zoukankan      html  css  js  c++  java
  • 教程:基于访问控制的ABAP CDS视图权限

    Hi!

    对每一个CDS视图,我们都可以通过DCL(Data Control Language)定义访问控制。在这篇文章中,我会介绍ABAP CDS视图中非常重要的一面:权限管理。

    本文的阐述基于我正在使用的S4/HANA 1610 on NW 7.51.

    内容分为五个部分:

    1. 标准示例的访问控制。
    2. 基于PFCG权限创建一个简单的例子。
    3. 带有CUBE数据类别的CDS分析视图。
    4. CDS分析查询视图的访问控制。
    5. 权限对象的并集(UNION)或者交集(INTERSECTION)。

    本文链接:http://www.cnblogs.com/hhelibeb/p/7427753.html

    1. 标准示例的访问控制例子

    1) 全访问示例(Full access

    DDL:

    @AbapCatalog.sqlViewName: 'DEMO_CDS_FULLACC'
    @AccessControl.authorizationCheck: #CHECK
    define view demo_cds_auth_fullaccess
      as select from
        scarr
        {
          key carrid,
              carrname,
              currcode,
              url
        };  

     DCL:

    @MappingRole: true
    define role demo_cds_role_fullaccess {
      grant select on demo_cds_auth_fullaccess; }

    2) 字面条件示例(Literal conditions

    DDL:

    @AbapCatalog.sqlViewName: 'DEMO_CDS_LITERAL'
    @AccessControl.authorizationCheck: #CHECK
    define view demo_cds_auth_literal
     as select from
     scarr
     {
     key carrid,
     carrname,
     currcode,
     url
     };

    DCL:

    @MappingRole: true
    define role demo_cds_role_literal {
      grant select on demo_cds_auth_literal
      where carrid = 'LH'; }

    3) PFCG权限示例

    DDL:

    @AbapCatalog.sqlViewName: 'DEMO_CDS_PFCG'
    @AccessControl.authorizationCheck: #CHECK
    define view demo_cds_auth_pfcg
     as select from
     scarr
     {
     key carrid,
     carrname,
     currcode,
     url
     }; 

    DCL:

    @MappingRole: true
    define role demo_cds_role_pfcg {
      grant select on demo_cds_auth_pfcg
      where (carrid) =
      aspect pfcg_auth (s_carrid, carrid, actvt='03'); }

     权限对象s_carrid可以在事务代码SU21中的BC_C object类下查到。

    4) 字面条件和PFCG权限结合示例

    DDL:

    @AbapCatalog.sqlViewName: 'DEMO_CDS_LITPFCG'
    @AccessControl.authorizationCheck: #CHECK
    define view demo_cds_auth_lit_pfcg
     as select from
     scarr
     {
     key carrid,
     carrname,
     currcode,
     url
     };    

    DCL:

    @MappingRole: true
    define role demo_cds_role_lit_pfcg {
      grant select on demo_cds_auth_lit_pfcg
      where (carrid) =
      aspect pfcg_auth (s_carrid, carrid, actvt='03') and
             currcode = 'EUR'; }

    5) 继承权限示例

    DDL:

    @AbapCatalog.sqlViewName: 'DEMO_CDS_INH'
    @AccessControl.authorizationCheck: #CHECK
    define view demo_cds_auth_inherited
      as select from
        demo_cds_auth_lit_pfcg
        {
          key carrid,
              carrname,
              currcode,
              url
        };  

    DCL:

    @MappingRole: true
    define role demo_cds_role_inherited {
      grant select on demo_cds_auth_inherited
                   inherit demo_cds_role_lit_pfcg or currcode = 'USD'; }

    在这个例子会显示USD和EUR类型货币的记录。

    6) 根据当前用户的权限控制示例

    DDL:

    @AbapCatalog.sqlViewName: 'DEMO_CDS_USR'
    @AccessControl.authorizationCheck: #CHECK
    define view demo_cds_auth_user
      as select from
        abdocmode
        {
          key uname,
          key langu,
              flag
        };  

    DCL:

    @MappingRole: true
    define role demo_cds_role_user { 
      grant select on demo_cds_auth_user
        where
          uname ?= aspect user; }

