What does it do? Defines a PFCG mapping pfcg_mapping as part of a CDS access policy defined using DEFINE ACCESSPOLICY. The name of the PFCG mapping must match the name of the CDS access policy. The definition of a PCFG mapping contains the following:
A comma-separated list after the name pfcg_mapping in which the output fields of the PFCG mapping are defined. These fields must be elements of the CDS entity mapping_entity specified after BETWEEN. The specified order is relevant.
A CDS entity mapping_entity specified after the keyword BETWEEN to define the fields used in the mapping. This definition specifies the input and output fields of the mapping.
An authorization object auth_object specified after the keyword AND. The PFCG mapping can be used in exactly those PFCG conditions in which this authorization object is specified after ASPECT pfcg_auth.
A comma-separated unordered list in curly brackets that associates the input fields input1, input2, ... of the mapping with authorization fields auth_field of the authorization object auth_object.
The input fields on the left sides must be elements of the CDS entity mapping_entity specified after BETWEEN.
Authorization fields of the authorization object auth_object must be specified on the right sides.
Any number of optional assignments can be flagged using the addition CONSTRAINT ID. A PFCG mapping can be used in a PFCG condition of the same authorization object. It is transformed to specific access conditions as follows when the condition is evaluated:
The values of the current user for the authorization fields assigned to the input fields fill the input fields of the mapping.
The output fields of the mapping are assigned to the elements within the curly brackets of the PFCG condition in the specified order.
The following applies to the input fields flagged with CONSTRAINT ID :
Only those authorization fields of the authorization object can be assigned that contain a single value in a specific authorization. Multiple values or patterns are not allowed (with the exception of full authorization using the value *). Otherwise the PFCG mapping in the PFCG condition returns the value false for the authorization in question.
Full authorization can be assigned only when applied to all input fields of the PFCG mapping.
If full authorization exists for all input fields of the PFCG mapping (value *), the PFCG mapping in the PFCG condition returns the value true when evaluated. This makes it possible to read entries of the protected entity for which there are no output fields in the mapping. BEGIN_SECTION VERSION 5 OUT
ABAP Addition
What does it do? To use a PFCG mapping in a PFCG condition where the authorization object is subject to the switchable authorization check, the PFCG mapping must also name the same scenario (as well as the same authorization object). For more information, see the PFCG condition of the statement DEFINE ROLE. END_SECTION VERSION 5 OUT
Latest notes: In AB-SQL access to a CDS entity assigned a role of this type, PFCG mappings are defined internally using a subquery after EXISTS. NON_V5_HINTS ABAP_HINT_END
ABAP_EXAMPLE_VX5 The following example shows the definition of a PFCG mapping demo_cds_auth_pfcg_mapping based on the CDS entity demo_cds_mapping_entity below. The output fields of the PFCG mapping are the authorization fields OBJECT, OBJ_NAME, and DEVCLASS of the authorization object S_DEVELOP. The input fields of the PFCG mapping are the elements of the CDS entity to which the output fields are assigned. The example that demonstrates how a PFCG mapping is specified in a role shows how the mapping is used.
