RAP BO is ignoring CDS access controls of child entities in draft mode

bdrv
Discoverer
0 Kudos

Hi all,

I'm facing a situation where the data of certain child entities should only be accessible for certain users. I thought we would be able to achieve this via CDS access controls and for the display scenario this is indeed working as expected.

Unfortunately though, when a user with restricted access for certain child entities clicks the edit button (of our draft enabled managed RAP BO), all child data is becoming part of the draft and what he could not see in display mode is now available in edit mode. So it seems that the edit action is ignoring the access controls and all child data is copied to the draft tables regardless. Not sure if this is the expected behavior?

Some things I've considered:

- I've been testing with global and instance authorization checks in the behavior implementation, in root and child entities, but it seems those methods do not offer any solutions for read operations.

- I also thought we could maybe disable the association via instance features, but that approach seems to be limited to the create operation.

- In the previous A4F programming model we could create our own draft copier class and intervene there in which data was copied to the draft. Is there a similar option for managed BOs in RAP? (without switching to unmanaged)

Note that I'm not considering UI based solutions (like hiding the section or fields via feature control) as the data should not be accessible to the user in any way (by playing with the OData service manually).

Any suggestions? Thanks for the advice!

(working on premise system 2021 FPS01)

Bjorn

Accepted Solutions (1)

Renzo
Advisor
0 Kudos

Hi Bjorn,

That's right: for consistency reasons and internal processing, a complete root instance is always copied to the draft. If child entities have a stricter authorization control than their root, you also need to introduce a dedicated DCL for the draft access via draft query views; see also Draft Query Views | SAP Help Portal.

In older releases like S/4HANA 2021, this feature is not yet available, so the only option there is to ensure that the draft edit authorization handler allows this operation only if the user has authorizations for all entities.

bdrv
Discoverer
0 Kudos

Hi Renzo,

Thanks for your clear response!

Good to know this draft query views feature is coming; for now we will probably work around it by changing our data model a bit.

Kind regards,

Bjorn
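
The fallback described in the accepted answer for releases without draft query views, as an added example (not code from the thread or from SAP): the instance authorization handler of the root refuses the draft `Edit` action unless the user passes the check for every child that would be copied into the draft. The names `ZR_Root`, alias `Root`, `_Child`, `RootUUID`, `SecurityClass`, the authorization object `ZCHILD_SEC` and its field `ZSECCLASS` are all hypothetical, and the child is assumed to carry its root's key field.

```abap
" Added example. Hypothetical names: ZR_Root (alias Root), _Child, RootUUID,
" SecurityClass, authorization object ZCHILD_SEC with field ZSECCLASS.
CLASS lhc_root DEFINITION INHERITING FROM cl_abap_behavior_handler.
  PRIVATE SECTION.
    METHODS get_instance_authorizations FOR INSTANCE AUTHORIZATION
      IMPORTING keys REQUEST requested_authorizations FOR Root RESULT result.
ENDCLASS.

CLASS lhc_root IMPLEMENTATION.
  METHOD get_instance_authorizations.
    " Only the draft Edit action is decided in this example.
    CHECK requested_authorizations-%action-Edit = if_abap_behv=>mk-on.

    " IN LOCAL MODE bypasses access control, so all children that Edit would
    " copy into the draft are evaluated, not only those the user may read.
    READ ENTITIES OF zr_root IN LOCAL MODE
      ENTITY Root BY \_Child
        FIELDS ( RootUUID SecurityClass )
        WITH CORRESPONDING #( keys )
      RESULT DATA(children).

    LOOP AT keys INTO DATA(key).
      DATA(edit_auth) = if_abap_behv=>auth-allowed.

      " Assumption: each child row carries the key of its root (RootUUID).
      LOOP AT children INTO DATA(child) WHERE RootUUID = key-RootUUID.
        AUTHORITY-CHECK OBJECT 'ZCHILD_SEC'
          ID 'ZSECCLASS' FIELD child-SecurityClass
          ID 'ACTVT'     FIELD '03'.
        IF sy-subrc <> 0.
          " One unreadable child is enough to refuse the whole draft copy.
          edit_auth = if_abap_behv=>auth-unauthorized.
          EXIT.
        ENDIF.
      ENDLOOP.

      APPEND VALUE #( %tky         = key-%tky
                      %action-Edit = edit_auth ) TO result.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

The check mirrors, in ABAP, the condition the child's DCL enforces for display, so the two have to be kept in sync when the access rule changes.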
