Oct 12, 2021 at 12:58 AM

CAP: Authorization Dependent concept



I'm implementing the following sample project. The requirement here is to restrict access to SalesOrder and SalesOrderItems entities to users who have authorizations for particular company codes.

model definition

using { cuid, managed } from '@sap/cds/common';
namespace salesorders;

entity SalesOrders {
    key ID: UUID @title: '{i18n>id}' @Core.Computed;
    orderNumber: Integer @title: '{i18n>orderNumber}';
    description: String @title : '{i18n>description}';
    company: String @title : '{i18n>company}';
    // backlink so the composition is tied to the item's `order` association
    items: Composition of many SalesOrderItems on items.order = $self;
}

// `cuid` dropped here: it already declares `key ID`, which would clash with the explicit key below
entity SalesOrderItems {
    key ID: UUID @title: '{i18n>id}' @Core.Computed;
    order: Association to SalesOrders @title: '{i18n>order}';
    product: String @title: '{i18n>product}';
}

service definition

// `db` alias for the model above; the `using` line is missing in the post and the path is assumed
using { salesorders as db } from '../db/schema';

@requires: ['authenticated-user', 'system-user']
service SalesOrderService {
    entity SalesOrders
     @(restrict: [
            // right-hand side of `where` reproduced as posted (cut off in the original)
            { grant: 'READ', to: 'Viewer', where: 'company = $' },
            { grant: ['READ', 'WRITE'], to: 'Sales', where: 'company = $' },
            { grant: 'READ', to: 'Admin' }
     ])
     as projection on db.SalesOrders;

    //  how to apply authorization check based on company?
    entity SalesOrderItems
     as projection on db.SalesOrderItems;
}


However, on item level we do not have a field "company". Looking at the parent's company code isn't possible, as mentioned in the question below.

RAP has the concept of Authorization Dependent, as described here.

An entity is defined as authorization dependent (authorization dependent by _Assoc) if the authorization control from the authorization master entity shall also be applied for the operations of this entity.

I think CAP currently doesn't have such a feature, and we have to implement the check in event handlers. Is this understanding correct?
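An added example of the event-handler approach the question ends on, written as plain JavaScript so the decision logic runs without a CAP runtime; this is not code from the original post or from @sap/cds. It mirrors the parent's @restrict block at item level: READ is filtered by the parent order's company, and each WRITE resolves the parent order (CREATE carries order_ID, UPDATE/DELETE carry the item key) and refuses the request if that order's company is outside the user's authorization. Assumptions, labelled in the code: the allowed company codes arrive as a user attribute named company (the right-hand side of the post's where: 'company = $' is cut off), user.is(role) and user.attr follow the shape of CAP's req.user, and the orders and items are constructed sample rows standing in for the database tables.

```javascript
// Added example, not from the original post or from @sap/cds.
// Assumption: allowed company codes come as the user attribute `company`
// (string or array); `user.is(role)` / `user.attr` mimic CAP's req.user.

const WRITE_EVENTS = new Set(['CREATE', 'UPDATE', 'DELETE']);

// Constructed sample rows standing in for SalesOrders / SalesOrderItems.
const DB = {
  SalesOrders: [
    { ID: 'o1', orderNumber: 1, company: '1000' },
    { ID: 'o2', orderNumber: 2, company: '2000' },
  ],
  SalesOrderItems: [
    { ID: 'i1', order_ID: 'o1', product: 'P-A' },
    { ID: 'i2', order_ID: 'o1', product: 'P-B' },
    { ID: 'i3', order_ID: 'o2', product: 'P-C' },
  ],
};

// Minimal stand-in for CAP's req.user: roles plus attributes.
function makeUser(roles, attr = {}) {
  const set = new Set(roles);
  return { attr, is: (role) => set.has(role) };
}

// Company codes the user may act on, always as an array. An absent attribute
// means "no companies", never "all companies".
function allowedCompanies(user) {
  const v = user.attr.company;
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Item-level rule derived from the parent's @restrict block:
//   Viewer: READ within own companies; Sales: READ + WRITE within own
//   companies; Admin: READ everywhere. `companies: null` means unrestricted.
function itemScope(user, event) {
  const write = WRITE_EVENTS.has(event);
  if (event === 'READ' && user.is('Admin')) return { allowed: true, companies: null };
  if (user.is('Sales') || (!write && user.is('Viewer'))) {
    const companies = allowedCompanies(user);
    if (companies.length === 0) return { allowed: false, status: 403, message: 'no company authorization' };
    return { allowed: true, companies };
  }
  return { allowed: false, status: 403, message: `${event} on SalesOrderItems not granted` };
}

// READ: the filter is taken from the parent order's company. In a CAP service
// this is the condition a before-READ handler would add to req.query; here it
// is applied to the in-memory table directly.
function readItems(user, db = DB) {
  const scope = itemScope(user, 'READ');
  if (!scope.allowed) return { status: scope.status, items: [] };
  const companyOf = new Map(db.SalesOrders.map((o) => [o.ID, o.company]));
  const items = db.SalesOrderItems.filter((it) => {
    const company = companyOf.get(it.order_ID);
    return scope.companies === null || scope.companies.includes(company);
  });
  return { status: 200, items };
}

// Every parent order a write touches: the target order_ID on CREATE (or when an
// UPDATE re-parents the item) and the item's current order on UPDATE/DELETE.
// Returns null when any parent cannot be resolved, so the write is refused.
function parentCompanies(event, data, db) {
  const ids = new Set();
  if (data.order_ID !== undefined) ids.add(data.order_ID);
  if (event !== 'CREATE') {
    const item = db.SalesOrderItems.find((it) => it.ID === data.ID);
    if (item) ids.add(item.order_ID);
  }
  const out = [];
  for (const id of ids) {
    const order = db.SalesOrders.find((o) => o.ID === id);
    if (!order) return null;
    out.push(order.company);
  }
  return out.length ? out : null;
}

// WRITE: what a before-CREATE/UPDATE/DELETE handler would do with req.reject.
function checkWrite(user, event, data, db = DB) {
  const scope = itemScope(user, event);
  if (!scope.allowed) return { ok: false, status: scope.status, message: scope.message };
  const companies = parentCompanies(event, data, db);
  if (companies === null) return { ok: false, status: 404, message: 'parent order not found' };
  const denied = companies.find((c) => !scope.companies.includes(c));
  if (denied !== undefined) return { ok: false, status: 403, message: `company ${denied} not authorized` };
  return { ok: true, status: 200 };
}
```

The re-parenting case is the one worth noting: an UPDATE that changes order_ID is checked against both the current and the target order, otherwise a Sales user could move an item into a company they are not authorized for.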