教程:基于访问控制的ABAP CDS视图权限
Hi!
对每一个CDS视图,我们都可以通过DCL(Data Control Language)定义访问控制。在这篇文章中,我会介绍ABAP CDS视图中非常重要的一面:权限管理。
本文的阐述基于我正在使用的S4/HANA 1610 on NW 7.51.
内容分为五个部分:
- 标准示例的访问控制。
- 基于PFCG权限创建一个简单的例子。
- 带有CUBE数据类别的CDS分析视图。
- CDS分析查询视图的访问控制。
- 权限对象的并集(UNION)或者交集(INTERSECTION)。
本文链接:http://www.cnblogs.com/hhelibeb/p/7427753.html
1. 标准示例的访问控制例子
1) 全访问示例(Full access)
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC' @AccessControl.authorizationCheck: #CHECK define view demo_cds_auth_fullaccess as select from scarr { key carrid, carrname, currcode, url };
DCL:
@MappingRole: true define role demo_cds_role_fullaccess { grant select on demo_cds_auth_fullaccess; }
2) 字面条件示例(Literal conditions)
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL' @AccessControl.authorizationCheck: #CHECK define view demo_cds_auth_literal as select from scarr { key carrid, carrname, currcode, url };
DCL:
@MappingRole: true define role demo_cds_role_literal { grant select on demo_cds_auth_literal where carrid = 'LH'; }
3) PFCG权限示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG' @AccessControl.authorizationCheck: #CHECK define view demo_cds_auth_pfcg as select from scarr { key carrid, carrname, currcode, url };
DCL:
@MappingRole: true define role demo_cds_role_pfcg { grant select on demo_cds_auth_pfcg where (carrid) = aspect pfcg_auth (s_carrid, carrid, actvt='03'); }
权限对象s_carrid可以在事务代码SU21中的BC_C object类下查到。
4) 字面条件和PFCG权限结合示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG' @AccessControl.authorizationCheck: #CHECK define view demo_cds_auth_lit_pfcg as select from scarr { key carrid, carrname, currcode, url };
DCL:
@MappingRole: true define role demo_cds_role_lit_pfcg { grant select on demo_cds_auth_lit_pfcg where (carrid) = aspect pfcg_auth (s_carrid, carrid, actvt='03') and currcode = 'EUR'; }
5) 继承权限示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_INH' @AccessControl.authorizationCheck: #CHECK define view demo_cds_auth_inherited as select from demo_cds_auth_lit_pfcg { key carrid, carrname, currcode, url };
DCL:
@MappingRole: true define role demo_cds_role_inherited { grant select on demo_cds_auth_inherited inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }
在这个例子会显示USD和EUR类型货币的记录。
6) 根据当前用户的权限控制示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_USR' @AccessControl.authorizationCheck: #CHECK define view demo_cds_auth_user as select from abdocmode { key uname, key langu, flag };
DCL:
@MappingRole: true define role demo_cds_role_user { grant select on demo_cds_auth_user where uname ?= aspect user; }
2. 基于PFCG权限创建一个简单的例子
复制以下代码,创建我们自己的CDS视图:
@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG' @AccessControl.authorizationCheck: #CHECK @EndUserText.label: 'Demo access pfcg' define view Zdemo_Access_Pfcg as select from scarr { key carrid, carrname, currcode, url };
3,现在,如果在HANA Studio中打开数据预览,我们将可以看到所有记录。访问控制目前还不存在。
2,在SU21创建我们自己的自定义权限对象:
对于每个对象定义权限字段和活动字段,加入允许活动“03 显示”。在本示例中,我们要在ZS_CONNID中添加字段CARRID和CONNID。
3,为ZS_CARRID创建数据控制。
@MappingRole: true define role zdemo_access_pfcg { grant select on Zdemo_Access_Pfcg where (carrid) = aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }
4,在PFCG中创建一个新的角色,在这里添加刚刚创建的权限对象,定义用户应当看到的基于选择字段的数据。不要忘记生成配置。为我们的用户分配角色。
在第一个示例中,我们只使用ZS_CARRID。在文章的后面,我们会用到其它的对象。
5,回到HANA Studio来测试权限。打开我们的CDS视图的数据预览:
现在我们只看到了定义好的航空公司(CARRID)字段的记录。
注意:
- 如果在ABAP字典(SE11)中打开视图,结果会是全部数据记录。
- 如果在DDL中修改注解为如下内容,并激活CDS视图,我们将可以再次在数据预览中看到全部数据。这意味着检查已经关闭。
@AccessControl.authorizationCheck: #NOT_ALLOWED
结论:在一个从数据库表中查询数据的简单例子中,我们看到了访问控制是如何工作的。下面讲讲CDS分析视图。
3. 带有CUBE数据类别的CDS分析视图
1,通过复制已有的内容创建我们自己的CDS视图。这是一个带有CUBE数据分类的CDS视图(译注:代码框出了点问题,大家凑合看下..):
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in the ABAP Repository @AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required @EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service @VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view @Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager @OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport // Take care with OData publishing the max. lenght is 26 characters { @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline Z05_I_FlightByAirport.Airline, // Use the column Airline @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom @EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo @EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo Z05_I_FlightByAirport.Currency, // Use the column Currency Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType @AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats @DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport // view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages // as they cannot be evaluated at the detail level @EndUserText.label: 'Available Seats' @AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column) }
2,在访问控制中进行定义:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT' @MappingRole: true define role Z05_ROLE { grant select on Z05_I_FlightByAirport where ( Airline ) = aspect pfcg_auth ( ZS_CARRID, CARRID, actvt = '03' ); }
3,在文章的第2部分,我们在权限对象中添加了ZS_CARRID。在HANA Studio的数据预览中检查结果。行数是530.
