This is a test message to test the length of the message box.
Login

Write a comment

Writing comments is only allowed to registered users, registration is free and does not require an email address and can be done quickly here.

access control without pfcg role

caius - 04/08/2025 - 23:25

Hello,

In a real life scenario, I don't see the reason why we should create an access control with a where clause "material like 'F%". Because it applies to all user.

You can put the "material like 'F%" into a where clause of a view.

Xexer - 04/09/2025 - 07:22

Hello caius, in Part 1 we used a normal PFCG object. In real world you can use it an a Consumption View to hide data in a specific app. When you have two apps on the same RAP and data, one should show the draft and one the completed.

Greetings Björn


Authz. for Authz. Bypass & CDS Layering/VDM

wridgeu - 03/16/2025 - 09:38

Hey there, great blog post as usual!

I was wondering if you know about any additional restrictions for developers or techn. users when it comes to the use of "WITH PRIVILEGED ACCESS". As in: "sure the developers can bypass it but are they allowed to?". Some sort of additional role/restriction for the usage of the keyword? Maybe I just find it too "insecure" myself while it actually is not.

When it comes to the CDS layering or rather naming of the VDM I am interested in what the other layers would be called in this scenario. I'm used to (and you also very well explained it here: https://software-heroes.com/en/blog/abap-cds-virtual-data-model) having the interface layer on the root and not a "base" layer on which an interface layer is built on top. Is it purely "naming" or would you have additional layers in this scenario based on use-case? I.e.: Base → Interface → ... → Projection/Consumption instead of just Interface → Projection/Consumption (leaving out any compositions).

BR, Marco

Xexer - 03/16/2025 - 13:54

Hi Marco, there is actual no restriction, when using WITH PRIVILEGED ACCESS. Sure, you should have the rights to change ABAP Code or use the SQL Console to do this. But when you think about it, it's also possible to read data directly from the table without access control and the most companies haven't a S_TABU_NAM restriction for developers.

The VDM enhanced a bit, since I wrote the article. I would divide it into three scenarios: VDM, RAP and Hybrid.

VDM Base > Interface > (Composite) > Consumption RAP: Interface > Consumption/Projection

The hybrid takes elements of both. We build the base views without associations (only if needed) and on top of the table. The idea is, to change this base layer in the future with Table Entities and than get rid of DDIC tables.

Greetings Björn