教程:基于访问控制的ABAP CDS视图权限
Hi!
对每一个CDS视图,我们都可以通过DCL(Data Control Language)定义访问控制。在这篇文章中,我会介绍ABAP CDS视图中非常重要的一面:权限管理。
本文的阐述基于我正在使用的S4/HANA 1610 on NW 7.51.
内容分为五个部分:
- 标准示例的访问控制。
- 基于PFCG权限创建一个简单的例子。
- 带有CUBE数据类别的CDS分析视图。
- CDS分析查询视图的访问控制。
- 权限对象的并集(UNION)或者交集(INTERSECTION)。
本文链接:http://www.cnblogs.com/hhelibeb/p/7427753.html
1. 标准示例的访问控制例子
1) 全访问示例(Full access)
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_fullaccess {
grant select on demo_cds_auth_fullaccess; }
2) 字面条件示例(Literal conditions)
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_literal {
grant select on demo_cds_auth_literal
where carrid = 'LH'; }
3) PFCG权限示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_pfcg {
grant select on demo_cds_auth_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt=''); }
权限对象s_carrid可以在事务代码SU21中的BC_C object类下查到。
4) 字面条件和PFCG权限结合示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_lit_pfcg {
grant select on demo_cds_auth_lit_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='') and
currcode = 'EUR'; }
5) 继承权限示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
as select from
demo_cds_auth_lit_pfcg
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_inherited {
grant select on demo_cds_auth_inherited
inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }
在这个例子会显示USD和EUR类型货币的记录。
6) 根据当前用户的权限控制示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
as select from
abdocmode
{
key uname,
key langu,
flag
};
DCL:
@MappingRole: true
define role demo_cds_role_user {
grant select on demo_cds_auth_user
where
uname ?= aspect user; }
2. 基于PFCG权限创建一个简单的例子
复制以下代码,创建我们自己的CDS视图:
@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
{
key carrid,
carrname,
currcode,
url
};
3,现在,如果在HANA Studio中打开数据预览,我们将可以看到所有记录。访问控制目前还不存在。
2,在SU21创建我们自己的自定义权限对象:
对于每个对象定义权限字段和活动字段,加入允许活动“03 显示”。在本示例中,我们要在ZS_CONNID中添加字段CARRID和CONNID。
3,为ZS_CARRID创建数据控制。
@MappingRole: true
define role zdemo_access_pfcg {
grant select on Zdemo_Access_Pfcg
where (carrid) =
aspect pfcg_auth (zs_carrid, carrid, actvt=''); }
4,在PFCG中创建一个新的角色,在这里添加刚刚创建的权限对象,定义用户应当看到的基于选择字段的数据。不要忘记生成配置。为我们的用户分配角色。
在第一个示例中,我们只使用ZS_CARRID。在文章的后面,我们会用到其它的对象。
5,回到HANA Studio来测试权限。打开我们的CDS视图的数据预览:
现在我们只看到了定义好的航空公司(CARRID)字段的记录。
注意:
- 如果在ABAP字典(SE11)中打开视图,结果会是全部数据记录。
- 如果在DDL中修改注解为如下内容,并激活CDS视图,我们将可以再次在数据预览中看到全部数据。这意味着检查已经关闭。
@AccessControl.authorizationCheck: #NOT_ALLOWED
结论:在一个从数据库表中查询数据的简单例子中,我们看到了访问控制是如何工作的。下面讲讲CDS分析视图。
3. 带有CUBE数据类别的CDS分析视图
1,通过复制已有的内容创建我们自己的CDS视图。这是一个带有CUBE数据分类的CDS视图(译注:代码框出了点问题,大家凑合看下..):
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view
@Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
// Take care with OData publishing the max. lenght is 26 characters
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection
Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate
Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom
@EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo
@EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo
Z05_I_FlightByAirport.Currency, // Use the column Currency
Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice
Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
// view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages
// as they cannot be evaluated at the detail level
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column)
}
2,在访问控制中进行定义:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline ) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '' ); }
3,在文章的第2部分,我们在权限对象中添加了ZS_CARRID。在HANA Studio的数据预览中检查结果。行数是530.
