
Tutorial: ABAP CDS View Authorization Based on Access Control

Hi!

For every CDS view we can define access control through DCL (Data Control Language). In this post I will cover a very important aspect of ABAP CDS views: authorization management.

This article is based on the S4/HANA 1610 on NW 7.51 system I am currently working with.

The content is divided into five parts:

  1. Access control in the standard examples.
  2. Building a simple example based on PFCG authorization.
  3. A CDS analytical view with the CUBE data category.
  4. Access control for CDS analytical query views.
  5. UNION or INTERSECTION of authorization objects.

Link to this post: http://www.cnblogs.com/hhelibeb/p/7427753.html

1. Access control in the standard examples

1) Full access example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
  as select from
    scarr
    {
      key carrid,
          carrname,
          currcode,
          url
    };        

DCL:

@MappingRole: true
define role demo_cds_role_fullaccess {
  grant select on demo_cds_auth_fullaccess; }      

2) Literal conditions example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
 as select from
 scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 };      

DCL:

@MappingRole: true
define role demo_cds_role_literal {
  grant select on demo_cds_auth_literal
  where carrid = 'LH'; }      

3) PFCG authorization example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
 as select from
 scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 };

DCL:

@MappingRole: true
define role demo_cds_role_pfcg {
  grant select on demo_cds_auth_pfcg
  where (carrid) =
  aspect pfcg_auth (s_carrid, carrid, actvt='03'); }      

The authorization object s_carrid can be found in transaction SU21 under the object class BC_C.

4) Combined literal condition and PFCG authorization example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
 as select from
 scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 };

DCL:

@MappingRole: true
define role demo_cds_role_lit_pfcg {
  grant select on demo_cds_auth_lit_pfcg
  where (carrid) =
  aspect pfcg_auth (s_carrid, carrid, actvt='03') and
         currcode = 'EUR'; }      

5) Inherited authorization example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
  as select from
    demo_cds_auth_lit_pfcg
    {
      key carrid,
          carrname,
          currcode,
          url
    };

DCL:

@MappingRole: true
define role demo_cds_role_inherited {
  grant select on demo_cds_auth_inherited
               inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }      

In this example, records with the currencies USD and EUR are displayed.

6) Access control based on the current user example

DDL:

@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
  as select from
    abdocmode
    {
      key uname,
      key langu,
          flag
    };

DCL:

@MappingRole: true
define role demo_cds_role_user { 
  grant select on demo_cds_auth_user
    where
      uname ?= aspect user; }      

2. Building a simple example based on PFCG authorization

Copy the following code to create our own CDS view:

@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
 {
 key carrid,
 carrname,
 currcode,
 url
 };         

1. Now, if we open the data preview in HANA Studio, we can see all records. No access control exists yet.


2. Create our own custom authorization object in SU21:


For each object, define the authorization fields and the activity field, and add the permitted activity "03 Display". In this example we add the fields CARRID and CONNID to ZS_CONNID.


3. Create the access control for ZS_CARRID.

@MappingRole: true
define role zdemo_access_pfcg {
  grant select on Zdemo_Access_Pfcg
  where (carrid) =
  aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }      

4. Create a new role in PFCG, add the authorization object just created, and define which data the user should see based on the selected field values. Don't forget to generate the profile. Assign the role to our user.

In this first example we only use ZS_CARRID. Later in the article we will use the other objects.


5. Back in HANA Studio, test the authorization. Open the data preview of our CDS view:


Now we only see the records for the airline (CARRID) values that were defined in the role.

Notes:

  1. If the view is opened in the ABAP Dictionary (SE11), the result is all data records.
  2. If the annotation in the DDL is changed to the following and the CDS view is activated, we can again see all data in the data preview. This means the check has been switched off.
@AccessControl.authorizationCheck: #NOT_ALLOWED

Conclusion: in a simple example that reads data from a database table, we have seen how access control works. Next, CDS analytical views.

3. A CDS analytical view with the CUBE data category

1. Create our own CDS view by copying the existing content. This is a CDS view with the CUBE data category (translator's note: the code box here had some problems, please bear with it):


2. Define the access control for it:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
    where ( Airline ) = 
    aspect pfcg_auth (  ZS_CARRID,
                        CARRID,
                        actvt = '03' );
    
}      

3. In part 2 of this article we added ZS_CARRID to the role's authorization objects. Check the result in the HANA Studio data preview. The row count is 530.


4. Check the result in transaction RSRT; the row count is also 530. The results are the same.

5. Check the result in BO Analysis for Excel. The result is the same: for this user, only the selected airlines are accessible.


Note: there is no business data for the airline AF, which is why the screenshot above shows no data for it.

4. Access control for CDS analytical query views

1. Create an analytical query view on the CUBE CDS view from part 3.

@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'   // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK   // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights'     // Translatable short text, max. 60 characters. The label is exposed to analytic tools and the OData service
@VDM.viewType: #CONSUMPTION                 // This is a CONSUMPTION view
@Analytics.query: true                      // Tagging the CDS view as an analytical query exposes it to the analytic manager
@OData.publish: true                        // Generates a suitable OData service that uses the analytical query once the CDS entity is activated

define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport  // An analytical query CDS view is implemented as a select from the CDS view Z05_I_FlightByAirport
                                                                             // Take care with OData publishing: the max. length of the name is 26 characters
{
    @AnalyticsDetails.query.axis: #ROWS     // Default row/column placement for Airline
    Z05_I_FlightByAirport.Airline,
    @AnalyticsDetails.query.axis: #ROWS     // Default row/column placement for FlightConnection
    Z05_I_FlightByAirport.FlightConnection,
    @AnalyticsDetails.query.axis: #ROWS     // Default row/column placement for FlightDate
    Z05_I_FlightByAirport.FlightDate,
    @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false }  // Optional single-value filter on AirportFrom
    @AnalyticsDetails.query.axis: #ROWS     // Default row/column placement for AirportFrom
    @EndUserText.label: 'Departure Airport' // Human-readable label so that AirportFrom and AirportTo can be told apart
    Z05_I_FlightByAirport.AirportFrom,
    @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false }  // Optional single-value filter on AirportTo
    @AnalyticsDetails.query.axis: #ROWS     // Default row/column placement for AirportTo
    @EndUserText.label: 'Arrival Airport'   // Human-readable label so that AirportFrom and AirportTo can be told apart
    Z05_I_FlightByAirport.AirportTo,
    Z05_I_FlightByAirport.Currency,
    Z05_I_FlightByAirport.AircraftType,
    @AnalyticsDetails.query.axis: #COLUMNS  // Default row/column placement for FlightPrice
    Z05_I_FlightByAirport.FlightPrice,
    Z05_I_FlightByAirport.MaximumNumberOfSeats,
    Z05_I_FlightByAirport.NumberOfOccupiedSeats,
    @DefaultAggregation: #FORMULA           // Evaluation time matters for formula placement: inside the final query the formula is evaluated after the
                                            // aggregation of the FlightByAirport view, i.e. at the aggregate level rather than at row level. This matters
                                            // for averages, which cannot be evaluated at the detail level
    @EndUserText.label: 'Available Seats'
    @AnalyticsDetails.query.axis: #COLUMNS  // Default row/column placement for NumberOfAvailableSeats
    Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats  // Formula (calculated column)
}

2. Run a data preview in HANA Studio; the row count is still 4894. It looks as if the CDS analytical query does not apply the Cube CDS view's authorization, but that is not the case. You do not need to create an additional access control for the analytical query CDS view.

3. Check the result in RSRT or in BO Analysis for Excel. The result shows that the Cube CDS view's authorization takes effect in the analytical query.


Note: no variables need to be created in the analytical query definition, as we would have to do in a BEx query with authorizations.

4. Modify the Cube CDS view's access control, using the authorization object ZS_CONNID instead of ZS_CARRID.

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( FlightConnection) = aspect pfcg_auth (  ZS_CONNID,
                                                     CONNID,
                                                     actvt = '03' );
    
}      

The analytical query result becomes more restrictive (the definition of ZS_CONNID can be seen in part 2, step 4).

The row count is now 212.


5. UNION and INTERSECTION of authorizations

1. Take the intersection of authorizations with "AND". Here a new authorization object "ZS_FLDAT" is defined, which only covers a 3-day range (2015.02.04 - 2015.02.06). Modify the DCL to add the intersection:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( Airline) = 
            aspect pfcg_auth (  ZS_CARRID,
                                CARRID,
                                actvt = '03' ) AND
           (FlightDate ) = 
            aspect pfcg_auth (  ZS_FLDAT,
                                FLTDATE,
                                actvt = '03' );
    
}      

2. Take the union with "OR":

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( Airline) = 
            aspect pfcg_auth (  ZS_CARRID,
                                CARRID,
                                actvt = '03' ) OR
           ( FlightDate ) = 
            aspect pfcg_auth (  ZS_FLDAT,
                                FLTDATE,
                                actvt = '03' );
    
}      

3. If both fields are added to a single authorization object, the result is similar to the intersection:

@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
    grant select on Z05_I_FlightByAirport
     where ( Airline, FlightDate) =
            aspect pfcg_auth (  ZS_NEW,
                                CARRID,
                                FLTDATE,
                                actvt = '03' );
}
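At runtime a mapping role is nothing more than an implicit row filter on the view, derived from the PFCG authorizations of the calling user. The following Python model is an added example (not SAP code and not from the original post) that makes the three variants of part 5 and the inherit pattern from part 1, example 5 concrete, and it goes one step beyond the text: it also shows when the single-object form of step 3 is identical to the AND of two objects and when it is stricter. It assumes plain PFCG semantics (one authorization instance is a conjunction over its fields, several instances of the same object are OR-ed, and "*" is a full authorization); the flight rows and the user's authorization values are constructed, and the function names are this example's own.

```python
from datetime import date

# Constructed sample rows standing in for the cube view Z05_I_FlightByAirport.
# Element names match the CDS view; the values are made up for this example.
ROWS = [
    {"Airline": "LH", "FlightConnection": "0400", "FlightDate": date(2015, 2, 4),  "Currency": "EUR"},
    {"Airline": "LH", "FlightConnection": "0401", "FlightDate": date(2015, 2, 10), "Currency": "EUR"},
    {"Airline": "AA", "FlightConnection": "0017", "FlightDate": date(2015, 2, 5),  "Currency": "USD"},
    {"Airline": "AA", "FlightConnection": "0018", "FlightDate": date(2015, 2, 4),  "Currency": "USD"},
    {"Airline": "UA", "FlightConnection": "0941", "FlightDate": date(2015, 2, 6),  "Currency": "USD"},
    {"Airline": "AF", "FlightConnection": "0820", "FlightDate": date(2015, 3, 1),  "Currency": "EUR"},
]

# The 3-day range granted through ZS_FLDAT in part 5.
THREE_DAYS = {date(2015, 2, 4), date(2015, 2, 5), date(2015, 2, 6)}

# A user's PFCG authorizations (constructed): object -> list of authorization
# instances, each mapping an authorization field to its allowed values.
# Here the combined object ZS_NEW holds both fields in ONE instance.
USER_SINGLE = {
    "ZS_CARRID": [{"CARRID": {"LH", "AA"}, "ACTVT": {"03"}}],
    "ZS_FLDAT":  [{"FLTDATE": THREE_DAYS, "ACTVT": {"03"}}],
    "ZS_NEW":    [{"CARRID": {"LH", "AA"}, "FLTDATE": THREE_DAYS, "ACTVT": {"03"}}],
}

# Same user, but ZS_NEW now has TWO instances that tie each airline to its own dates.
USER_PAIRED = dict(USER_SINGLE, ZS_NEW=[
    {"CARRID": {"LH"}, "FLTDATE": {date(2015, 2, 4)}, "ACTVT": {"03"}},
    {"CARRID": {"AA"}, "FLTDATE": {date(2015, 2, 5)}, "ACTVT": {"03"}},
])


def _covers(allowed, value):
    """A PFCG full authorization '*' covers every value."""
    return "*" in allowed or value in allowed


def pfcg_auth(auths, obj, field_map, actvt="03"):
    """Model of `aspect pfcg_auth (obj, FIELD..., actvt='03')`.

    field_map maps CDS element -> authorization field, e.g. {"Airline": "CARRID"}.
    One authorization instance is a conjunction over its fields; the user's
    instances for the same object are OR-ed (assumed plain PFCG semantics).
    Returns a predicate over one row.
    """
    instances = [a for a in auths.get(obj, []) if _covers(a.get("ACTVT", set()), actvt)]

    def pred(row):
        return any(
            all(_covers(inst.get(fld, set()), row[elem]) for elem, fld in field_map.items())
            for inst in instances
        )
    return pred


def grant_select(rows, where):
    """`grant select on <view> where <cond>`: the role acts as an implicit row filter."""
    return [r for r in rows if where(r)]


def role_intersection(auths):
    """Z05_ROLE of part 5 step 1: pfcg_auth(ZS_CARRID) AND pfcg_auth(ZS_FLDAT)."""
    by_airline = pfcg_auth(auths, "ZS_CARRID", {"Airline": "CARRID"})
    by_date = pfcg_auth(auths, "ZS_FLDAT", {"FlightDate": "FLTDATE"})
    return lambda r: by_airline(r) and by_date(r)


def role_union(auths):
    """Z05_ROLE of part 5 step 2: pfcg_auth(ZS_CARRID) OR pfcg_auth(ZS_FLDAT)."""
    by_airline = pfcg_auth(auths, "ZS_CARRID", {"Airline": "CARRID"})
    by_date = pfcg_auth(auths, "ZS_FLDAT", {"FlightDate": "FLTDATE"})
    return lambda r: by_airline(r) or by_date(r)


def role_combined(auths):
    """Z05_ROLE of part 5 step 3: (Airline, FlightDate) = aspect pfcg_auth(ZS_NEW, CARRID, FLTDATE)."""
    return pfcg_auth(auths, "ZS_NEW", {"Airline": "CARRID", "FlightDate": "FLTDATE"})


def role_inherited(auths):
    """Pattern of demo_cds_role_inherited (part 1, example 5): inherit the AND role or Currency = 'USD'."""
    base = role_intersection(auths)
    return lambda r: base(r) or r["Currency"] == "USD"


def row_keys(rows):
    """(Airline, FlightConnection) pairs, handy for comparing results."""
    return [(r["Airline"], r["FlightConnection"]) for r in rows]


def row_counts():
    """Row count per role variant, like the counts read off the data preview in the post."""
    return {
        "intersection":    len(grant_select(ROWS, role_intersection(USER_SINGLE))),
        "union":           len(grant_select(ROWS, role_union(USER_SINGLE))),
        "combined_single": len(grant_select(ROWS, role_combined(USER_SINGLE))),
        "combined_paired": len(grant_select(ROWS, role_combined(USER_PAIRED))),
        "inherited":       len(grant_select(ROWS, role_inherited(USER_SINGLE))),
    }


if __name__ == "__main__":
    for name, n in row_counts().items():
        print(f"{name:16s} {n} rows")
```

With one instance per object, the AND of ZS_CARRID and ZS_FLDAT and the single combined object ZS_NEW return the same rows, which is why the post calls step 3 "similar to" the intersection. With the paired authorizations the two diverge: the AND of separate objects still returns AA flight 0018 on 2015-02-04, because airline and date are checked independently, while the combined object drops it, since no single authorization pairs AA with that date. When the business rule is "this airline on these dates", the combined object expresses it; two separate objects grant the cross product, and that is worth checking in PFCG before relying on the DCL.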

Note: don't forget to define the authorization at the level of the Cube CDS view, not at the analytical query level. If you define the same authorization as in part 5 at the analytical query level, then:

  • In the SAP HANA Studio data preview, the result looks correct.
  • In RSRT, BO Analysis for Excel and other tools that use the OLAP engine, the Cube CDS view's authorization (if defined) is what is applied.

Note: in the HANA Studio data preview, the analytical query shows all rows. To correct this, you can create the following access control for the analytical query:

@MappingRole: true
define role Z05_ROLE_2 {
  grant select on Z05_C_FlightByAirportQuery 
               inherit Z05_ROLE; }      

Conclusion: you can define intersections or unions of authorizations for CDS analytical views.

That's the end of this article, thanks for reading!

English original: ABAP CDS views with Authorization based on Access Control
