SAP NEWS-785-CDS ACCESS CONTROL

Get Example source ABAP code based on a different SAP table
  SAP Help

ABAP_CDS Access Control in ABAP Release 7.85
ITOC

ABAP_MODIFICATION_NN Graceful Behavior in Access Condition Inheritance for Missing Dictionary Elements

From this release on, authors of access controls can mark a subset of the CDS elements used in their access conditions as optional, so that CDS entities which inherit their access conditions are not affected by a <(>Day-1-impact<)> any more. GRANT SELECT ON cds_entity WITH OPTIONAL ELEMENTS (
element1 DEFAULT (TRUE|FALSE), ...) WHERE ...
More Information

ABAP_MODIFICATION_NN Unified Syntax for Authorization Objects, Authorization Fields and SACF Scenario Names

At all locations of access controls, references to authorization objects, authorization fields, and SACF scenario names can be written in identifier syntax when they comply with it and in string syntax with single apostrophes as an alternative.
Before: ( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO 'THESCENARIO' )
Now allowed: ( ... ) = ASPECT PFCG_AUTH( S_OBJ IN SCENARIO TheScenario )
More Information

ABAP_MODIFICATION_NN Additional Filtering of User-Defined Aspect Usage

When using user-defined aspects, these can now denominate an arbitrary set of their elements (path expressions are supported) as filter element. These filter elements can by referenced when using the user-defined aspect in an access condition. DEFINE ASPECT ... AS SELECT FROM ...
WITH USER ELEMENT ...
WITH FILTER ELEMENTS ( element1, element2 AS alias2 )
{
...
}
WHERE ( ... ) = ASPECT ... FILTER BY ( element1 = 'X' OR
alias2 IS NOT NULL )
More Information

ABAP_MODIFICATION_NN Condition Replacement for Role-Based Inheritance

The REPLACING section formerly only available to entity-based inheritance INHERITING CONDITIONS FROM ENTITY cds_entity
is now also available for role-based inheritance INHERIT role FOR GRANT SELECT ON cds_entity
More Information

ABAP_MODIFICATION_NN Generic Element Replacement for Condition Inheritance

The REPLACING section of condition inheritance now supports a generic replacement step to replace an arbitrary field or association of the inheritance source with an arbitrary field or association of the inheritance target. WHERE INHERITING CONDITIONS FROM ENTITY Source REPLACING {
ELEMENT Element1OfSource WITH Element1OfTarget,
ELEMENT Assoc1OfSource WITH Assoc1[r = 4].Assoc2OfTarget,
ELEMENT Assoc2(p : $parameters.p1)[ q = 1].Field WITH MyShortField }
More Information

ABAP_MODIFICATION_NN Enabling/Disabling of Access Conditions Based on the State of SACF

Respecting settings in the switchable authorization framework (SACF) was already possible for dedicated PFCG conditions: ASPECT PFCG_AUTH ( S_OBJECT IN SCENARIO ... )
Now, those settings can be used to enable or disable entire condition sets: GRANT SELECT ON cds_entity
WHERE
SACF_CHECK_IN_USE (NAME => NEW_AUTH_SWITCH ) IS INITIAL
AND
( element ) = ASPECT PFCG_AUTH( OLD_AUTH, F )
OR
SACF_CHECK_IN_USE( NAME => NEW_AUTH_SWITCH ) IS NOT INITIAL
AND
( element ) = ASPECT PFCG_AUTH( NEW_AUTH, F );
More Information

ABAP_MODIFICATION_NN Access Conditions for CDS Hierarchies Based on Elements of the Hierarchy Directory

For CDS hierarchies, access control was restricted to the use of conditions not resulting in database filtering. Now elements located in the declared hierarchy directory ABAP Addition FILTER BY
can be used to formulate such conditions.

ABAP_MODIFICATION_NN Consideration of Special Runtime Modes

When operating the system with the emergency user SAP*, CDS access control is now deactivated.
During processing of an update task, PFCG conditions are now considered as fully authorized.
More Information

ABAP_MODIFICATION_NN New DCL Function

The following new DCL function is available: OPTIONAL_ELEMENT_EXISTS .