Hi!
对每一个CDS视图,我们都可以通过DCL(Data Control Language)定义访问控制。在这篇文章中,我会介绍ABAP CDS视图中非常重要的一面:权限管理。
本文的阐述基于我正在使用的S4/HANA 1610 on NW 7.51.
内容分为五个部分:
- 标准示例的访问控制。
- 基于PFCG权限创建一个简单的例子。
- 带有CUBE数据类别的CDS分析视图。
- CDS分析查询视图的访问控制。
- 权限对象的并集(UNION)或者交集(INTERSECTION)。
本文链接:http://www.cnblogs.com/hhelibeb/p/7427753.html
1. 标准示例的访问控制例子
1) 全访问示例(Full access)
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_fullaccess
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_fullaccess {
grant select on demo_cds_auth_fullaccess; }
2) 字面条件示例(Literal conditions)
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_literal
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_literal {
grant select on demo_cds_auth_literal
where carrid = 'LH'; }
3) PFCG权限示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_pfcg {
grant select on demo_cds_auth_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt=''); }
权限对象s_carrid可以在事务代码SU21中的BC_C object类下查到。
4) 字面条件和PFCG权限结合示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_lit_pfcg
as select from
scarr
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_lit_pfcg {
grant select on demo_cds_auth_lit_pfcg
where (carrid) =
aspect pfcg_auth (s_carrid, carrid, actvt='') and
currcode = 'EUR'; }
5) 继承权限示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_inherited
as select from
demo_cds_auth_lit_pfcg
{
key carrid,
carrname,
currcode,
url
};
DCL:
@MappingRole: true
define role demo_cds_role_inherited {
grant select on demo_cds_auth_inherited
inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }
在这个例子会显示USD和EUR类型货币的记录。
6) 根据当前用户的权限控制示例
DDL:
@AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
@AccessControl.authorizationCheck: #CHECK
define view demo_cds_auth_user
as select from
abdocmode
{
key uname,
key langu,
flag
};
DCL:
@MappingRole: true
define role demo_cds_role_user {
grant select on demo_cds_auth_user
where
uname ?= aspect user; }
2. 基于PFCG权限创建一个简单的例子
复制以下代码,创建我们自己的CDS视图:
@AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Demo access pfcg'
define view Zdemo_Access_Pfcg as select from scarr
{
key carrid,
carrname,
currcode,
url
};
3,现在,如果在HANA Studio中打开数据预览,我们将可以看到所有记录。访问控制目前还不存在。
2,在SU21创建我们自己的自定义权限对象:
对于每个对象定义权限字段和活动字段,加入允许活动“03 显示”。在本示例中,我们要在ZS_CONNID中添加字段CARRID和CONNID。
3,为ZS_CARRID创建数据控制。
@MappingRole: true
define role zdemo_access_pfcg {
grant select on Zdemo_Access_Pfcg
where (carrid) =
aspect pfcg_auth (zs_carrid, carrid, actvt=''); }
4,在PFCG中创建一个新的角色,在这里添加刚刚创建的权限对象,定义用户应当看到的基于选择字段的数据。不要忘记生成配置。为我们的用户分配角色。
在第一个示例中,我们只使用ZS_CARRID。在文章的后面,我们会用到其它的对象。
5,回到HANA Studio来测试权限。打开我们的CDS视图的数据预览:
现在我们只看到了定义好的航空公司(CARRID)字段的记录。
注意:
- 如果在ABAP字典(SE11)中打开视图,结果会是全部数据记录。
- 如果在DDL中修改注解为如下内容,并激活CDS视图,我们将可以再次在数据预览中看到全部数据。这意味着检查已经关闭。
@AccessControl.authorizationCheck: #NOT_ALLOWED
结论:在一个从数据库表中查询数据的简单例子中,我们看到了访问控制是如何工作的。下面讲讲CDS分析视图。
3. 带有CUBE数据类别的CDS分析视图
1,通过复制已有的内容创建我们自己的CDS视图。这是一个带有CUBE数据分类的CDS视图(译注:代码框出了点问题,大家凑合看下..):
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view
@Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
// Take care with OData publishing the max. lenght is 26 characters
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection
Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate
Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom
@EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo
@EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo
Z05_I_FlightByAirport.Currency, // Use the column Currency
Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice
Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
// view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages
// as they cannot be evaluated at the detail level
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column)
}
2,在访问控制中进行定义:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline ) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '' ); }
3,在文章的第2部分,我们在权限对象中添加了ZS_CARRID。在HANA Studio的数据预览中检查结果。行数是530.