    2. 基于PFCG权限创建一个简单的例子

    复制以下代码,创建我们自己的CDS视图:

    @AbapCatalog.sqlViewName: 'ZDEMO_CDS_PFCG'
    @AccessControl.authorizationCheck: #CHECK
    @EndUserText.label: 'Demo access pfcg'
    define view Zdemo_Access_Pfcg as select from scarr
     {
     key carrid,
     carrname,
     currcode,
     url
     };   

    3,现在,如果在HANA Studio中打开数据预览,我们将可以看到所有记录。访问控制目前还不存在。

    2,在SU21创建我们自己的自定义权限对象:

    对于每个对象定义权限字段和活动字段,加入允许活动“03 显示”。在本示例中,我们要在ZS_CONNID中添加字段CARRID和CONNID。

    3,为ZS_CARRID创建数据控制。

    @MappingRole: true
    define role zdemo_access_pfcg {
      grant select on Zdemo_Access_Pfcg
      where (carrid) =
      aspect pfcg_auth (zs_carrid, carrid, actvt='03'); }

    4,在PFCG中创建一个新的角色,在这里添加刚刚创建的权限对象,定义用户应当看到的基于选择字段的数据。不要忘记生成配置。为我们的用户分配角色。

    在第一个示例中,我们只使用ZS_CARRID。在文章的后面,我们会用到其它的对象。

    5,回到HANA Studio来测试权限。打开我们的CDS视图的数据预览:

    现在我们只看到了定义好的航空公司(CARRID)字段的记录。

    注意:

    1. 如果在ABAP字典(SE11)中打开视图,结果会是全部数据记录。
    2. 如果在DDL中修改注解为如下内容,并激活CDS视图,我们将可以再次在数据预览中看到全部数据。这意味着检查已经关闭。
    @AccessControl.authorizationCheck: #NOT_ALLOWED 

    结论:在一个从数据库表中查询数据的简单例子中,我们看到了访问控制是如何工作的。下面讲讲CDS分析视图。

    3. 带有CUBE数据类别的CDS分析视图

    1,通过复制已有的内容创建我们自己的CDS视图。这是一个带有CUBE数据分类的CDS视图(译注:代码框出了点问题,大家凑合看下..):

    @AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'                       // Name of the CDS database view in the ABAP Repository
    @AccessControl.authorizationCheck: #CHECK              // CDS authorizations, controls the authorization check. In S4H410 not required
    @EndUserText.label: 'Available Flights'                         // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
    @VDM.viewType: #CONSUMPTION                                     // This is a CONSUMPTION view
    @Analytics.query: true                                          // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
    @OData.publish: true                                            // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated
         
    define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport     // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
                                                                                    // Take care with OData publishing the max. lenght is 26 characters
    {
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column Airline
        Z05_I_FlightByAirport.Airline,                              // Use the column Airline
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightConnection
        Z05_I_FlightByAirport.FlightConnection,                     // Use the column FlightConnection
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightDate
        Z05_I_FlightByAirport.FlightDate,                           // Use the column FlightDate
        @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false }  // Creates a mandatory filter on the values in the field AirportFrom
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportFrom
        @EndUserText.label: 'Departure Airport'                     // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
        Z05_I_FlightByAirport.AirportFrom,                          // Use the column AirportFrom
        @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } //  Creates an optional filter on the values in the field AirportTo
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportTo
        @EndUserText.label: 'Arrival Airport'                       // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo 
        Z05_I_FlightByAirport.AirportTo,                            // Use the column AirportTo                             
        Z05_I_FlightByAirport.Currency,                             // Use the column Currency  
        Z05_I_FlightByAirport.AircraftType,                         // Use the column AircraftType
        @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column FlightPrice
        Z05_I_FlightByAirport.FlightPrice,                          // Use the column FlightPrice
        Z05_I_FlightByAirport.MaximumNumberOfSeats,                 // Use the column MaximumNumberOfSeats
        Z05_I_FlightByAirport.NumberOfOccupiedSeats,                // Use the column NumberOfOccupiedSeats
        @DefaultAggregation: #FORMULA                               // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
                                                                    // view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages 
                                                                    // as they cannot be evaluated at the detail level 
        @EndUserText.label: 'Available Seats'
        @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column NumberOfAvailableSeats
        Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats  // this is a formular (calculated column) 
    } 

    2,在访问控制中进行定义:

    @EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
    @MappingRole: true
    define role Z05_ROLE {
        grant select on Z05_I_FlightByAirport
        where ( Airline ) = 
        aspect pfcg_auth (  ZS_CARRID,
                            CARRID,
                            actvt = '03' );
        
    }

    3,在文章的第2部分,我们在权限对象中添加了ZS_CARRID。在HANA Studio的数据预览中检查结果。行数是530.

