Fork me on GitHub

教程:基于访问控制的ABAP CDS视图权限

Hi!

对每一个CDS视图,我们都可以通过DCL(Data Control Language)定义访问控制。在这篇文章中,我会介绍ABAP CDS视图中非常重要的一面:权限管理。

本文的阐述基于我正在使用的S4/HANA 1610 on NW 7.51.

内容分为五个部分:

  1. 标准示例的访问控制。
  2. 基于PFCG权限创建一个简单的例子。
  3. 带有CUBE数据类别的CDS分析视图。
  4. CDS分析查询视图的访问控制。
  5. 权限对象的并集(UNION)或者交集(INTERSECTION)。

 

本文链接:http://www.cnblogs.com/hhelibeb/p/7427753.html

1. 标准示例的访问控制例子

1) 全访问示例(Full access

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
  as select from
    scarr
    {
      key carrid,
          carrname,
          currcode,
          url
    };  

 DCL:

@MappingRole: true
define role demo_cds_role_fullaccess {
  grant select on demo_cds_auth_fullaccess; }

2) 字面条件示例(Literal conditions

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
 as select from
 scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 };

DCL:

@MappingRole: true
define role demo_cds_role_literal {
  grant select on demo_cds_auth_literal
  where carrid = 'LH'; }

3) PFCG权限示例

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
 as select from
 scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 }; 

DCL:

@MappingRole: true
define role demo_cds_role_pfcg {
  grant select on demo_cds_auth_pfcg
  where (carrid) =
  aspect pfcg_auth (s_carrid, carrid, actvt='03'); }

 权限对象s_carrid可以在事务代码SU21中的BC_C object类下查到。

4) 字面条件和PFCG权限结合示例

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
 as select from
 scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 };    

DCL:

@MappingRole: true
define role demo_cds_role_lit_pfcg {
  grant select on demo_cds_auth_lit_pfcg
  where (carrid) =
  aspect pfcg_auth (s_carrid, carrid, actvt='03') and
         currcode = 'EUR'; }

5) 继承权限示例

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
  as select from
    demo_cds_auth_lit_pfcg
    {
      key carrid,
          carrname,
          currcode,
          url
    };  

DCL:

@MappingRole: true
define role demo_cds_role_inherited {
  grant select on demo_cds_auth_inherited
               inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }

在这个例子会显示USD和EUR类型货币的记录。

6) 根据当前用户的权限控制示例

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
  as select from
    abdocmode
    {
      key uname,
      key langu,
          flag
    };  

DCL:

@MappingRole: true
define role demo_cds_role_user { 
  grant select on demo_cds_auth_user
    where
      uname ?= aspect user; }

2. 基于PFCG权限创建一个简单的例子

复制以下代码,创建我们自己的CDS视图:

@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 };   

3,现在,如果在HANA Studio中打开数据预览,我们将可以看到所有记录。访问控制目前还不存在。

2,在SU21创建我们自己的自定义权限对象:

对于每个对象定义权限字段和活动字段,加入允许活动“03 显示”。在本示例中,我们要在ZS_CONNID中添加字段CARRID和CONNID。

3,为ZS_CARRID创建数据控制。

@MappingRole: true
define role zdemo_access_pfcg {
  grant select on Zdemo_Access_Pfcg
  where (carrid) =
  aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }

4,在PFCG中创建一个新的角色,在这里添加刚刚创建的权限对象,定义用户应当看到的基于选择字段的数据。不要忘记生成配置。为我们的用户分配角色。

在第一个示例中,我们只使用ZS_CARRID。在文章的后面,我们会用到其它的对象。

5,回到HANA Studio来测试权限。打开我们的CDS视图的数据预览:

现在我们只看到了定义好的航空公司(CARRID)字段的记录。

注意:

