
CDS View Authorization

Former Member
0 Kudos

Hi everyone,

I have created a simple CDS View in Eclipse which works really great. Now I am trying to add some auth checks as described in the docu:

ABAP Keyword Documentation

I have created a DCL source in Eclipse which looks like this:


@EndUserText.label: 'Auth for Working Place and Ordertype'
@MappingRole: 'true'
define role ZR_TC_AUTH {
    grant select on Zpm_Tc_Order
    where ( vaplz,
            auart,
            werks ) =
    aspect pfcg_auth (  Z_PM_TC,
                        ARBPL,
                        AUFART,
                        IWERK,
                        ACTVT = '31' );
}

In my backend I have created a custom auth object called Z_PM_TC. I have assigned this object in a user role. Now if I check my CDS view in SE11 or Data Preview in Eclipse, I get all the same data as before the auth check. So the auth check is not triggered. Also in the backend trace (ST01) I can't see that a check for my custom auth object is done. So do I need to make another connection between DDL and DCL? Or does it require a higher patch level? Our system is 740 SP-Level 009.

I hope somebody knows what I'm doing wrong.

Thanks for your help

Best Regards

Max

1 ACCEPTED SOLUTION

jasmin_gruschke
Product and Topic Expert
0 Kudos

Hi Max,
do you see any entries "ACMRT_RULES" in your ST01 trace?

The reason for "get all the same data" might originate from the fact, if you assigned the user role to your user, you'll receive the same data as before. Adding the role to your user, you are not restricting the result set, but you get a logical OR with your other authorizations. One example, your user is allowed to see all company codes and you create a DCL, which limits to one specific company code. When executing now, you'll have the logical OR between all and one specific, so "all" will be retrieved. To check if the DCL is actually working, you can e.g. use a dedicated test user with very limited authorizations (which has just the auth to execute the view/report and has the user role attached which you created).

Hope this helps,
  Jasmin

6 REPLIES 6

0 Kudos

Hi Jasmin,

Thanks for your fast reply. In my trace I can't find any entries with "ACMRT_RULES". Here is the trace from my test user:


16:51:20,139 AUTH            S_TCODE    RC=0  tcode=SE16;TCD=SE16;type=TR;name=SE11;
16:51:20,139 AUTH            S_TABU_DIS RC=0  ACTVT=03;DICBERCLS=;NC=;type=TR;name=SE11;
16:51:20,145 AUTH            S_ALV_LAYO RC=12 ACTVT=23;type=TR;name=SE11;
16:51:20,145 AUTH            S_ALV_LAYR RC=12 ACTVT=23;REPORT=/1BCDWB/DB_ZV_TC_ORDER_;HANDLE= ;LOG_GROUP= ;type=TR;name=SE11;
16:51:20,151 AUTH            S_GUI      RC=12 ACTVT=61;type=TR;name=SE11;
16:51:20,151 AUTH            S_GUI      RC=12 ACTVT=02;type=TR;name=SE11;
16:51:20,187 AUTH            S_GUI      RC=12 ACTVT=61;type=TR;name=SE11;

I have created a test user with very few authorizations. But again the result set is the same. I have also tried to include conditions directly in the where clause in the DCL file. These conditions also weren't recognized by the CDS.

Hope you have another idea. If you need more info please tell me.

Max

0 Kudos

Hi Max,

As far as I know, the DCL logic is not executed while using the data preview (this is only available in later SPs).

Can you please write a small report, call the view via an OpenSQL statement and check again if the DCL is applied?

best regards,

Ingo
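
A report of the kind suggested above, as an added example that is not part of the original thread and is not SAP's or any poster's own code. It reads the CDS entity with Open SQL and then runs the classic `AUTHORITY-CHECK` for `Z_PM_TC` on every returned row, so a row that comes back although the user is not authorized for it shows that the role did not filter the result. The report name is hypothetical, and it assumes that `vaplz`, `auart` and `werks` are elements of the view, as the role's where clause implies.

```abap
REPORT z_tc_order_dcl_probe. " hypothetical report name

" Read via the CDS entity named in the role (grant select on Zpm_Tc_Order).
" Assumption: vaplz, auart and werks are elements of that view.
SELECT vaplz, auart, werks
  FROM zpm_tc_order
  INTO TABLE @DATA(lt_rows).

DATA lv_denied TYPE i.

LOOP AT lt_rows INTO DATA(ls_row).
  " Same object, field mapping and activity as in role ZR_TC_AUTH.
  AUTHORITY-CHECK OBJECT 'Z_PM_TC'
    ID 'ARBPL'  FIELD ls_row-vaplz
    ID 'AUFART' FIELD ls_row-auart
    ID 'IWERK'  FIELD ls_row-werks
    ID 'ACTVT'  FIELD '31'.
  IF sy-subrc <> 0.
    " This row was returned although the user lacks the authorization.
    lv_denied = lv_denied + 1.
    WRITE: / 'Returned without authorization:',
             ls_row-vaplz, ls_row-auart, ls_row-werks.
  ENDIF.
ENDLOOP.

DATA(lv_total) = lines( lt_rows ).
WRITE: / 'Rows returned:', lv_total.
WRITE: / 'Rows failing Z_PM_TC:', lv_denied.

IF lv_denied > 0.
  WRITE: / 'The role did not restrict this SELECT.'.
ELSE.
  " Inconclusive for a user whose other roles already allow everything,
  " because authorizations from all roles are combined with OR.
  WRITE: / 'All returned rows pass Z_PM_TC.'.
ENDIF.
```

Run it as the dedicated test user with very limited authorizations, with the ST01 authorization trace switched on, so the output can be compared with the trace entries.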

0 Kudos

Hi Ingo,

Thanks for your reply. I have created a short report and checked it again. But also in this report I get all data. I also tried with my test user with very few authorizations. In the trace you can see that no auth is checked:


AUTH            S_TCODE    RC=0  tcode=SA38;TCD=SA38;type=TR;name=SA38;
AUTH            S_PROGRAM  RC=0  tcode=SA38;P_ACTION=SUBMIT;P_GROUP= ;type=TR;name=SA38;

Did I miss making a link between DCL and DDL? I'm really confused about what's missing here. Hope somebody has an idea.

@Ingo have you worked with DCL and gotten it working correctly?

Max

0 Kudos

Hi everyone,

I think I found the "solution". The solution is waiting until SP12 is installed on our system. There this authorization concept should be available. Thanks all for your help :)

0 Kudos

Hi Max,

I am also facing the same issue. Can you please tell me how to solve that issue?

https://answers.sap.com/questions/13427672/multidimensional-report.html