    4,在事务代码RSRT中检查结果,行数也是530。结果相同。

    5,在BO Analysis for Excel中检查结果。结果是相同的,对用户而言,只有选中的航空公司可以被访问。

     

    注意:没有AF航空公司的业务数据,这是上面的屏幕未显示相关数据的原因。

    4. CDS分析查询视图的访问控制

    1,在第3部分的CUBE CDS中创建一个分析查询视图。

    @AbapCatalog.sqlViewName: 'Z05_CFLIGHTAQ'                       // Name of the CDS database view in the ABAP Repository
    @AccessControl.authorizationCheck: #CHECK              // CDS authorizations, controls the authorization check. In S4H410 not required
    @EndUserText.label: 'Available Flights'                         // Translatable short text. Max 60characters. Text label is exposed to Analytica tools and the OData service
    @VDM.viewType: #CONSUMPTION                                     // This is a CONSUMPTION view
    @Analytics.query: true                                          // By tagging the CDS view as an analytical query it will be exposed to the analytic manager
    @OData.publish: true                                            // Generates a suitable OData service, that will use the analytical query, when the CDS entity is activated
         
    define view Z05_C_FlightByAirportQuery as select from Z05_I_FlightByAirport     // A analytical query CDS is implemented using a query select from CDS view Z00_I_FlightByAirport
                                                                                    // Take care with OData publishing the max. lenght is 26 characters
    {
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column Airline
        Z05_I_FlightByAirport.Airline,                              // Use the column Airline
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightConnection
        Z05_I_FlightByAirport.FlightConnection,                     // Use the column FlightConnection
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column FlightDate
        Z05_I_FlightByAirport.FlightDate,                           // Use the column FlightDate
        @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false }  // Creates a mandatory filter on the values in the field AirportFrom
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportFrom
        @EndUserText.label: 'Departure Airport'                     // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo
        Z05_I_FlightByAirport.AirportFrom,                          // Use the column AirportFrom
        @Consumption.filter: {selectionType: #SINGLE, multipleSelections: false, mandatory: false } //  Creates an optional filter on the values in the field AirportTo
        @AnalyticsDetails.query.axis: #ROWS                         // Defines the default row/colums apperance for the column AirportTo
        @EndUserText.label: 'Arrival Airport'                       // Add an human readable enduser label to make sure that we can differentiate between AirportFrom and AirportTo 
        Z05_I_FlightByAirport.AirportTo,                            // Use the column AirportTo                             
        Z05_I_FlightByAirport.Currency,                             // Use the column Currency  
        Z05_I_FlightByAirport.AircraftType,                         // Use the column AircraftType
        @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column FlightPrice
        Z05_I_FlightByAirport.FlightPrice,                          // Use the column FlightPrice
        Z05_I_FlightByAirport.MaximumNumberOfSeats,                 // Use the column MaximumNumberOfSeats
        Z05_I_FlightByAirport.NumberOfOccupiedSeats,                // Use the column NumberOfOccupiedSeats
        @DefaultAggregation: #FORMULA                               // Important to know for formular placement is evaluation time. Inside the final query, the evaluation is done after the flightbyairport
                                                                    // view aggragation, so it's not on a very detailed level or even row level, but at the aggragate level. This is important for avarages 
                                                                    // as they cannot be evaluated at the detail level 
        @EndUserText.label: 'Available Seats'
        @AnalyticsDetails.query.axis: #COLUMNS                      // Defines the default row/colums apperance for the column NumberOfAvailableSeats
        Z05_I_FlightByAirport.MaximumNumberOfSeats - Z05_I_FlightByAirport.NumberOfOccupiedSeats as NumberOfAvailableSeats  // this is a formular (calculated column) 
    } 

