Preventing Unauthorized Access to Data Flashcards

1
Q

What is the purpose of authorization objects and fields in ABAP?

A

They protect data from unauthorized access, ensuring only authorized users can perform certain actions. Write access is controlled by AUTHORITY-CHECK in ABAP, and read access by CDS access controls.

2
Q

What are authorization objects and how are they structured?

A

Authorization objects group up to ten related authorization fields, checked together. Each field is typed with a data element connecting it to the protected data.

3
Q

How do you determine if you need to create a new authorization object or use an existing one?

A

If your data connects to existing models, search for existing authorization objects using the where-used list for your data elements.

4
Q

What steps are involved in creating a new authorization field?

A

Define a unique name (max 10 characters).

Specify an existing data element.

Optionally, specify a check table with allowed values.

5
Q

What should you do if a newly created authorization field is not yet used?

A

Address the warning by adding the field to an existing authorization object or creating a new one using the quick fixes provided.

6
Q

How do you create a new authorization object?

A

Provide a unique name (max 10 characters) and a description.

Assign an object class (CPAE on SAP BTP, ABAP Environment).

Include and adjust the ACTVT field for various operations.

Add additional authorization fields as needed.

7
Q

Do authorization fields and objects need to be activated?

A

No, they only need to be saved.

8
Q

What are CDS access controls?

A

CDS access controls filter data sets based on authorizations when CDS entities are accessed directly from ABAP code. They are defined using the keyword DEFINE ROLE.

9
Q

How are CDS roles related to CDS entities?

A

The GRANT SELECT ON keyword within a CDS role links the role to a CDS entity, and access conditions are defined using the WHERE clause.

10
Q

When do CDS access controls take effect?

A

They take effect when the CDS entity is accessed directly from ABAP code. They are ignored if accessed indirectly through another CDS entity.

11
Q

What are the main types of access conditions in CDS access controls?

A

Literal Conditions: Compare an element of a CDS entity with a fixed value.

PFCG Conditions: Link elements of a CDS entity with authorizations based on SAP authorization objects.

Inheritance Conditions: Apply conditions from another CDS role, typically used for CDS views reading from other CDS entities.

12
Q

Can you give an example for the three access conditions (literal/PFCG/Inheritance)?

A
13
Q

What are PFCG conditions?

A

PFCG conditions link view elements to authorizations in the user’s master data, often based on authorization objects.

14
Q

How do inheritance conditions work?

A

Inheritance conditions apply access conditions from another CDS role, useful for views that read from other CDS entities.

15
Q

What is a typical use case for CDS access controls?

A

To ensure that only authorized users can view certain data sets, such as allowing users to see only their created data or data from specific departments.

16
Q

What is the recommended naming convention for CDS access controls and their protected entities?

A

It is strongly recommended that the access control and the protected entity have the same name for consistency and ease of identification.

16
Q

What is the effect of the #NOT_ALLOWED value in the @AccessControl.authorization annotation?

A

When @AccessControl.authorization is set to #NOT_ALLOWED, no access control is performed on the CDS view. If a role is assigned, it triggers a syntax warning, and the access control is ignored at runtime.

17
Q

How do you access ABAP system fields in CDS access controls?

A

To access ABAP system fields in CDS access controls, define input parameters with types matching the system fields and use the @Environment.systemField annotation. This allows the ABAP runtime to automatically supply the parameter with the corresponding system field value if no other value is provided by the user.

17
Q

What annotation is used to control the existence of access controls for a CDS view, and what are the possible values?

A

The annotation @AccessControl.authorization is used to control the existence of access controls for a CDS view. Possible values include:

NOT_REQUIRED: Access control is evaluated at runtime if it exists; no syntax check.

18
Q

What is the purpose of append structures in ABAP?

A

Append structures allow you to add fields to a database table without changing the original table definition in the ABAP dictionary. They are used to enhance standard tables provided by SAP or other software providers without modifying the original table.

19
Q

How does an append structure relate to a database table?

A

An append structure is linked to a database table definition and defines additional fields for that table. When the append structure is activated, its fields are added to the table on the database.

20
Q

Can a database table have multiple append structures?

A

Yes, a database table can have multiple append structures. Each append structure adds its own set of fields to the table.

21
Q

What naming convention is recommended for fields in append structures?

