on 10-12-2021 1:58 AM
Hi,
I'm implementing the following sample project. The requirement here is to restrict access to SalesOrder and SalesOrderItems entities to users who have authorizations for particular company codes.
model definition
using { cuid, managed } from '@sap/cds/common';
namespace salesorders;

entity SalesOrders {
  key ID          : UUID @title: '{i18n>id}' @Core.Computed;
      orderNumber : Integer @title: '{i18n>orderNumber}';
      description : String @title: '{i18n>description}';
      company     : String @title: '{i18n>company}';
      // a to-many composition needs an on-condition (back-link to the parent)
      items       : Composition of many SalesOrderItems on items.order = $self;
}

// cuid already contributes `key ID : UUID`, so the key is declared once here
// instead of including cuid as well
entity SalesOrderItems {
  key ID      : UUID @title: '{i18n>id}' @Core.Computed;
      order   : Association to SalesOrders @title: '{i18n>order}';
      product : String @title: '{i18n>product}';
}
service definition
// assumed path to the model definition above
using { salesorders as db } from '../db/schema';

@requires: ['authenticated-user', 'system-user']
service SalesOrderService {

  @odata.draft.enabled
  entity SalesOrders @(restrict: [
    { grant: 'READ',            to: 'Viewer', where: 'company = $user.company' },
    { grant: ['READ', 'WRITE'], to: 'Sales',  where: 'company = $user.company' },
    { grant: 'READ',            to: 'Admin' }
  ]) as projection on db.SalesOrders;

  // how to apply authorization check based on company?
  entity SalesOrderItems as projection on db.SalesOrderItems;
}
However, at item level we do not have a field "company". Looking at the parent's company code isn't possible, as mentioned in the question below.
https://answers.sap.com/questions/13013423/how-to-follow-associations-in.html
RAP has the concept of Authorization Dependent, as described here.
An entity is defined as authorization dependent (authorization dependent by _Assoc) if the authorization control from the authorization master entity shall also be applied for the operations of this entity.
I think CAP currently doesn't have such a feature, and we have to implement the check in event handlers. Is this understanding correct?
As a workaround, I have exposed the company field to SalesOrderItems entity. This way, I don't have to write event handler logic.
  // inside SalesOrderService, replacing the plain SalesOrderItems projection above
  @(restrict: [
    { grant: 'READ',            to: 'Viewer', where: 'company = $user.company' },
    { grant: ['READ', 'WRITE'], to: 'Sales',  where: 'company = $user.company' },
    { grant: 'READ',            to: 'Admin' }
  ])
  entity SalesOrderItems as select from db.SalesOrderItems {
    *,
    order.company as company   // pull the parent's company into the item projection
  };
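The event-handler alternative the post mentions, as an added example that is not part of the original post and not CAP's own code: a plain-JavaScript sketch of an "authorization dependent" check for SalesOrderItems that follows the `order` association to the parent's `company` and compares it with the user's `company` attribute, mirroring the three @restrict rules on SalesOrders. The `req.user.is(role)`, `req.user.attr.company` and `req.reject(code, msg)` shapes are modelled on CAP's request object but are mocked here so the block runs offline; the order and item rows, the `order_ID` foreign-key name, and the `GRANTS` table are constructed for this example.

```javascript
// Constructed sample rows standing in for db.SalesOrders and db.SalesOrderItems.
// `order_ID` is assumed to be the foreign key generated for the managed association `order`.
const SALES_ORDERS = [
  { ID: 'o1', orderNumber: 1, company: '1000' },
  { ID: 'o2', orderNumber: 2, company: '2000' },
];
const SALES_ORDER_ITEMS = [
  { ID: 'i1', order_ID: 'o1', product: 'Bolt' },
  { ID: 'i2', order_ID: 'o2', product: 'Nut' },
  { ID: 'i3', order_ID: 'o1', product: 'Washer' },
];

// Mirrors the @restrict rules on SalesOrders in the question: Viewer and Admin read
// only, Sales reads and writes; Admin is the one grant without a company filter.
const GRANTS = {
  Viewer: { events: ['READ'], filtered: true },
  Sales:  { events: ['READ', 'CREATE', 'UPDATE', 'DELETE'], filtered: true },
  Admin:  { events: ['READ'], filtered: false },
};

// Normalise the user's company attribute to an array (assumption: the attribute
// may arrive as a single value or as a list, as with CAP's req.user.attr).
function userCompanies(user) {
  const c = user.attr && user.attr.company;
  if (c === undefined || c === null) return [];
  return Array.isArray(c) ? c : [c];
}

// Resolve an item's company through its parent order (the "authorization master"
// in RAP terms). An item whose parent cannot be found yields undefined.
function companyOf(item, orders) {
  const parent = orders.find(o => o.ID === item.order_ID);
  return parent ? parent.company : undefined;
}

// Is the user, via any of their roles, allowed `event` on items whose parent order
// belongs to `company`? Unfiltered grants (Admin) pass regardless of company;
// filtered grants need a resolved company that the user holds.
function isAuthorized(user, event, company) {
  for (const [role, rule] of Object.entries(GRANTS)) {
    if (!user.is(role) || !rule.events.includes(event)) continue;
    if (!rule.filtered) return true;
    if (company !== undefined && userCompanies(user).includes(company)) return true;
  }
  return false;
}

// READ: instance filter, like the `where` clause, but evaluated on the parent's company.
function readableItems(user, items, orders) {
  return items.filter(it => isAuthorized(user, 'READ', companyOf(it, orders)));
}

// Write events: reject when the parent order's company is not one the user may write to.
// This is the shape a srv.before(['CREATE','UPDATE','DELETE'], 'SalesOrderItems', ...)
// handler would take; returns true when the request may proceed.
function beforeWriteItem(req, orders) {
  const company = companyOf(req.data, orders);
  if (!isAuthorized(req.user, req.event, company)) {
    return req.reject(403, `No ${req.event} authorization for company ${company}`);
  }
  return true;
}

// Minimal stand-ins for a CAP user and request (constructed for this example).
function mockUser(roles, attr) {
  return { is: r => roles.includes(r), attr: attr || {} };
}
function mockReq(user, event, data) {
  return {
    user, event, data,
    reject: (code, msg) => { const e = new Error(msg); e.code = code; throw e; },
  };
}

// Usage: a Viewer for company 1000 sees only the items of order o1.
const viewer1000 = mockUser(['Viewer'], { company: '1000' });
console.log(readableItems(viewer1000, SALES_ORDER_ITEMS, SALES_ORDERS).map(i => i.ID));
```

Two things to notice when carrying this into a real handler: an item whose parent cannot be resolved is denied for the filtered roles rather than silently allowed, and for READ the filter should be pushed into the query (as the `where` clause does) instead of being applied to rows after they have been fetched, which is what makes the projection workaround above attractive.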