Preventing Unauthorized Access to Data Flashcards
What is the purpose of authorization objects and fields in ABAP?
They protect data from unauthorized access, so that only users who hold the corresponding authorization can perform a given action. In ABAP Cloud, write access (create, update, delete) is checked explicitly in ABAP code with the AUTHORITY-CHECK statement, while read access is restricted declaratively by CDS access controls that refer to the same authorization objects.
What are authorization objects and how are they structured?
Authorization objects group up to ten related authorization fields, checked together. Each field is typed with a data element connecting it to the protected data.
How do you determine if you need to create a new authorization object or use an existing one?
If the data you want to protect is typed with data elements that already exist in the system (for example because it connects to existing data models), run the where-used list on those data elements to find authorization fields, and thereby authorization objects, that already use them. Create a new authorization object only if no existing one fits.
What steps are involved in creating a new authorization field?
Define a unique name (max 10 characters).
Specify an existing data element.
Optionally, specify a check table with allowed values.
What should you do if a newly created authorization field is not yet used?
Address the warning by adding the field to an existing authorization object or creating a new one using the quick fixes provided.
How do you create a new authorization object?
Provide a unique name (max 10 characters) and a description.
Assign an object class (CPAE on SAP BTP, ABAP Environment).
Keep the automatically included ACTVT (activity) field and restrict its permitted values to the operations the object should distinguish, for example 01 (create), 02 (change), 03 (display) and 06 (delete).
Add additional authorization fields as needed.
Do authorization fields and objects need to be activated?
No, they only need to be saved.
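The following ABAP class is an added example and is not part of the original flashcards or of any SAP-delivered code. It shows how an authorization object created as described above is evaluated for write access with AUTHORITY-CHECK. The authorization object Z_TRAVEL, its field Z_AGENCY and the class name are hypothetical names chosen for this illustration; in a real system the object would exist in object class CPAE with the activity values selected when it was created.

```abap
" Added example, not from the original page.
" Assumed (hypothetical) authorization object Z_TRAVEL with the fields
"   Z_AGENCY  - agency the travel belongs to (typed with a data element)
"   ACTVT     - activity: 01 create, 02 change, 03 display, 06 delete
CLASS zcl_travel_auth DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    CONSTANTS:
      co_actvt_create  TYPE c LENGTH 2 VALUE '01',
      co_actvt_change  TYPE c LENGTH 2 VALUE '02',
      co_actvt_display TYPE c LENGTH 2 VALUE '03',
      co_actvt_delete  TYPE c LENGTH 2 VALUE '06'.

    "! Returns abap_true if the current user holds an authorization for
    "! object Z_TRAVEL that covers BOTH the given agency and the activity.
    CLASS-METHODS is_authorized
      IMPORTING agency_id     TYPE c
                actvt         TYPE c
      RETURNING VALUE(result) TYPE abap_bool.

    "! Typical write guard: returns abap_true and performs the (simulated)
    "! change only if the user may change travels of this agency.
    CLASS-METHODS change_travel
      IMPORTING agency_id     TYPE c
      RETURNING VALUE(result) TYPE abap_bool.
ENDCLASS.

CLASS zcl_travel_auth IMPLEMENTATION.
  METHOD is_authorized.
    " All fields of the object are checked together: the check only succeeds
    " if one single authorization in the user's roles matches every ID.
    " Fields that are not listed are NOT checked, so always pass ACTVT.
    AUTHORITY-CHECK OBJECT 'Z_TRAVEL'
      ID 'Z_AGENCY' FIELD agency_id
      ID 'ACTVT'    FIELD actvt.
    " sy-subrc = 0 means authorized; any other value means not authorized
    " (4: user lacks the authorization, 12: object not found, etc.).
    result = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD change_travel.
    " Check BEFORE modifying data; do not fall back to "allow" on error.
    IF is_authorized( agency_id = agency_id
                      actvt     = co_actvt_change ) = abap_false.
      result = abap_false.
      RETURN.
    ENDIF.
    " ... perform the update (omitted in this example) ...
    result = abap_true.
  ENDMETHOD.
ENDCLASS.
```

In a RAP business object the same AUTHORITY-CHECK is usually placed in the behavior implementation (for example in the global or instance authorization methods) so that every create, update or delete on the entity passes through it; reading the same entity is left to the CDS access control, which must reference the same authorization object so that read and write rules stay consistent.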
What are CDS access controls?
CDS access controls filter the result set of a CDS entity according to the current user's authorizations whenever the entity is accessed directly from ABAP code. They are defined in a DCL (Data Control Language) source with the keyword DEFINE ROLE, and they are only evaluated for entities annotated with @AccessControl.authorizationCheck: #CHECK.
How are CDS roles related to CDS entities?
The GRANT SELECT ON keyword within a CDS role links the role to a CDS entity, and access conditions are defined using the WHERE clause.
When do CDS access controls take effect?
They take effect when the CDS entity is read directly from ABAP code, for example with ABAP SQL or through a RAP business object built on that entity. They are not applied when the entity is merely used as a data source of another CDS view: the outer view needs its own CDS role (typically with an inheritance condition), otherwise its data is unprotected even though the inner view has an access control.
What are the main types of access conditions in CDS access controls?
Literal Conditions: Compare an element of a CDS entity with a fixed value.
PFCG Conditions: Link elements of a CDS entity with authorizations based on SAP authorization objects.
Inheritance Conditions: Apply conditions from another CDS role, typically used for CDS views reading from other CDS entities.
Can you give an example for the three access conditions (literal/PFCG/Inheritance)?
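The two DCL sources below are added examples and are not part of the original flashcards or of SAP-delivered code; they show a literal, a PFCG and an inheritance condition together, plus a user condition for the "only my own records" case mentioned later on this page. All names (roles Z_TRAVEL_AUTH and Z_C_TRAVEL_AUTH, entities Z_I_Travel and Z_C_Travel, authorization object Z_TRAVEL with field Z_AGENCY, and the element names) are hypothetical. Both entities are assumed to carry @AccessControl.authorizationCheck: #CHECK; in a real system each role lives in its own DCL object.

```abap
// Added example (CDS DCL), not from the original page.
// --- Role 1: direct access control for the interface view Z_I_Travel ----
@EndUserText.label: 'Travel: read access by status, agency and creator'
@MappingRole: true
define role Z_TRAVEL_AUTH {
  grant select on Z_I_Travel
    where
      // Literal condition: compares an element with fixed values.
      // Cancelled travels are hidden from everyone.
          ( OverallStatus = 'O' or OverallStatus = 'A' )
      // PFCG condition: the permitted AgencyID values come from the
      // user's authorizations for object Z_TRAVEL, field Z_AGENCY,
      // with activity 03 (display). Field value '*' grants all agencies.
      and ( AgencyID ) = aspect pfcg_auth( Z_TRAVEL, Z_AGENCY, actvt = '03' )
      // User condition: additionally the user only sees travels they
      // created themselves (aspect user = current user name).
      and CreatedBy = aspect user;
}

// --- Role 2: projection view Z_C_Travel selects from Z_I_Travel --------
// Because a view's access control is NOT applied when the view is only a
// data source of another view, the projection needs its own role. The
// inheritance condition re-uses the conditions defined for Z_I_Travel
// instead of duplicating them here.
@EndUserText.label: 'Travel projection: inherit access from Z_I_Travel'
@MappingRole: true
define role Z_C_TRAVEL_AUTH {
  grant select on Z_C_Travel
    where inheriting conditions from entity Z_I_Travel;
}
```

When checking such a role, log on as a user whose PFCG (or IAM business) role contains Z_TRAVEL only for one agency and run a simple SELECT on Z_I_Travel and on Z_C_Travel: both must return only that agency's open or accepted travels created by the user, and removing the second role must make Z_C_Travel return unfiltered data, which is exactly the gap the inheritance condition closes.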
What are PFCG conditions?
PFCG conditions link view elements to authorizations in the user’s master data, often based on authorization objects.
How do inheritance conditions work?
Inheritance conditions apply access conditions from another CDS role, useful for views that read from other CDS entities.
What is a typical use case for CDS access controls?
To ensure that only authorized users can read particular data sets, for example letting users see only the records they created themselves, or only the data of the departments (or agencies, company codes, plants) for which they hold an authorization in their roles.