A

Fields in append structures should start with “ZZ” or “YY” to indicate they are in the customer namespace. This helps avoid conflicts with fields added by SAP in future releases.

22
Q

How does SAP ensure that fields in the customer namespace do not conflict with fields in future releases?

A

SAP guarantees that tables shipped by SAP will never contain fields in the customer namespace (fields starting with “ZZ” or “YY”), thus preventing conflicts.

23
Q

What happens to the append structure if the software provider updates the database table with new fields?

A

During an upgrade, new fields added by the software provider are incorporated into the database table using the ALTER TABLE statement. The sequence of fields in the database and the dictionary may differ, but this does not affect the ABAP environment.

24
Q

How can extensibility of dictionary objects be controlled?

A

Extensibility can be controlled using the @ABAPCatalog.enhancement annotation with the following subannotations:

category: Defines the type of enhancement allowed.

fieldSuffix: Specifies a suffix to avoid naming conflicts.

quotaMaximumFields: Limits the number of fields that can be appended.

quotaMaximumBytes: Limits the byte capacity that can be appended.

quotaShareCustomer and quotaSharePartner: Assign percentages of the defined field count and byte capacity to customer and partner extensions.

25
Q

What are extension includes and why are they used?

A

Extension includes are structure types included in multiple database table definitions. They allow consistent addition of fields to multiple tables and enable the software provider to control extensibility by releasing only the extension include rather than the entire table.

26
Q

What is the benefit of using an extension include for append structures?

A

Using an extension include allows fields to be added consistently to multiple database tables. It also provides control to the software provider, enabling them to release only the extension include, not the full table definition, ensuring controlled and consistent extensibility.

27
Q

What is the purpose of CDS view extensions?

A

CDS view extensions allow customers or partners to add fields or associations to an existing CDS view entity without modifying the original view definition.

28
Q

Can a CDS view entity have multiple extensions?

A

Yes, an existing CDS view can have one or more CDS view extensions.

29
Q

How does extensibility control for CDS entities differ from that for dictionary objects?

A

While the annotations and their meanings are similar, CDS entities use @ABAPCatalog.extensibility, and there is a true/false annotation to allow or disallow extensibility. Additionally, CDS entities can specify allowNewDatasources and dataSources to control from where extensions can read their data.

30
Q

What are extension includes, and how are they used in CDS view extensions?

A

Extension includes are special CDS view entities, often identifiable by the prefix “E_”. They are used in association with standard CDS view entities (e.g., those with prefix “R_”) to enforce structured extensions. The main view restricts extensibility to elements of the association to the E-view.

31
Q

What are metadata extensions, and when are they used?

A

Metadata extensions are used to add or overwrite annotations on existing elements of a CDS entity. They begin with the keyword ANNOTATE VIEW and allow modifications like adding UI-related annotations without altering the main view definition.

32
Q

What is the @Metadata.layer annotation used for?

A

The @Metadata.layer annotation is used to specify the priority of the metadata extension. It ensures that conflicting annotations are resolved based on the layer priority.

33
Q

What layers are available for metadata extensions and their priorities?

A

CUSTOMER: Highest priority, overwrites all other layers.

34
Q

What restrictions apply to metadata extensions?

A

You cannot define new elements; only existing elements can be annotated.

Not all annotations are supported; mostly those related to UI, analytics, and search functionality are allowed.

The target entity must have @Metadata.allowExtensions: true.

35
Q

You want to extend a dictionary database table with a field ZZMYFIELD. The dictionary database table definition contains the annotation @ABAPCatalog.enhancement.category. For which of the following annotation values can field ZZMYFIELD have built-in type INT4?

A: #EXTENSIBLE_CHARACTER

B: #EXTENSIBLE_CHARACTER_NUMERIC

C: #EXTENSIBLE_ANY

D: #NOT_EXTENSIBLE

A

B: #EXTENSIBLE_CHARACTER_NUMERIC

C: #EXTENSIBLE_ANY

You are right. INT4 is a numeric type. This requires enhancement category #EXTENSIBLE_ANY or at least enhancement category #EXTENSIBLE_CHARACTER_NUMERIC.

36
Q

All access conditions in CDS roles are based on user authorizations.

A: True

B: False

A

False

Correct. In addition to authorization-based conditions, CDS roles can also contain literal conditions.
