Beginning with ABAP 7.40 SP10, the CDS DCL can be used to define authorizations based on CDS views in a declarative way. A new type of ABAP repository object, DCL source, is introduced for this purpose. Each such Access Control object allows declaring, that is modeling, a role based on a related CDS entity. Conditions specify how the user’s permissions are checked against field values of the individual records at runtime, and directly on the database level.

Access Conditions in DCL Sources

The following two types of conditions can be used in a role definition:

1. Literal Conditions To compare an element of the CDS view with a literal value
2. Aspect Conditions Only one aspect, pfcg_auth, is supported. This aspect allows the reuse of authorizations, based on classical authorization objects and PFCG roles. The left-hand side of a PCFG condition contains the list of view fields in parentheses. The list on the right-hand side begins with the name of the authorization object.

Annotations Related to DCL Sources

In a DCL source itself, annotation @MappingRule specifies that the role is automatically and implicitly assigned to all users. Only the value ‘true’ is supported as of now.

In a DDL source, that is in a CDS view definition, the annotation @AccessControl.authorizationCheck specifies if a corresponding DCL role should be defined and if the access conditions should be checked automatically at runtime. The following values are supported for the annotation:

• CHECK
• NOT_REQUIRED
• NOT_ALLOWED