'm doing wrong.
Thanks for your help
Best Regards
Max
10-07-2015 3:18 PM
Hi Max,
do you see any entries "ACMRT_RULES" in your ST01 trace?
The reason for "get all the same data" might originate from the fact, if you assigned the user role to your user, you'll receive the same data as before. Adding the role to your user, you are not restricting the result set, but you get a logical OR with your other authorizations. One example, your user is allowed to see all company codes and you create a DCL, which limits to one specific company code. When executing now, you'll have the logical OR between all and one specific, so "all" will be retrieved. To check if the DCL is actually working, you can e.g. use a dedicated test user with very limited authorizations (which has just the auth to execute the view/report and has the user role attached which you created).
Hope this helps,
Jasmin
10-07-2015 3:56 PM
Hi Jasmin,
Thanks for your fast reply. In my trace I can't find any entries with "ACMRT_RULES". Here is my trace from my test user:
16:51:20,139 AUTH S_TCODE RC=0 tcode=SE16;TCD=SE16;type=TR;name=SE11;
16:51:20,139 AUTH S_TABU_DIS RC=0 ACTVT=03;DICBERCLS=;NC=;type=TR;name=SE11;
16:51:20,145 AUTH S_ALV_LAYO RC=12 ACTVT=23;type=TR;name=SE11;
16:51:20,145 AUTH S_ALV_LAYR RC=12 ACTVT=23;REPORT=/1BCDWB/DB_ZV_TC_ORDER_;HANDLE= ;LOG_GROUP= ;type=TR;name=SE11;
16:51:20,151 AUTH S_GUI RC=12 ACTVT=61;type=TR;name=SE11;
16:51:20,151 AUTH S_GUI RC=12 ACTVT=02;type=TR;name=SE11;
16:51:20,187 AUTH S_GUI RC=12 ACTVT=61;type=TR;name=SE11;
I have created a test user with very few authorizations. But again the result set is the same. I have also tried to include conditions directly in the where clause in the DCL file. These conditions also weren't recognized by the CDS.
Hope you have another idea. If you need more info please tell me.
Max
10-08-2015 7:55 AM
Hi Max,
As far as I know, the DCL logic is not executed while using the data preview (this is only available in later SPs).
Can you please write a small report, call the view via an OpenSQL statement and check again if the DCL is applied?
best regards,
Ingo
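A report of the kind suggested above, combined with the dedicated test user from the earlier reply, written here as an added example that is not code from any poster in this thread. The report name is hypothetical; the entity, the three fields and the authorization object are the ones named in the DCL source at the top of the thread, and the manual AUTHORITY-CHECK is only an approximation of what the role expresses.

```abap
REPORT z_tc_dcl_check.
" Added example; the report name is hypothetical. The entity, fields and
" authorization object are taken from the DCL source shown in this thread.

DATA: lv_total  TYPE i,
      lv_denied TYPE i.

" Read the CDS entity itself (the name after "grant select on"), not the
" SQL view generated for it: access control is attached to the entity.
SELECT DISTINCT vaplz, auart, werks
  FROM zpm_tc_order
  INTO TABLE @DATA(lt_keys).

LOOP AT lt_keys INTO DATA(ls_key).
  lv_total = lv_total + 1.

  " Repeat by hand the check the role maps the three fields to.
  AUTHORITY-CHECK OBJECT 'Z_PM_TC'
    ID 'ARBPL'  FIELD ls_key-vaplz
    ID 'AUFART' FIELD ls_key-auart
    ID 'IWERK'  FIELD ls_key-werks
    ID 'ACTVT'  FIELD '31'.

  IF sy-subrc <> 0.
    " Row was returned although the user holds no matching authorization.
    lv_denied = lv_denied + 1.
    WRITE: / 'Not authorized but returned:',
             ls_key-vaplz, ls_key-auart, ls_key-werks.
  ENDIF.
ENDLOOP.

WRITE: / 'Distinct combinations read:', lv_total.
WRITE: / 'Combinations the user is not authorized for:', lv_denied.
IF lv_denied > 0.
  WRITE: / 'The role did not filter this SELECT.'.
ENDIF.
```

Run it as the restricted test user. The AUTHORITY-CHECK statements in the report will themselves appear in an ST01 trace as checks on Z_PM_TC, so they should not be mistaken for checks made by the role.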
10-08-2015 12:23 PM
Hi Ingo,
Thanks for your reply. I have created a short report and checked it again. But also in this report I get all data. I also tried with my test user with very few authorizations. In the trace you can see that no auth is checked:
AUTH S_TCODE RC=0 tcode=SA38;TCD=SA38;type=TR;name=SA38;
AUTH S_PROGRAM RC=0 tcode=SA38;P_ACTION=SUBMIT;P_GROUP= ;type=TR;name=SA38;
Did I miss making a linkage between DCL and DDL? I'm really confused about what's missing here. Hope somebody has an idea.
@Ingo have you worked with DCL and gotten it working correctly?
Max
10-09-2015 9:59 AM
Hi everyone,
I think I found the "solution". The solution is waiting until SP12 is installed on our system. There this authorization concept should be available. Thanks all for your help :)
07-05-2021 3:38 AM
Hi Max,
I am also facing the same issue. Can you please tell me how to solve that issue?
https://answers.sap.com/questions/13427672/multidimensional-report.html