4,在事务代码RSRT中检查结果,行数也是530。结果相同。
5,在BO Analysis for Excel中检查结果。结果是相同的,对用户而言,只有选中的航空公司可以被访问。
注意:没有AF航空公司的业务数据,这是上面的屏幕未显示相关数据的原因。
4. CDS分析查询视图的访问控制
1,在第3部分的CUBE CDS中创建一个分析查询视图。
@AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ' // Name of the CDS database view in the ABAP Repository
@AccessControl.authorizationCheck: #CHECK // CDS authorizations, controls the authorization check. In S4H410 not required
@EndUserText.label: 'Available Flights' // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
@VDM.viewType: #CONSUMPTION // This is a CONSUMPTION view
@Analytics.query: true // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
@OData.publish: true // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
// Take care with OData publishing the max. lenght is 26 characters
{
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column Airline
Z05_I_FlightByAirport.Airline, // Use the column Airline
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightConnection
Z05_I_FlightByAirport.FlightConnection, // Use the column FlightConnection
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column FlightDate
Z05_I_FlightByAirport.FlightDate, // Use the column FlightDate
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates a mandatory filter on the values in the field AirportFrom
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportFrom
@EndUserText.label: 'Departure Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportFrom, // Use the column AirportFrom
@Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } // Creates an optional filter on the values in the field AirportTo
@AnalyticsDetails.query.axis: #ROWS // Defines the default row/colums apperance for the column AirportTo
@EndUserText.label: 'Arrival Airport' // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
Z05_I_FlightByAirport.AirportTo, // Use the column AirportTo
Z05_I_FlightByAirport.Currency, // Use the column Currency
Z05_I_FlightByAirport.AircraftType, // Use the column AircraftType
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column FlightPrice
Z05_I_FlightByAirport.FlightPrice, // Use the column FlightPrice
Z05_I_FlightByAirport.MaximumNumberOfSeats, // Use the column MaximumNumberOfSeats
Z05_I_FlightByAirport.NumberOfOccupiedSeats, // Use the column NumberOfOccupiedSeats
@DefaultAggregation: #FORMULA // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
// view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages
// as they cannot be evaluated at the detail level
@EndUserText.label: 'Available Seats'
@AnalyticsDetails.query.axis: #COLUMNS // Defines the default row/colums apperance for the column NumberOfAvailableSeats
Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats // this is a formular (calculated column)
}
2,在HANA Studio中进行数据预览,行数还是4894。看起来CDS分析查询没有使用到Cube CDS视图权限,但是事实并非如此。你并不需要为分析查询CDS视图创建额外的访问控制。
3,在Excel中检查RSRT或者BO分析的结果。结果表明Cube CDS视图的权限在分析查询中起到了作用。
注意:在分析查询定义中不需要创建任何变量,就像我们在带有权限的BEx查询中那样。
4,修改Cube CDS视图,添加权限对象ZS_CONNID而非ZS_CARRID。
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( FlightConnection) = aspect pfcg_auth ( ZS_CONNID,
CONNID,
actvt = '' ); }
分析查询结果变得严格了(在第2部分的第4步可以看到ZS_CONNID的定义).
现在结果的行数是212.
5. 权限的并集(UNION)和交集(INTERSECTION)
1,通过“AND”取权限的交集。这里定义了一个新的权限“ZS_FLDAT”,它只包含3天的范围(2015.02.04 - 2015.02.06)。修改DCL,增加交集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '' ) AND
(FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '' ); }
2,通过“OR”取并集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline) =
aspect pfcg_auth ( ZS_CARRID,
CARRID,
actvt = '' ) OR
( FlightDate ) =
aspect pfcg_auth ( ZS_FLDAT,
FLTDATE,
actvt = '' ); }
3,如果在一个权限对象中添加这两个字段,那结果就类似于交集:
@EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
@MappingRole: true
define role Z05_ROLE {
grant select on Z05_I_FlightByAirport
where ( Airline, FlightDate) =
aspect pfcg_auth ( ZS_NEW,
CARRID,
FLTDATE,
actvt = '' );
注意:不要忘记在Cube CDS视图的层级定义权限,而非分析视图层级。如果你在分析查询层级定义了和第5部分相同的权限,那么:
- 在SAP HANA Studio的数据预览中,结果看起来是对的。
- 在RSRT, BO Analysis for Excel和其它使用了OLAP引擎的工具中,使用的是Cube CDS视图的权限(如有定义)。
注意:在HANA Studio的数据预览中,分析查询的结果会全部展示。为了纠正这点,可以给分析查询创建以下访问控制:
@MappingRole: true
define role Z05_ROLE_2 {
grant select on Z05_C_FlightByAirportQuery
inherit Z05_ROLE; }
结论:你可以为CDS分析视图定义权限的交集或者并集。
本文结束,感谢关注!
英文原文:ABAP CDS views with Authorization based on Access Control