  1. 如果在ABAP字典(SE11)中打开视图,结果会是全部数据记录。
  2. 如果在DDL中修改注解为如下内容,并激活CDS视图,我们将可以再次在数据预览中看到全部数据。这意味着检查已经关闭。
@AccessControl.authorizationCheck: #NOT_ALLOWED 

结论:在一个从数据库表中查询数据的简单例子中,我们看到了访问控制是如何工作的。下面讲讲CDS分析视图。

3. 带有CUBE数据类别的CDS分析视图

1,通过复制已有的内容创建我们自己的CDS视图。这是一个带有CUBE数据分类的CDS视图(译注:代码框出了点问题,大家凑合看下..):

 

@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'                       // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK              // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights'                         // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION                                     // This is a CONSUMPTION view
@Analytics.query: true                                          // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true                                            // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated
     
define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport     // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
                                                                                // Take care with OData publishing the max. lenght is 26 characters
{
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column Airline
    Z05_I_FlightByAirport.Airline,                              // Use the column Airline
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightConnection
    Z05_I_FlightByAirport.FlightConnection,                     // Use the column FlightConnection
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightDate
    Z05_I_FlightByAirport.FlightDate,                           // Use the column FlightDate
    @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false }  // Creates a mandatory filter on the values in the field AirportFrom
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportFrom
    @EndUserText.label: 'Departure Airport'                     // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
    Z05_I_FlightByAirport.AirportFrom,                          // Use the column AirportFrom
    @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } //  Creates an optional filter on the values in the field AirportTo
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportTo
    @EndUserText.label: 'Arrival Airport'                       // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo 
    Z05_I_FlightByAirport.AirportTo,                            // Use the column AirportTo                             
    Z05_I_FlightByAirport.Currency,                             // Use the column Currency  
    Z05_I_FlightByAirport.AircraftType,                         // Use the column AircraftType
    @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column FlightPrice
    Z05_I_FlightByAirport.FlightPrice,                          // Use the column FlightPrice
    Z05_I_FlightByAirport.MaximumNumberOfSeats,                 // Use the column MaximumNumberOfSeats
    Z05_I_FlightByAirport.NumberOfOccupiedSeats,                // Use the column NumberOfOccupiedSeats
    @DefaultAggregation: #FORMULA                               // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
                                                                // view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages 
                                                                // as they cannot be evaluated at the detail level 
    @EndUserText.label: 'Available Seats'
    @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column NumberOfAvailableSeats
    Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats  // this is a formular (calculated column) 
} 

2,在访问控制中进行定义:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
    where ( Airline ) = 
    aspect pfcg_auth (  ZS_CARRID,
                        CARRID,
                        actvt = '03' );
    
}

3,在文章的第2部分,我们在权限对象中添加了ZS_CARRID。在HANA Studio的数据预览中检查结果。行数是530.

 

4,在事务代码RSRT中检查结果,行数也是530。结果相同。

5,在BO Analysis for Excel中检查结果。结果是相同的,对用户而言,只有选中的航空公司可以被访问。

 

注意:没有AF航空公司的业务数据,这是上面的屏幕未显示相关数据的原因。

4. CDS分析查询视图的访问控制

1,在第3部分的CUBE CDS中创建一个分析查询视图。

@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'                       // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK              // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights'                         // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION                                     // This is a CONSUMPTION view
@Analytics.query: true                                          // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true                                            // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated
     