4,在事务代码RSRT中检查结果,行数也是530。结果相同。
5,在BO Analysis for Excel中检查结果。结果是相同的,对用户而言,只有选中的航空公司可以被访问。
注意:没有AF航空公司的业务数据,这是上面的屏幕未显示相关数据的原因。
4. CDS分析查询视图的访问控制
1,在第3部分的CUBE CDS中创建一个分析查询视图。
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view
@Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
// Take care with OData publishing the max. lenght is 26 characters
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection
Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate
Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom
@EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo
@EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo
Z05_I_FlightByAirport.Currency, // Use the column Currency
Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice
Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
// view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages
// as they cannot be evaluated at the detail level
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column)
}
2,在HANA Studio中进行数据预览,行数还是4894。看起来CDS分析查询没有使用到Cube CDS视图权限,但是事实并非如此。你并不需要为分析查询CDS视图创建额外的访问控制。
3,在Excel中检查RSRT或者BO分析的结果。结果表明Cube CDS视图的权限在分析查询中起到了作用。
注意:在分析查询定义中不需要创建任何变量,就像我们在带有权限的BEx查询中那样。
4,修改Cube CDS视图,添加权限对象ZS_CONNID而非ZS_CARRID。
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( FlightConnection) = aspect pfcg_auth ( ZS_CONNID,
CONNID,
actvt = '' ); }
分析查询结果变得严格了(在第2部分的第4步可以看到ZS_CONNID的定义).
现在结果的行数是212.
5. 权限的并集(UNION)和交集(INTERSECTION)
1,通过“AND”取权限的交集。这里定义了一个新的权限“ZS_FLDAT”,它只包含3天的范围(2015.02.04 - 2015.02.06)。修改DCL,增加交集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '' ) AND
(FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '' ); }
2,通过“OR”取并集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '' ) OR
( FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '' ); }
3,如果在一个权限对象中添加这两个字段,那结果就类似于交集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline, FlightDate) =
aspect pfcg_auth ( ZS_NEW,
CARRID,
FLTDATE,
actvt = '' );
注意:不要忘记在Cube CDS视图的层级定义权限,而非分析视图层级。如果你在分析查询层级定义了和第5部分相同的权限,那么:
- 在SAP HANA Studio的数据预览中,结果看起来是对的。
- 在RSRT, BO Analysis for Excel和其它使用了OLAP引擎的工具中,使用的是Cube CDS视图的权限(如有定义)。
注意:在HANA Studio的数据预览中,分析查询的结果会全部展示。为了纠正这点,可以给分析查询创建以下访问控制:
@MappingRole: true
define role Z05_ROLE_2 {
grant select on Z05_C_FlightByAirportQuery
inherit Z05_ROLE; }
结论:你可以为CDS分析视图定义权限的交集或者并集。
本文结束,感谢关注!
英文原文:ABAP CDS views with Authorization based on Access Control
教程:基于访问控制的ABAP CDS视图权限的更多相关文章
- ABAP CDS-介绍(ABAP CDS视图)
前言 文章翻译自Tushar Sharma的文章,转载请注明原作者和译者! 在SAP发展到SAP HANA版本之后,SAP内部的技术正在快速地变化,SAP开发业务应用程序的方式已经发生了范式转变(根本 ...
- 使用ABAP CDS视图创建服务
介绍本文介绍使用ABAP Core Data Services创建OData服务的最快方法. 给出了有关@ OData.publish注释利用率,对数据源CDS实体的引用和从DDIC结构导入的详细信息 ...
- ABAP-Eclipse ADT中创建ABAP CDS视图
Create an ABAP Project in ABAP Development Tools (ADT): https://developers.sap.com/tutorials/abap-cr ...
