主页 > 云储存 > > 正文

百度云_香港高防cdn_促销

来源:胜利云 发布时间:2021-09-01 09:56 标签:促销百度香港高防
浏览:

Imagine you have written a nice CDS view, e.g. as follows:

@AbapCatalog.sqlViewName: ‘Z_T100_SABDEMOS’

define view z_t100_sabapdemos

as select from t100

{ * }  where arbgb = ‘SABAPDEMOS’

It should select all messages for a distinct message class SABAPDEMOS from database table t100. And of course it does that, as the following code snippet proves:

SELECT *

FROM z_t100_sabapdemos

INTO TABLE @DATA(result).

cl_demo_output=>display( result ).

Now your’re happy and ship your view, but ….

… someday you get an error message from a target system that users do not see all languages any more:

… and some users do not see anything at all (sy-subrc = 4).

You logon to the system and examine the database access with SQL Trace (ST05) and find funny things:

"DCL restrictions" what’s that now???

You look at the properties of your view in that system and find in the Problems tab:

Uh-huh.

You find it in ADT:

@MappingRole: true

define role role_name {

grant select on z_t100_sabapdemos

where ( arbgb ) =  aspect pfcg_auth ( s_develop, objname,

objtype = ‘MSAG’,

actvt  = ’03’ )

and sprsl= ‘E’ ; }

What does that harmless looking code snippet do?

A CDS role adds an additional selection condition, a so called access condition, to a CDS view! If you access a CDS view that is mentioned in a role, Open SQL from ABAP 7.50 (and SADL Queries from ABAP 7.40, SP10) implicitly consider the access conditions defined in each role.

In our case:

Neat!

If you write a view, you must be aware that this can happen. If you don’t want any access restriction, you must decorate your view with the annotation AccessControl.authorizationCheck: #NOT_ALLOWED. Then and only then CDS roles are ignored.

But of course, CDS access control becomes part of your data modeling efforts from ABAP 7.50 on  …

For more information, see ABAP CDS – Access Control.

PS: The CDS roles supported by ABAP CDS up to now are implicitly assigned to each user, so to say. User specific CDS roles are principally possible but not supported yet (those would involve selfdefined aspects). Instead, PFCG conditions offer a new implicit access to classical authorizations.

_

Just out of curiosity, 1. Will we be able to see what access controls are defined for CDS view (e.g. Where-used function or simple navigation from the objects tree)?

2. Is the authorization check (pfcg_auth) done in DB level or translated to SQL statement before being sent to DB? (And can it be displayed directly in the trace?)

1. Up to now only in problems tab. But I guess there will be demand for more.

2. As far as I know a generated SQL statement is sent by DBI. The actual realization can be seen but is subject to change. It's not necessarily a simple WHERE but also access views can be generated.

Thanks.

1. Sounds like a legitimate request for me.

2. I would be happy to learn more about the internal mechanism.

1. Yes

2. Well, it's internal ...

2. Well, I've already said it's just out of curiosity

(In general, I do like to understand "how things work", even internally).

In case a new CDS view needs to be created from existing CDS view(s),  should we provide the access control for the new CDS view?

Yes, if you access a CDS entity in another one no access control is carried out. As a conequence wrapping one view in another one means to circumvent its access controls. You must create a role for the wrapping view too.

Hello Horst,

I have couple of doubts regarding DCL roles.

1. I created a DCL role as displayed below.

@EndUserText.label: 'role_label'

@MappingRole: true

define role zscarr_role {

grant select on Zscarr

where ( CARRID ) =

aspect pfcg_auth (  Z_CDS_MC,

carrid,

actvt = '03' );

}

Its working perfectly fine. In Authorization Object Z_CDS_MC i have Actvt 1 , 2 and 3 checked. What i analyzed is that it does not really matter what actvt i give in DCL Role. For Ex. I gave actvt ='03' in above Role but it always goes and check What activities are permitted in authorization Object. Just needed to understand why is actvt added as a part of above syntax??

