Hi!
For every CDS view we can define access control through DCL (Data Control Language). In this article I will introduce a very important side of ABAP CDS views: authorization management.
This article is based on the S4/HANA 1610 on NW 7.51 system I am currently working on.
The content is divided into five parts:
- Access control in the standard demo examples.
- Creating a simple example based on PFCG authorizations.
- CDS analytic views with the CUBE data category.
- Access control for CDS analytic query views.
- Union (UNION) or intersection (INTERSECTION) of authorization objects.
Link to this article: http://www.cnblogs.com/hhelibeb/p/7427753.html
1. Access control in the standard demo examples
1) Full access example
DDL:
```abap
@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
  as select from scarr
{
  key carrid,
      carrname,
      currcode,
      url
};
```
DCL:
```abap
@MappingRole: true
define role demo_cds_role_fullaccess {
  grant select on demo_cds_auth_fullaccess;
}
```
2) Literal conditions example
DDL:
```abap
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
  as select from scarr
{
  key carrid,
      carrname,
      currcode,
      url
};
```
DCL:
```abap
@MappingRole: true
define role demo_cds_role_literal {
  grant select on demo_cds_auth_literal
    where carrid = 'LH';
}
```
3) PFCG authorization example
DDL:
```abap
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
  as select from scarr
{
  key carrid,
      carrname,
      currcode,
      url
};
```
DCL:
```abap
@MappingRole: true
define role demo_cds_role_pfcg {
  grant select on demo_cds_auth_pfcg
    where (carrid) = aspect pfcg_auth (s_carrid, carrid, actvt = '03');
}
```
The authorization object s_carrid can be found in transaction SU21 under the object class BC_C.
4) Literal condition combined with PFCG authorization
DDL:
```abap
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
  as select from scarr
{
  key carrid,
      carrname,
      currcode,
      url
};
```
DCL:
```abap
@MappingRole: true
define role demo_cds_role_lit_pfcg {
  grant select on demo_cds_auth_lit_pfcg
    where (carrid) = aspect pfcg_auth (s_carrid, carrid, actvt = '03')
      and currcode = 'EUR';
}
```
5) Inherited authorization example
DDL:
```abap
@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
  as select from demo_cds_auth_lit_pfcg
{
  key carrid,
      carrname,
      currcode,
      url
};
```
DCL:
```abap
@MappingRole: true
define role demo_cds_role_inherited {
  grant select on demo_cds_auth_inherited
    inherit demo_cds_role_lit_pfcg
    or currcode = 'USD';
}
```
In this example, records with currency USD and (via the inherited role) EUR are shown.
6) Access control based on the current user
DDL:
```abap
@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
  as select from abdocmode
{
  key uname,
  key langu,
      flag
};
```
DCL:
```abap
@MappingRole: true
define role demo_cds_role_user {
  grant select on demo_cds_auth_user
    where uname ?= aspect user;
}
```
2. Creating a simple example based on PFCG authorizations
Copy the following code to create our own CDS view:
```abap
@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg
  as select from scarr
{
  key carrid,
      carrname,
      currcode,
      url
};
```
3. Now, if we open the data preview in HANA Studio, we can see all records. No access control exists yet.
2. Create our own custom authorization object in SU21:
For each object, define the authorization field and the activity field, and add the permitted activity "03 Display". In this example we add the fields CARRID and CONNID to ZS_CONNID.
3. Create the data control (DCL) for ZS_CARRID.
```abap
@MappingRole: true
define role zdemo_access_pfcg {
  grant select on Zdemo_Access_Pfcg
    where (carrid) = aspect pfcg_auth (zs_carrid, carrid, actvt = '03');
}
```
4. Create a new role in PFCG, add the authorization object just created, and define, through the selected field, which data the user should see. Don't forget to generate the profile. Assign the role to our user.
In this first example we only use ZS_CARRID. Later in the article we will use the other objects.
5. Go back to HANA Studio to test the authorization. Open the data preview of our CDS view:
Now we only see the records for the airline (CARRID) values that were defined.
Notes:
- If the view is opened in the ABAP Dictionary (SE11), the result is all data records.
- If the annotation in the DDL is changed to the following and the CDS view is activated, we will again see all data in the data preview. This means the check has been switched off.
```abap
@AccessControl.authorizationCheck: #NOT_ALLOWED
```
Conclusion: in a simple example that selects data from a database table, we have seen how access control works. Next, CDS analytic views.
3. CDS analytic views with the CUBE data category
1. Create our own CDS view by copying existing content. This is a CDS view with the CUBE data category (Translator's note: the code box had some problems, please bear with it).
The block that appeared here in the original is the analytic query Z05_C_FlightByAirportQuery reproduced in part 4, step 1, which selects from the cube view Z05_I_FlightByAirport; the DDL of the cube view itself is not shown on this page.
2. Define it in the access control:
```abap
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline ) = aspect pfcg_auth ( ZS_CARRID, CARRID, actvt = '03' );
}
```
3. In part 2 of the article we added ZS_CARRID to the authorization object. Check the result in the HANA Studio data preview. The row count is 530.
4. Check the result in transaction RSRT; the row count is also 530. The results are the same.
5. Check the result in BO Analysis for Excel. The result is the same: for the user, only the selected airlines are accessible.
Note: there is no business data for airline AF, which is why the screen above shows no data for it.
4. Access control for CDS analytic query views
1. Create an analytic query view on the cube CDS view from part 3.
```abap
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'   // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK   // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights'     // Translatable short text. Max 60 characters. Text label is exposed to analytical tools and the OData service
@VDM.viewType: #CONSUMPTION                 // This is a CONSUMPTION view
@Analytics.query: true                      // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true                        // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated
define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport
  // An analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
  // Take care with OData publishing: the max. length is 26 characters
{
  @AnalyticsDetails.query.axis: #ROWS        // Defines the default row/column appearance for the column Airline
  Z05_I_FlightByAirport.Airline,             // Use the column Airline
  @AnalyticsDetails.query.axis: #ROWS        // Defines the default row/column appearance for the column FlightConnection
  Z05_I_FlightByAirport.FlightConnection,    // Use the column FlightConnection
  @AnalyticsDetails.query.axis: #ROWS        // Defines the default row/column appearance for the column FlightDate
  Z05_I_FlightByAirport.FlightDate,          // Use the column FlightDate
  @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportFrom
  @AnalyticsDetails.query.axis: #ROWS        // Defines the default row/column appearance for the column AirportFrom
  @EndUserText.label: 'Departure Airport'    // Add a human-readable end-user label to make sure that we can differentiate between AirportFrom and AirportTo
  Z05_I_FlightByAirport.AirportFrom,         // Use the column AirportFrom
  @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo
  @AnalyticsDetails.query.axis: #ROWS        // Defines the default row/column appearance for the column AirportTo
  @EndUserText.label: 'Arrival Airport'      // Add a human-readable end-user label to make sure that we can differentiate between AirportFrom and AirportTo
  Z05_I_FlightByAirport.AirportTo,           // Use the column AirportTo
  Z05_I_FlightByAirport.Currency,            // Use the column Currency
  Z05_I_FlightByAirport.AircraftType,        // Use the column AircraftType
  @AnalyticsDetails.query.axis: #COLUMNS     // Defines the default row/column appearance for the column FlightPrice
  Z05_I_FlightByAirport.FlightPrice,         // Use the column FlightPrice
  Z05_I_FlightByAirport.MaximumNumberOfSeats,   // Use the column MaximumNumberOfSeats
  Z05_I_FlightByAirport.NumberOfOccupiedSeats,  // Use the column NumberOfOccupiedSeats
  @DefaultAggregation: #FORMULA
  // Important to know for formula placement is evaluation time. Inside the final query, the evaluation is done after the FlightByAirport
  // view aggregation, so it is not on a very detailed level or even row level, but at the aggregate level. This is important for averages
  // as they cannot be evaluated at the detail level
  @EndUserText.label: 'Available Seats'
  @AnalyticsDetails.query.axis: #COLUMNS     // Defines the default row/column appearance for the column NumberOfAvailableSeats
  Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formula (calculated column)
}
```
2. In the HANA Studio data preview the row count is still 4894. It looks as if the CDS analytic query does not use the cube CDS view's authorization, but that is not the case. You do not need to create an additional access control for the analytic query CDS view.
3. Check the result in RSRT or in BO Analysis for Excel. The result shows that the cube CDS view's authorization takes effect in the analytic query.
Note: no variables need to be created in the analytic query definition, as we would do in a BEx query with authorizations.
4. Modify the cube CDS view's access control, adding the authorization object ZS_CONNID instead of ZS_CARRID.
```abap
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( FlightConnection ) = aspect pfcg_auth ( ZS_CONNID, CONNID, actvt = '03' );
}
```
The analytic query result becomes stricter (the definition of ZS_CONNID can be seen in step 4 of part 2).
The row count is now 212.
5. Union (UNION) and intersection (INTERSECTION) of authorizations
1. Intersection of authorizations with "AND". Here a new authorization object "ZS_FLDAT" is defined; it covers only a range of 3 days (2015.02.04 - 2015.02.06). Modify the DCL to add the intersection:
```abap
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline ) = aspect pfcg_auth ( ZS_CARRID, CARRID, actvt = '03' )
      AND ( FlightDate ) = aspect pfcg_auth ( ZS_FLDAT, FLTDATE, actvt = '03' );
}
```
2. Union with "OR":
```abap
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline ) = aspect pfcg_auth ( ZS_CARRID, CARRID, actvt = '03' )
      OR ( FlightDate ) = aspect pfcg_auth ( ZS_FLDAT, FLTDATE, actvt = '03' );
}
```
3. If both fields are added to a single authorization object, the result is similar to the intersection:
```abap
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
  grant select on Z05_I_FlightByAirport
    where ( Airline, FlightDate ) = aspect pfcg_auth ( ZS_NEW, CARRID, FLTDATE, actvt = '03' );
}
```
Note: don't forget to define the authorization at the level of the cube CDS view, not at the level of the analytic query. If you define the same authorization as in part 5 at the analytic query level, then:
- In the SAP HANA Studio data preview, the result looks right.
- In RSRT, BO Analysis for Excel and other tools that use the OLAP engine, the cube CDS view's authorization (if defined) is what is applied.
Note: in the HANA Studio data preview, the analytic query's result is shown in full. To correct this, you can create the following access control for the analytic query:
```abap
@MappingRole: true
define role Z05_ROLE_2 {
  grant select on Z05_C_FlightByAirportQuery
    inherit Z05_ROLE;
}
```
Conclusion: you can define the intersection or the union of authorizations for CDS analytic views.
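As an added illustration (my own Python model, not SAP code and not code from the original article), here is how the conditions in the roles from part 1 and part 5 decide which rows a user sees. The tables, users and PFCG authorizations are all constructed inside the script; the names ZS_CARRID, ZS_FLDAT and ZS_NEW are taken from the article, everything else (ALICE, BOB, CAROL and their authorizations) is made up. The model assumes the rule AUTHORITY-CHECK applies: a row passes a pfcg_auth aspect when a single authorization instance of the object grants the activity and covers all mapped field values, and several instances of the same object are combined with OR. The user CAROL shows why a single two-field object (ZS_NEW, part 5 step 3) is only "similar to" the AND of two separate objects: with two separate ZS_NEW authorizations, an airline from one and a date from the other are never combined, while the AND form accepts that row.

```python
"""Model of how CDS access-control conditions filter rows for a user, given that
user's PFCG authorizations. Everything below is constructed sample data."""

# Constructed rows in the shape of the SCARR table that the demo views select from.
SCARR = [
    {"carrid": "LH", "carrname": "Lufthansa",         "currcode": "EUR"},
    {"carrid": "AA", "carrname": "American Airlines", "currcode": "USD"},
    {"carrid": "AF", "carrname": "Air France",        "currcode": "EUR"},
    {"carrid": "UA", "carrname": "United Airlines",   "currcode": "USD"},
]
# Constructed flight rows for the intersection/union examples (FLTDATE as YYYYMMDD).
SFLIGHT = [
    {"carrid": "LH", "fldate": "20150204"}, {"carrid": "LH", "fldate": "20150210"},
    {"carrid": "AA", "fldate": "20150204"}, {"carrid": "AA", "fldate": "20150205"},
    {"carrid": "UA", "fldate": "20150301"},
]
# Constructed PFCG authorizations: user -> object -> list of authorization instances.
# An instance maps each field of the object to its allowed values ('*' = all values),
# the way a PFCG role can carry several authorizations for the same object.
AUTHS = {
    "ALICE": {
        "ZS_CARRID": [{"CARRID": {"LH", "AF"}, "ACTVT": {"03"}}],
        "ZS_FLDAT":  [{"FLTDATE": {"20150204", "20150205", "20150206"}, "ACTVT": {"03"}}],
        "ZS_NEW":    [{"CARRID": {"LH", "AF"},
                       "FLTDATE": {"20150204", "20150205", "20150206"}, "ACTVT": {"03"}}],
    },
    "BOB": {"ZS_CARRID": [{"CARRID": {"*"}, "ACTVT": {"03"}}]},
    # CAROL holds two separate ZS_NEW authorizations, each pairing one airline with one date.
    "CAROL": {
        "ZS_CARRID": [{"CARRID": {"LH", "AA"}, "ACTVT": {"03"}}],
        "ZS_FLDAT":  [{"FLTDATE": {"20150204", "20150205"}, "ACTVT": {"03"}}],
        "ZS_NEW":    [{"CARRID": {"LH"}, "FLTDATE": {"20150204"}, "ACTVT": {"03"}},
                      {"CARRID": {"AA"}, "FLTDATE": {"20150205"}, "ACTVT": {"03"}}],
    },
}


def pfcg_aspect(user, obj, field_map, actvt="03"):
    """Predicate for `( cols ) = aspect pfcg_auth ( obj, fields, actvt = '..' )`.

    field_map maps view column -> authorization field. A row passes when at least one
    authorization instance of `obj` grants the activity and covers every mapped value
    (the all-fields-in-one-authorization rule of AUTHORITY-CHECK, assumed here)."""
    instances = AUTHS.get(user, {}).get(obj, [])

    def allows(inst, auth_field, value):
        allowed = inst.get(auth_field, set())
        return "*" in allowed or value in allowed

    def pred(row):
        return any(allows(inst, "ACTVT", actvt)
                   and all(allows(inst, f, row[col]) for col, f in field_map.items())
                   for inst in instances)
    return pred


def grant_select(rows, pred):
    """`grant select on <view> where <condition>`: keep only rows the condition accepts."""
    return [r for r in rows if pred(r)]


# --- Part 1 role forms, evaluated against SCARR -------------------------------------
def role_literal(rows):                  # where carrid = 'LH'
    return grant_select(rows, lambda r: r["carrid"] == "LH")

def role_pfcg(rows, user):               # where (carrid) = aspect pfcg_auth (zs_carrid, carrid, actvt='03')
    return grant_select(rows, pfcg_aspect(user, "ZS_CARRID", {"carrid": "CARRID"}))

def role_lit_pfcg(rows, user):           # ... and currcode = 'EUR'
    p = pfcg_aspect(user, "ZS_CARRID", {"carrid": "CARRID"})
    return grant_select(rows, lambda r: p(r) and r["currcode"] == "EUR")

def role_inherited(rows, user):          # inherit <role_lit_pfcg> or currcode = 'USD'
    p = pfcg_aspect(user, "ZS_CARRID", {"carrid": "CARRID"})
    return grant_select(rows, lambda r: (p(r) and r["currcode"] == "EUR") or r["currcode"] == "USD")


# --- Part 5: intersection, union and one two-field object, against SFLIGHT ----------
def role_and(rows, user):                # ( Airline ) = aspect ... AND ( FlightDate ) = aspect ...
    p1 = pfcg_aspect(user, "ZS_CARRID", {"carrid": "CARRID"})
    p2 = pfcg_aspect(user, "ZS_FLDAT", {"fldate": "FLTDATE"})
    return grant_select(rows, lambda r: p1(r) and p2(r))

def role_or(rows, user):                 # ( Airline ) = aspect ... OR ( FlightDate ) = aspect ...
    p1 = pfcg_aspect(user, "ZS_CARRID", {"carrid": "CARRID"})
    p2 = pfcg_aspect(user, "ZS_FLDAT", {"fldate": "FLTDATE"})
    return grant_select(rows, lambda r: p1(r) or p2(r))

def role_single_object(rows, user):      # ( Airline, FlightDate ) = aspect pfcg_auth ( ZS_NEW, CARRID, FLTDATE, ... )
    return grant_select(rows, pfcg_aspect(user, "ZS_NEW", {"carrid": "CARRID", "fldate": "FLTDATE"}))


def keys(rows):
    """Compact view of a result: the key values of each row, in table order."""
    return [tuple(r[k] for k in ("carrid", "fldate") if k in r) for r in rows]


if __name__ == "__main__":
    print("literal          :", keys(role_literal(SCARR)))
    print("pfcg ALICE       :", keys(role_pfcg(SCARR, "ALICE")))
    print("pfcg BOB (*)     :", keys(role_pfcg(SCARR, "BOB")))
    print("inherit/or NOBODY:", keys(role_inherited(SCARR, "NOBODY")))
    print("AND CAROL        :", keys(role_and(SFLIGHT, "CAROL")))
    print("OR  CAROL        :", keys(role_or(SFLIGHT, "CAROL")))
    print("ZS_NEW CAROL     :", keys(role_single_object(SFLIGHT, "CAROL")))
```

Running the script prints one result line per role form. For ALICE, whose single ZS_NEW authorization mirrors her ZS_CARRID and ZS_FLDAT values, the AND form and the single-object form return the same one row; for CAROL the AND form returns three flights but the single-object form only two, because the row AA/20150204 is not covered by any one of her ZS_NEW authorizations.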
That's the end of this article, thanks for reading!
English original: ABAP CDS views with Authorization based on Access Control