What does it do? Part of an access condition cds_cond in an access rule of the statement DEFINE ROLE in CDS DCL. The following categories of conditions can be specified, which can be combined using AND or OR:
Literal conditions literal_condition that compare an element of a CDS entity with fixed values.
PFCG conditions pfcg_condition that associate an element of a CDS entity with authorizations in the SAP authorization concept (which are based on authorization objects).
User-defined aspects aspect_condition that join elements in a CDS entity with value sets of any other entity that can itself be addressed using the current user name as a selection condition.
User conditions user_condition as a special case of a literal condition on whose right side the user name of the current user is used as an operand.
Inheritance conditions inherit_condition that apply conditions from other CDS roles.
DCL functions dcl_function are evaluated in the application server before the statement is sent to the database. The currently existing DCL functions return a Boolean predicate and in combination with AND and OR conditions allow enabling or disabling parts of the access conditions based on the function result.
Boolean predicates TRUE and FALSE. These conditions are either always met or not met. They are usually not needed in a role definition, but can be created implicitly in the inheritance of conditions.
The predicate VOID. A condition with the value VOID is handled as nonexistent. VOID conditions are not required in the definition of a role and can be created implicitly in inheritances. The following rules apply in combination with other conditions:
X AND VOID = VOID AND X = X
X OR VOID = VOID OR X = X
NOT VOID = VOID
An access rule cannot consist solely of VOID conditions.
Control structures if_then_else . On the left side of a condition of this type, it is possible to specify elements of the CDS entity for which the access condition is defined directly or using path expressions. The following restrictions apply:
Only certain data types are allowed.
Path expressions path_expr in CDS DCL have the same syntax as path expressions in CDS DDL.
Latest notes:
It is advisable to specify an element in a CDS entity directly in the CDS DCL and to only use path expressions in exceptional cases. More specifically, path expressions with multiple values can have a negative effect on the runtime of a query. NON_V5_HINTS
The way an access condition defined in a CDS role for a CDS entity is represented when the CDS entity is accessed using AB_SQL can be viewed in the SQL Trace tool (transaction ST05), for example as additional common table expressions. This implementation is not fixed, however, and can change between releases. More specifically, if further conditions exist, the part condition that results from a CDS role may be reduced (or even omitted). ABAP_HINT_END