4,在事务代码RSRT中检查结果,行数也是530。结果相同。
5,在BO Analysis for Excel中检查结果。结果是相同的,对用户而言,只有选中的航空公司可以被访问。
注意:没有AF航空公司的业务数据,这是上面的屏幕未显示相关数据的原因。
4. CDS分析查询视图的访问控制
1,在第3部分的CUBE CDS中创建一个分析查询视图。
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in the ABAP Repository @AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required @EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service @VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view @Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager @OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport // Take care with OData publishing the max. lenght is 26 characters { @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline Z05_I_FlightByAirport.Airline, // Use the column Airline @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom @EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo @AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo @EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo Z05_I_FlightByAirport.Currency, // Use the column Currency Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType @AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats @DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport // view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages // as they cannot be evaluated at the detail level @EndUserText.label: 'Available Seats' @AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column) }
2,在HANA Studio中进行数据预览,行数还是4894。看起来CDS分析查询没有使用到Cube CDS视图权限,但是事实并非如此。你并不需要为分析查询CDS视图创建额外的访问控制。
3,在Excel中检查RSRT或者BO分析的结果。结果表明Cube CDS视图的权限在分析查询中起到了作用。
注意:在分析查询定义中不需要创建任何变量,就像我们在带有权限的BEx查询中那样。
4,修改Cube CDS视图,添加权限对象ZS_CONNID而非ZS_CARRID。
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT' @MappingRole: true define role Z05_ROLE { grant select on Z05_I_FlightByAirport where ( FlightConnection) = aspect pfcg_auth ( ZS_CONNID, CONNID, actvt = '03' ); }
分析查询结果变得严格了(在第2部分的第4步可以看到ZS_CONNID的定义).
现在结果的行数是212.
5. 权限的并集(UNION)和交集(INTERSECTION)
1,通过“AND”取权限的交集。这里定义了一个新的权限“ZS_FLDAT”,它只包含3天的范围(2015.02.04 - 2015.02.06)。修改DCL,增加交集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT' @MappingRole: true define role Z05_ROLE { grant select on Z05_I_FlightByAirport where ( Airline) = aspect pfcg_auth ( ZS_CARRID, CARRID, actvt = '03' ) AND (FlightDate ) = aspect pfcg_auth ( ZS_FLDAT, FLTDATE, actvt = '03' ); }
2,通过“OR”取并集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT' @MappingRole: true define role Z05_ROLE { grant select on Z05_I_FlightByAirport where ( Airline) = aspect pfcg_auth ( ZS_CARRID, CARRID, actvt = '03' ) OR ( FlightDate ) = aspect pfcg_auth ( ZS_FLDAT, FLTDATE, actvt = '03' ); }
3,如果在一个权限对象中添加这两个字段,那结果就类似于交集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT' @MappingRole: true define role Z05_ROLE { grant select on Z05_I_FlightByAirport where ( Airline, FlightDate) = aspect pfcg_auth ( ZS_NEW, CARRID, FLTDATE, actvt = '03' );
注意:不要忘记在Cube CDS视图的层级定义权限,而非分析视图层级。如果你在分析查询层级定义了和第5部分相同的权限,那么:
- 在SAP HANA Studio的数据预览中,结果看起来是对的。
- 在RSRT, BO Analysis for Excel和其它使用了OLAP引擎的工具中,使用的是Cube CDS视图的权限(如有定义)。
注意:在HANA Studio的数据预览中,分析查询的结果会全部展示。为了纠正这点,可以给分析查询创建以下访问控制:
@MappingRole: true define role Z05_ROLE_2 { grant select on Z05_C_FlightByAirportQuery inherit Z05_ROLE; }
结论:你可以为CDS分析视图定义权限的交集或者并集。
本文结束,感谢关注!
英文原文:ABAP CDS views with Authorization based on Access Control