define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport     // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
                                                                                // Take care with OData publishing the max. lenght is 26 characters
{
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column Airline
    Z05_I_FlightByAirport.Airline,                              // Use the column Airline
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightConnection
    Z05_I_FlightByAirport.FlightConnection,                     // Use the column FlightConnection
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightDate
    Z05_I_FlightByAirport.FlightDate,                           // Use the column FlightDate
    @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false }  // Creates a mandatory filter on the values in the field AirportFrom
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportFrom
    @EndUserText.label: 'Departure Airport'                     // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
    Z05_I_FlightByAirport.AirportFrom,                          // Use the column AirportFrom
    @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } //  Creates an optional filter on the values in the field AirportTo
    @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportTo
    @EndUserText.label: 'Arrival Airport'                       // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo 
    Z05_I_FlightByAirport.AirportTo,                            // Use the column AirportTo                             
    Z05_I_FlightByAirport.Currency,                             // Use the column Currency  
    Z05_I_FlightByAirport.AircraftType,                         // Use the column AircraftType
    @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column FlightPrice
    Z05_I_FlightByAirport.FlightPrice,                          // Use the column FlightPrice
    Z05_I_FlightByAirport.MaximumNumberOfSeats,                 // Use the column MaximumNumberOfSeats
    Z05_I_FlightByAirport.NumberOfOccupiedSeats,                // Use the column NumberOfOccupiedSeats
    @DefaultAggregation: #FORMULA                               // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
                                                                // view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages 
                                                                // as they cannot be evaluated at the detail level 
    @EndUserText.label: 'Available Seats'
    @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column NumberOfAvailableSeats
    Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats  // this is a formular (calculated column) 
} 

 

2,在HANA Studio中进行数据预览,行数还是4894。看起来CDS分析查询没有使用到Cube CDS视图权限,但是事实并非如此。你并不需要为分析查询CDS视图创建额外的访问控制。

3,在Excel中检查RSRT或者BO分析的结果。结果表明Cube CDS视图的权限在分析查询中起到了作用。

注意:在分析查询定义中不需要创建任何变量,就像我们在带有权限的BEx查询中那样。

4,修改Cube CDS视图,添加权限对象ZS_CONNID而非ZS_CARRID

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( FlightConnection) = aspect pfcg_auth (  ZS_CONNID,
                                                     CONNID,
                                                     actvt = '03' );
    
}

分析查询结果变得严格了(在第2部分的第4步可以看到ZS_CONNID的定义).

现在结果的行数是212.

5. 权限的并集(UNION)和交集(INTERSECTION)

1,通过“AND”取权限的交集。这里定义了一个新的权限“ZS_FLDAT”,它只包含3天的范围(2015.02.04 - 2015.02.06)。修改DCL,增加交集:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( Airline) = 
            aspect pfcg_auth (  ZS_CARRID,
                                CARRID,
                                actvt = '03' ) AND
           (FlightDate ) = 
            aspect pfcg_auth (  ZS_FLDAT,
                                FLTDATE,
                                actvt = '03' );
    
}

2,通过“OR”取并集:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( Airline) = 
            aspect pfcg_auth (  ZS_CARRID,
                                CARRID,
                                actvt = '03' ) OR
           ( FlightDate ) = 
            aspect pfcg_auth (  ZS_FLDAT,
                                FLTDATE,
                                actvt = '03' );
    
}

 3,如果在一个权限对象中添加这两个字段,那结果就类似于交集:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( Airline, FlightDate) = 
            aspect pfcg_auth (  ZS_NEW,
                                CARRID,
                                FLTDATE,
                                actvt = '03' );

注意:不要忘记在Cube CDS视图的层级定义权限,而非分析视图层级。如果你在分析查询层级定义了和第5部分相同的权限,那么:

  • 在SAP HANA Studio的数据预览中,结果看起来是对的。
  • 在RSRT, BO Analysis for Excel和其它使用了OLAP引擎的工具中,使用的是Cube CDS视图的权限(如有定义)。

注意:在HANA Studio的数据预览中,分析查询的结果会全部展示。为了纠正这点,可以给分析查询创建以下访问控制:

@MappingRole: true
define role Z05_ROLE_2 {
  grant select on Z05_C_FlightByAirportQuery 
               inherit Z05_ROLE; }

结论:你可以为CDS分析视图定义权限的交集或者并集。

 

本文结束,感谢关注!

 

英文原文:ABAP CDS views with Authorization based on Access Control

 
posted @ 2017-08-25 18:05  氢氦  阅读(3758)  评论(0编辑  收藏  举报