Prevent unauthorized read access to the data exposed by your service using access control. For this purpose, you create an access control and then implement it for the CDS view on which your service is based.
For the data definitions that you want to protect, you need to define the use of access control.
If you’re using additional data definitions of type projection view, you need to define the use of an access control in them.
-
Add the following line to the data definition of the interface:
@AccessControl.authorizationCheck: #CHECKFor more information, see Access Control Annotations in the documentation of the ABAP RESTful Application Programming Model.
-
If you’re using additional data definitions of type projection view, you also need to define the use of an access control in them.
Even if you have modeled necessary authorizations for your service by creating a new authorization object, the authorization object itself doesn’t protect your service from being accessed by a business user in the ABAP environment. Therefore, as a next step, you implement a read protection for your service. In our example, this means that business users should only be allowed to view bonus calculations whose bonus variant matches with the users' authorization. You implement a read protection using access control, which uses the authorization object that you created.
-
Go to the core data service (CDS) view on which your service is based.
You can find this CDS view under the data definitions of the core data services of your package.
-
To create an access control for the CDS view, follow the instructions of the ABAP CDS Development User Guide: Creating Access Controls and use the template Define Role with PFCG Aspect.
-
If you’re using additional data definitions of type projection view, you also need to create additional access controls for them using the template Define Role with Inherited Conditions.
You must edit the access control code to implement access control for the CDS view on which your service is based. Access control is based on the authorization object that you created before.
-
Choose the access control that you’ve created, which currently looks like the following:
@EndUserText.label: '<your access control description>' @MappingRole: true define role <your access control name> { grant select on ${cds_entity} where (${entity_element_1}, ${entity_element_2}) = aspect pfcg_auth(${authorization_object}, ${authorization_field_1}, ${authorization_field_2}, ${filter_field_1} = '${filter_value_1}'); }
-
Adapt the code so that it grants access if the requesting business user has authorizations that contain authorization object
ZBNSCLC_AO(Bonus Calculation) with allowed activity (ACTVT) 03 Display and bonus variant (ZBNS_VARNT) values that match the bonus variant (bonusvariant) of the existing bonus calculation:@EndUserText.label: 'Access Control for CDS Z_I_BONUS_CALCULATION' @MappingRole: true define role Z_I_BONUS_CALCULATION { grant select on z_i_bonus_calculation where (bonusvariant) = aspect pfcg_auth(ZBNSCLC_AO, ZBNS_VARNT, ACTVT = '03'); }
In our example,
cds_entityis thez_i_bonus_calculationCDS view. -
If you’re using additional data definitions of type projection view, enhance the coding as follows:
@EndUserText.label: '<your access control description>' @MappingRole: true define role <your access control name> { grant select on <your projection view name> where inheriting conditions from entity z_i_bonus_calculation; }
As a result, only business users with the corresponding authorizations get bonus calculations from the service, and they only get bonus calculations with allowed bonus variant values.