
ABAP_CDS_DCL - Structure of the Access Control Context
The following picture shows the structure of the access control context:
Access Control Context
_Containers
__Aggregations
__Aggregated Element A
__Aggregated Element B
__Grouping
__Grouped Element C
__Grouped Element D
__Gate Fields
__Gated Field U
__Gate Value 1 for Field U
__Gate Value 2 for Field U
__Gated Field V
__Gate Value 1 for Field V
__Protected Element Masking
__Entity X
__Element G
__Masking Value for Element G in Entity X
__Element H
__Masking Value for Element H in Entity X
__Entity Y
__Element J
__Masking Value for Element J in Entity Y
__NAMESPACE1
__NODE1
__Value 11
__NODE2
__NODE21
__NODE22
__Value221
__Value222
__NAMESPACE2
...
Text in bold indicates structure components that are singletons in the sense that they can only be written by a single ABAP code layer during creation. For more details, refer to the section Creating an Access Control Context below.

Containers
Containers are predefined sections in the access control context that can be addressed by constants in the ABAP class that creates the access control context and by the DCL grammar that consumes the access control context.
They primarily serve as an aid in the communication between frameworks and consumers.
Currently, containers exist to express the following types of information:
Aggregations: The child nodes of this container are the elements that are aggregated using an aggregate function, such as AVG, MAX, MIN, ... The type of the aggregation is unspecified.
Grouping: The child nodes of this container are the elements by which the result is grouped using a GROUP BY clause.
Gate Fields: The child nodes of this container are the fields for which gate values are supplied (see CONTEXT_NODE_VALUES). The child nodes of the field nodes are the gate values (0..*).
Protected Element Masking: The child nodes of this container are entity names. The child nodes of the entity node(s) are the elements for which masking values are provided. The element nodes can have at most one value that acts as a masking value. If no value is provided, the masking value is the null value.

Namespaces
For use cases where the predefined containers are not sufficient, applications can request to receive a namespace in which they can create their own data structures.
Providing a namespace is a development task in component BC-SEC-AUT-DCL and must be requested there.
The two existing namespaces TEST_ACM_1 and TEST_ACM_2 are reserved for testing purposes of the access control component and must not be used by applications, unless the permission to do so is explicitly granted.

Creating an Access Control Context
The access control context is created using the ABAP class CL_ACM_ACCESS_CONTROL_CONTEXT, whose use is described in its ABAP Workbench documentation. Before using this class, permission from BC-SEC-AUT-DCL is required.
The access control context as created by the class must be passed to the runtime system using a service method. The data is then valid for the source code in the current ABAP call stack after this line, and for called methods from this point on. However, it is discarded when the current stack frame is left.
If several layers of ABAP code want to use the access control context to pass data to the runtime system, conflicts can occur if two layers want to provide the same type of data. This is prevented by an exception when the access control context is set.
In the above diagram, the parts written in bold are such singletons, which can only be accessed by a single layer of ABAP code. For example, only a single layer can specify the grouping fields, while protected element masking can be specified by different layers, unless they operate on different entities.
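
The layering rules described above, as an added Python model that is not SAP code and does not use the API of CL_ACM_ACCESS_CONTROL_CONTEXT. The names RuntimeModel, set_context and ContextConflict are hypothetical, and the model assumes that grouping is owned by one layer and that masking is owned per entity.

```python
from contextlib import contextmanager

class ContextConflict(Exception):
    """A second layer tried to supply a part that another layer already owns."""

class RuntimeModel:
    """Hypothetical stand-in for the runtime system; not an SAP API."""

    def __init__(self):
        self._frames = []  # one dict of parts per layer, innermost last

    def effective(self):
        merged = {}
        for frame in self._frames:
            merged.update(frame)
        return merged  # part name -> (owning layer, data)

    @contextmanager
    def set_context(self, layer, grouping=None, masking=None):
        parts = {}
        if grouping is not None:
            parts["GROUPING"] = (layer, list(grouping))
        for entity, elements in (masking or {}).items():
            # element -> masking value; None models the null masking value
            parts["MASKING:" + entity] = (layer, dict(elements))
        active = self.effective()
        for name in parts:
            if name in active:  # conflict is raised when the context is set
                raise ContextConflict(f"{layer}: {name} already provided by {active[name][0]}")
        self._frames.append(parts)
        try:
            yield self
        finally:
            self._frames.pop()  # discarded when the setting frame is left

def demo():
    # Constructed sample data using the element and entity names from the diagram.
    rt, log = RuntimeModel(), []
    with rt.set_context("framework", grouping=["C", "D"], masking={"Entity X": {"G": "***"}}):
        with rt.set_context("application", masking={"Entity Y": {"J": None}}):
            log.append(sorted(rt.effective()))  # different entity: accepted
        try:
            with rt.set_context("application", grouping=["C"]):
                pass
        except ContextConflict as exc:
            log.append(str(exc))  # same singleton part: rejected
    log.append(rt.effective())  # nothing survives the outer frame
    return log

if __name__ == "__main__":
    print(demo())
```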