- ABAP CDS-Part 1(ABAP CDS实体)
文章翻译自Tushar Sharma的文章,转载请注明原作者和译者! 目录 预备条件 一.概述 二.ABAP CDS实体(CDS Entity) a.定义ABAP CDS Views b.ABAP C ...
- ABAP CDS Table Function介绍与示例
Core data services(以下简称CDS)可以指两样东西,一个是HANA CDS,一个是ABAP CDS. 如我们所知,HANA CDS只支持HANA数据库,ABAP CDS理论上支持多种 ...
- 使用PlanViz进行ABAP CDS性能分析
如管理学学者彼得·德鲁克所说:你无法管理你不能衡量的东西( If you can't measure it, you can't manage it).要对已有程序进行性能优化,首先要对它的运行状况做 ...
- 【ABAP CDS系列】ABAP CDS中的系统信息
公众号:SAP Technical 本文作者:matinal 原文出处:http://www.cnblogs.com/SAPmatinal/ 原文链接:[ABAP CDS系列]ABAP CDS中的系统 ...
- CDS测试框架介绍:如何为ABAP CDS Entities写测试
动机 现在大家都知道单元测试对我们代码的好处.并且我们都承认它是开发过程中不可或缺的一部分.但是在把代码切换到数据库的模式下的时候,我们被粗暴地打回了软件测试的黑暗年代...我们现在面临着逻辑下推到A ...
- CDS视图篇 2
核心数据服务 (CDS) 公司希望使用 SAPS/4HANA 核心数据服务 (CDS) 视图技术.需要学习 CDS 视 图的概念和结构以及语法 . ● 核心数据服务是用于业务实体的 SAP 战略建模方 ...
随机推荐
- Spring Data JPA 复杂/多条件组合查询
1: 编写DAO类或接口 dao类/接口 需继承 public interface JpaSpecificationExecutor<T> 接口: 如果需要分页,还可继承 public ...
- JS - 讨论 - 编码习惯 - JavaScript代码到底要不要写分号?
如题:烦请大家在评论区给出原创意见!多谢!
- 51nod_1627:瞬间移动
题目链接:https://www.51nod.com/onlineJudge/questionCode.html#!problemId=1627 还是杨辉三角~ #include<bits/st ...
- static关键字,引发的spring普通类获取spring的bean的思考
在c++和java中static关键字用于修饰静态成员变量和成员函数 举例一个普通的javabean class AA { int a; static int b; geta/seta;//此处省略g ...
- (转)Linux 下 查看以及修改文件权限
场景:Linux环境下远程部署项目,发现因为文件权限问题,不能执行远端的可执行文件.问题还没解决,待议... 1 查看权限 在终端输入: ls -l xxx.xxx (xxx.xxx是文件名) 那么就 ...
- (转)通过Net-Speeder为搬瓦工提升网速
为了解决丢包问题,最简单粗暴的方法就是双倍发送,即同一份数据包发送两份.这样的话在服务器带宽充足情况下,丢包率会平方级降低.直接优点是降低丢包率,直接缺点是耗费双倍流量.一些延伸影响是更容易触发快速恢 ...
- 计算机网络之应用层_part -1
应用层协议原理 一.网络应用程序体系结构 网络应用程序体系结构是由程序研发者设计的,规定了如何在各种端系统中组织该应用程序,主要流行的有两种: 1.客户--服务器体系结构: 有一个总是打开的主机(称为 ...
- 【CSS】less 学习小结
1. less 使用 less 可直接使用浏览器解析 or 使用node 的grunt/gulp 解析成传统css . 推荐开发环境直接使用less 文件调试, 生产环境部署解析好的css 2. l ...
- css 过渡和 变形
一.过渡(transition) transition-property: 指定具有过渡效果的CSS样式属性名 1.默认值: all 2.仅具有中间值(CSS样式值是数值的)的CSS样式具有过渡效果 ...
- Python使用openpyxl读写excel文件
Python使用openpyxl读写excel文件 这是一个第三方库,可以处理xlsx格式的Excel文件.pip install openpyxl安装.如果使用Aanconda,应该自带了. 读取E ...