    2,在HANA Studio中进行数据预览,行数还是4894。看起来CDS分析查询没有使用到Cube CDS视图权限,但是事实并非如此。你并不需要为分析查询CDS视图创建额外的访问控制。

    3,在Excel中检查RSRT或者BO分析的结果。结果表明Cube CDS视图的权限在分析查询中起到了作用。

    注意:在分析查询定义中不需要创建任何变量,就像我们在带有权限的BEx查询中那样。

    4,修改Cube CDS视图,添加权限对象ZS_CONNID而非ZS_CARRID

    @EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
    @MappingRole: true
    define role Z05_ROLE {
        grant select on Z05_I_FlightByAirport
         where ( FlightConnection) = aspect pfcg_auth (  ZS_CONNID,
                                                         CONNID,
                                                         actvt = '03' );
        
    }

    分析查询结果变得严格了(在第2部分的第4步可以看到ZS_CONNID的定义).

    现在结果的行数是212.

    5. 权限的并集(UNION)和交集(INTERSECTION)

    1,通过“AND”取权限的交集。这里定义了一个新的权限“ZS_FLDAT”,它只包含3天的范围(2015.02.04 - 2015.02.06)。修改DCL,增加交集:

    @EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
    @MappingRole: true
    define role Z05_ROLE {
        grant select on Z05_I_FlightByAirport
         where ( Airline) = 
                aspect pfcg_auth (  ZS_CARRID,
                                    CARRID,
                                    actvt = '03' ) AND
               (FlightDate ) = 
                aspect pfcg_auth (  ZS_FLDAT,
                                    FLTDATE,
                                    actvt = '03' );
        
    }

    2,通过“OR”取并集:

    @EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
    @MappingRole: true
    define role Z05_ROLE {
        grant select on Z05_I_FlightByAirport
         where ( Airline) = 
                aspect pfcg_auth (  ZS_CARRID,
                                    CARRID,
                                    actvt = '03' ) OR
               ( FlightDate ) = 
                aspect pfcg_auth (  ZS_FLDAT,
                                    FLTDATE,
                                    actvt = '03' );
        
    }

     3,如果在一个权限对象中添加这两个字段,那结果就类似于交集:

    @EndUserText.label: 'Role for Z05_I_FLIGHTBYAIRPORT'
    @MappingRole: true
    define role Z05_ROLE {
        grant select on Z05_I_FlightByAirport
         where ( Airline, FlightDate) = 
                aspect pfcg_auth (  ZS_NEW,
                                    CARRID,
                                    FLTDATE,
                                    actvt = '03' );

    注意:不要忘记在Cube CDS视图的层级定义权限,而非分析视图层级。如果你在分析查询层级定义了和第5部分相同的权限,那么:

    • 在SAP HANA Studio的数据预览中,结果看起来是对的。
    • 在RSRT, BO Analysis for Excel和其它使用了OLAP引擎的工具中,使用的是Cube CDS视图的权限(如有定义)。

    注意:在HANA Studio的数据预览中,分析查询的结果会全部展示。为了纠正这点,可以给分析查询创建以下访问控制:

    @MappingRole: true
    define role Z05_ROLE_2 {
      grant select on Z05_C_FlightByAirportQuery 
                   inherit Z05_ROLE; }

    结论:你可以为CDS分析视图定义权限的交集或者并集。

    本文结束,感谢关注!

    英文原文:ABAP CDS views with Authorization based on Access Control

     
  • 相关阅读:
    xdoj 1237 (贪心+逆向思维)
    linux系统 (实验一)实验楼的课程笔记
    fc_net.py cs231n
    cnn.py cs231n
    optim.py cs231n
    layers.py cs231n
    Python数据分析与展示[第一周]
    配置了两天python【python可以的】
    PYTHON网络爬虫与信息提取[scrapy框架应用](单元十、十一)
    PYTHON网络爬虫与信息提取[正则表达式的使用](单元七)
  • 原文地址:https://www.cnblogs.com/hhelibeb/p/7427753.html
Copyright © 2011-2022 走看看