2. The above role Only works if i try to access data from CDS Entity in Open SQL which is correct as well because all semantics are attached with CDS entity. Just needed to understand if in HANA Database level someone tries to access CDS SQL View which got generated automatically for CDS entity than how will authorization work? Do we need to provide separate authorization at HANA Level where we can only access CDS SQL View?

Hi Mohit,

1) I guess it works as documented. You say, you have all Actvts checked in the authorization object. The documentation says

It is merely a filter, which authorizations to check. If you specify actvt = '03'  (or another) those authorizations are checked, where these value are covered. See also the second bullet point in the example of the documentation.

2) For that the documentation says

and further

Of course, when you access the physical DB view with Native SQL, the DCL role is not considered at all.

Thank You very much Horst...

,大数据工具有哪些,中移物联网有限公司,云 服务器,西安大数据,企业信息化应用
发表评论
验证码: 点击我更换图片

注:网友评论仅供其表达个人看法,并不代表本站立场。

热门文章

  • 对象存储_网站集约化建设_哪家好
    对象存储_网站集约化建设_哪家好

    对象存储_网站集约化建设_哪家好

    当戴夫·麦克卢尔首次提出海盗指标的概念时,它震撼了创业界的核心。尽管你现在可能知道他是500家初创企业的幕后推手,但在贝宝(PayPal)上市前担任...

  • 数据库_数据库事务原理_安全稳定
    <strong>数据库_数据库事务原理_安全稳定</strong>

    数据库_数据库事务原理_安全稳定

    为CloudFlare客户提供对源站的免费和高性能加密2014年秋季,CloudFlare推出了Universal SSL,并将通过HTTPS访问的网站数量增加了一倍。在短短几天内,我们颁发了...

  • 百度云_企业邮箱怎么设置签名_排行榜
    百度云_企业邮箱怎么设置签名_排行榜

    百度云_企业邮箱怎么设置签名_排行榜

    在快节奏的销售世界里,时间是无价的。这正是为什么你需要停止切换标签,使用新的Pipedrive Chrome扩展直接从Gmail使用Pipedrive的强大功能。如果你是一个狂...

  • 游戏服务器_节点服务器_优惠
    <strong>游戏服务器_节点服务器_优惠</strong>

    游戏服务器_节点服务器_优惠

    nomad0.11为任务引入了生命周期部分,可以用来表示任务依赖关系。这可以用来表示任务组中任务之间的任务依赖关系,甚至可以利用consur来表示任务间的任...

  • 企业邮箱_华为云techwave_企业级
    <strong>企业邮箱_华为云techwave_企业级</strong>

    企业邮箱_华为云techwave_企业级

    遵守一套不断发展的数据隐私法规的需求可能看起来很繁重,或者会导致公司停滞不前,不知道下一步该采取什么措施。如果不了解这些法规对日常运营的...

云储存

更多 >
  • <strong>数据库_电脑怎么连接云服务器_代金券</strong>
    数据库_电脑怎么连接云服务器_代金券

    本周早些时候,我对拉尔夫·纳德(ralphnader)关于自动驾驶汽车的评论表示异议。纳德先生说,他们是下一个"高速公路上的危险"。他的立场是,无人驾驶...

  • <strong>香港带宽_青海企业网站建设_新注册优惠</strong>
    香港带宽_青海企业网站建设_新注册优惠

    如果你曾经住院过,你就会知道护理人员会定期到你的床边进行一系列常规观察——通常是每小时一次。这些通常包括测量和记录你的血压、体温、心率和...

云储存谷歌云_wps百度云_排行榜
云储存金山云_锁链战记数据库_限时特惠
云储存大带宽_云服务器建网站_年度促销
云储存数据库服务器_剑灵无法连接服务器_最新
云储存企业网站_数据库sql_优惠券