
CAP: Authorization Dependent concept

MioYasutake
Active Contributor

Hi,

I'm implementing the following sample project. The requirement here is to restrict access to the SalesOrders and SalesOrderItems entities to users who have authorizations for particular company codes.

model definition

using { cuid, managed } from '@sap/cds/common';
namespace salesorders;

entity SalesOrders {
    key ID: UUID @title: '{i18n>id}' @Core.Computed;
    orderNumber: Integer @title: '{i18n>orderNumber}';
    description: String @title : '{i18n>description}';
    company: String @title : '{i18n>company}';
    // a to-many composition needs an on condition; `order` is the backlink
    items: Composition of many SalesOrderItems on items.order = $self;
}

// cuid already supplies `key ID : UUID`, so ID is not declared a second time here
entity SalesOrderItems: cuid {
    order: Association to SalesOrders @title: '{i18n>order}';
    product: String @title: '{i18n>product}';
}

service definition

// path assumed: the post does not show where the model file lives
using { salesorders as db } from '../db/schema';

@requires: ['authenticated-user', 'system-user']
service SalesOrderService {
    @odata.draft.enabled
    entity SalesOrders
     @(restrict: [
            { grant: 'READ', to: 'Viewer', where: 'company = $user.company' },
            { grant: ['READ', 'WRITE'], to: 'Sales', where: 'company = $user.company' },
            { grant: 'READ', to: 'Admin' }
        ])
    as projection on db.SalesOrders;

    // how to apply authorization check based on company?
    // the projection has no company element, so where: 'company = $user.company' cannot be written here
    entity SalesOrderItems
    as projection on db.SalesOrderItems;

}

However, at item level we do not have a field "company". Looking at the parent's company code isn't possible, as mentioned in the question below.

https://answers.sap.com/questions/13013423/how-to-follow-associations-in.html

RAP has the concept of Authorization Dependent, as described here.

An entity is defined as authorization dependent (authorization dependent by _Assoc) if the authorization control from the authorization master entity shall also be applied for the operations of this entity.

I think CAP currently doesn't have such a feature, and we have to implement the check in event handlers. Is this understanding correct?
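For reference, here is what the event-handler approach mentioned above can look like. This is an added example, not code from the question, the answer or CAP itself: a Node.js before-handler decision function for SalesOrderItems that re-applies the parent's restrict rules (Viewer/Sales limited to $user.company, Admin read-only and unscoped). It assumes the caller's company arrives as req.user.attr.company, that the item's foreign key is order_ID (CAP's default for `order: Association to SalesOrders`), and it injects the database lookups as plain functions over constructed sample rows (memoryDb) so that the file runs without @sap/cds; the srv.before / req.reject wiring is shown in a comment.

```javascript
'use strict';
// Added example (not from the original post or from CAP): "authorization
// dependent" SalesOrderItems enforced in a before-handler, mirroring the
// @restrict block on SalesOrders. Assumed, not taken from the post:
//  - req.user.attr.company carries the $user.company value;
//  - the item's foreign key to its parent is order_ID;
//  - db lookups are injected functions (cds.ql queries in a real service).

// Same grants as on SalesOrders; "scoped" = limited to the user's own company.
const ROLE_RULES = {
  Viewer: { ops: ['READ'], scoped: true },
  Sales: { ops: ['READ', 'CREATE', 'UPDATE', 'DELETE'], scoped: true },
  Admin: { ops: ['READ'], scoped: false },
};

// Widest grant the user holds for this event, or null if none applies.
function grantFor(user, op) {
  let best = null;
  for (const role of Object.keys(ROLE_RULES)) {
    const rule = ROLE_RULES[role];
    if (!user.is(role) || !rule.ops.includes(op)) continue;
    if (!best || (best.scoped && !rule.scoped)) best = rule; // unscoped wins
  }
  return best;
}

// READ: push `order.company = <company>` into the CQN where clause so the
// database filters rows; an existing where is kept as a bracketed group.
function addCompanyFilter(select, company) {
  const cond = [{ ref: ['order', 'company'] }, '=', { val: company }];
  const prev = select.SELECT.where;
  select.SELECT.where = prev && prev.length ? [{ xpr: prev }, 'and', ...cond] : cond;
  return select;
}

function deny(message) {
  return { allow: false, status: 403, message };
}

// Decide one request. db.companyOfOrder(orderId) / db.companyOfItem(itemId)
// return the owning company or undefined.
function authorizeItemRequest(req, db) {
  const op = req.event;
  const rule = grantFor(req.user, op);
  if (!rule) return deny(`${op} on SalesOrderItems not granted`);
  if (!rule.scoped) return { allow: true, query: req.query };

  const company = req.user.attr && req.user.attr.company;
  if (!company) return deny('user has no company attribute');
  if (op === 'READ') return { allow: true, query: addCompanyFilter(req.query, company) };

  // Writes: CREATE names the parent via order_ID; UPDATE/DELETE address the
  // item by key, so the parent's company comes from the stored item.
  const parent = op === 'CREATE' ? db.companyOfOrder(req.data.order_ID)
                                 : db.companyOfItem(req.data.ID);
  // Unknown and foreign parents get the same answer, so a guessed order_ID
  // cannot be used to probe which orders exist in other companies.
  if (parent !== company) return deny('order not found or not accessible');
  // An UPDATE must not re-parent the item into another company's order either.
  if (op === 'UPDATE' && req.data.order_ID !== undefined &&
      db.companyOfOrder(req.data.order_ID) !== company) {
    return deny('cannot move item to another company');
  }
  return { allow: true, query: req.query };
}

// Wiring in a CAP service implementation (srv/sales-order-service.js):
//   module.exports = srv => srv.before(
//     ['READ', 'CREATE', 'UPDATE', 'DELETE'], 'SalesOrderItems', req => {
//       const r = authorizeItemRequest(req, db); // db wraps SELECT.one.from(...)
//       if (!r.allow) return req.reject(r.status, r.message);
//     });

// Constructed sample rows standing in for the SalesOrders/SalesOrderItems tables.
const ORDERS = { 'o-1': { company: 'C100' }, 'o-2': { company: 'C200' } };
const ITEMS = { 'i-1': { order_ID: 'o-1' }, 'i-2': { order_ID: 'o-2' } };
const memoryDb = {
  companyOfOrder: id => ORDERS[id] && ORDERS[id].company,
  companyOfItem: id => ITEMS[id] && memoryDb.companyOfOrder(ITEMS[id].order_ID),
};

// Minimal stand-ins for cds.User / cds.Request as seen by a before-handler.
function makeUser(roles, company) {
  return { is: r => roles.includes(r), attr: company ? { company } : {} };
}
function makeReq(event, user, data, where) {
  const query = { SELECT: { from: { ref: ['SalesOrderItems'] } } };
  if (where) query.SELECT.where = where;
  return { event, user, data: data || {}, query };
}

if (typeof require !== 'undefined' && require.main === module) {
  const sales = makeUser(['Sales'], 'C100');
  console.log(authorizeItemRequest(makeReq('CREATE', sales, { order_ID: 'o-1' }), memoryDb));
  console.log(authorizeItemRequest(makeReq('DELETE', sales, { ID: 'i-2' }), memoryDb));
}
```

Two design points: READ is enforced by adding a condition to the CQN rather than by filtering the result set afterwards, so $count and paging stay correct; and writes resolve the parent's company server-side from the stored item rather than trusting anything in the payload. Because SalesOrders is @odata.draft.enabled, the draft events on SalesOrderItems.drafts (NEW, PATCH, and so on) are separate from the active-entity events listed in the wiring comment and need the same check registered for them.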

Accepted Solutions (0)

Answers (1)

MioYasutake
Active Contributor

As a workaround, I have exposed the company field in the SalesOrderItems entity. This way, I don't have to write event handler logic.

     @(restrict: [
            { grant: 'READ', to: 'Viewer', where: 'company = $user.company' },
            { grant: ['READ', 'WRITE'], to: 'Sales', where: 'company = $user.company' },
            { grant: 'READ', to: 'Admin' }
        ])
    entity SalesOrderItems as select from db.SalesOrderItems {*,
        order.company as company};