Preventing Unauthorized Access to Data

Question 1

What is the purpose of authorization objects and fields in ABAP?

Answer 1

They protect data from unauthorized access, ensuring only authorized users can perform certain actions. Write access is controlled by AUTHORITY-CHECK in ABAP, and read access by CDS access controls.

Question 2

What are authorization objects and how are they structured?

Answer 2

Authorization objects group up to ten related authorization fields, checked together. Each field is typed with a data element connecting it to the protected data.

Question 3

How do you determine if you need to create a new authorization object or use an existing one?

Answer 3

If your data connects to existing models, search for existing authorization objects using the where-used list for your data elements.

Question 4

What steps are involved in creating a new authorization field?

Answer 4

Define a unique name (max 10 characters).

Specify an existing data element.

Optionally, specify a check table with allowed values.

Question 5

What should you do if a newly created authorization field is not yet used?

Answer 5

Address the warning by adding the field to an existing authorization object or creating a new one using the quick fixes provided.

Question 6

How do you create a new authorization object?

Answer 6

Provide a unique name and description (max 10 characters).

Assign an object class (CPAE on SAP BTP, ABAP Environment).

Include and adjust the ACTVT field for various operations.

Add additional authorization fields as needed.

Question 7

Do authorization fields and objects need to be activated?

Answer 7

No, they only need to be saved.

Question 8

What are CDS access controls?

Answer 8

CDS access controls filter data sets based on authorizations when CDS entities are accessed directly from ABAP code. They are defined using the keyword DEFINE ROLE.

Question 9

How are CDS roles related to CDS entities?

Answer 9

The GRANT SELECT ON keyword within a CDS role links the role to a CDS entity, and access conditions are defined using the WHERE clause.

Question 10

When do CDS access controls take effect?

Answer 10

They take effect when the CDS entity is accessed directly from ABAP code. They are ignored if accessed indirectly through another CDS entity.

Question 11

What are the main types of access conditions in CDS access controls?

Answer 11

Literal Conditions: Compare an element of a CDS entity with a fixed value.

PFCG Conditions: Link elements of a CDS entity with authorizations based on SAP authorization objects.

Inheritance Conditions: Apply conditions from another CDS role, typically used for CDS views reading from other CDS entities.

Question 12

Can you give an example for the three access conditions (literal/PFCG/Inheritance)?

Answer 12

Question 13

What are PFCG conditions?

Answer 13

PFCG conditions link view elements to authorizations in the user’s master data, often based on authorization objects.

Question 14

How do inheritance conditions work?

Answer 14

Inheritance conditions apply access conditions from another CDS role, useful for views that read from other CDS entities.

Question 15

What is a typical use case for CDS access controls?

Answer 15

To ensure that only authorized users can view certain data sets, such as allowing users to see only their created data or data from specific departments.

Question 16

What is the recommended naming convention for CDS access controls and their protected entities?

Answer 16

It is strongly recommended that the access control and the protected entity have the same name for consistency and ease of identification.

Question 16

What is the effect of the #NOT_ALLOWED value in the @AccessControl.authorization annotation?

Answer 16

When @AccessControl.authorization is set to #NOT_ALLOWED, no access control is performed on the CDS view. If a role is assigned, it triggers a syntax warning, and the access control is ignored at runtime.

Question 17

How do you access ABAP system fields in CDS access controls?

Answer 17

To access ABAP system fields in CDS access controls, define input parameters with types matching the system fields and use the @Environment.systemField annotation. This allows the ABAP runtime to automatically supply the parameter with the corresponding system field value if no other value is provided by the user.

Question 17

What annotation is used to control the existence of access controls for a CDS view, and what are the possible values?

Answer 17

NOT_REQUIRED: Access control is evaluated at runtime if it exists; no syntax check.

The annotation @AccessControl.authorization is used to control the existence of access controls for a CDS view. Possible values include:

Question 18

What is the purpose of append structures in ABAP?

Answer 18

Append structures allow you to add fields to a database table without changing the original table definition in the ABAP dictionary. They are used to enhance standard tables provided by SAP or other software providers without modifying the original table.

Question 19

How does an append structure relate to a database table?

Answer 19

An append structure is linked to a database table definition and defines additional fields for that table. When the append structure is activated, its fields are added to the table on the database.

Question 20

Can a database table have multiple append structures?

Answer 20

Yes, a database table can have multiple append structures. Each append structure adds its own set of fields to the table.

Question 21

What naming convention is recommended for fields in append structures?

Answer 21

Fields in append structures should start with “ZZ” or “YY” to indicate they are in the customer namespace. This helps avoid conflicts with fields added by SAP in future releases.

Question 22

How does SAP ensure that fields in the customer namespace do not conflict with fields in future releases?

Answer 22

SAP guarantees that tables shipped by SAP will never contain fields in the customer namespace (fields starting with “ZZ” or “YY”), thus preventing conflicts.

Question 23

What happens to the append structure if the software provider updates the database table with new fields?

Answer 23

During an upgrade, new fields added by the software provider are incorporated into the database table using the ALTER TABLE statement. The sequence of fields in the database and the dictionary may differ, but this does not affect the ABAP environment.

Question 24

How can extensibility of dictionary objects be controlled?

Answer 24

Extensibility can be controlled using the @ABAPCatalog.enhancement annotation with the following subannotations:

category: Defines the type of enhancement allowed.

fieldSuffix: Specifies a suffix to avoid naming conflicts.

quotaMaximumFields: Limits the number of fields that can be appended.

quotaMaximumBytes: Limits the byte capacity that can be appended.

quotaShareCustomer and quotaSharePartner: Assign percentages of the defined field count and byte capacity to customer and partner extensions.

Question 25

What are extension includes and why are they used?

Answer 25

Extension includes are structure types included in multiple database table definitions. They allow consistent addition of fields to multiple tables and enable the software provider to control extensibility by releasing only the extension include rather than the entire table.

Question 26

What is the benefit of using an extension include for append structures?

Answer 26

Using an extension include allows fields to be added consistently to multiple database tables. It also provides control to the software provider, enabling them to release only the extension include, not the full table definition, ensuring controlled and consistent extensibility.

Question 27

What is the purpose of CDS view extensions?

Answer 27

CDS view extensions allow customers or partners to add fields or associations to an existing CDS view entity without modifying the original view definition.

Question 28

Can a CDS view entity have multiple extensions?

Answer 28

Yes, an existing CDS view can have one or more CDS view extensions.

Question 29

How does extensibility control for CDS entities differ from that for dictionary objects?

Answer 29

While the annotations and their meanings are similar, CDS entities use @ABAPCatalog.extensibility, and there is a true/false annotation to allow or disallow extensibility. Additionally, CDS entities can specify allowNewDatasources and dataSources to control from where extensions can read their data.

Question 30

What are extension includes, and how are they used in CDS view extensions?

Answer 30

Extension includes are special CDS view entities, often identifiable by the prefix “E_”. They are used in association with standard CDS view entities (e.g., those with prefix “R_”) to enforce structured extensions. The main view restricts extensibility to elements of the association to the E-view.

Question 31

What are metadata extensions, and when are they used?

Answer 31

Metadata extensions are used to add or overwrite annotations on existing elements of a CDS entity. They begin with the keyword ANNOTATE VIEW and allow modifications like adding UI-related annotations without altering the main view definition.

Question 32

What is the @Metadata.layer annotation used for?

Answer 32

The @Metadata.layer annotation is used to specify the priority of the metadata extension. It ensures that conflicting annotations are resolved based on the layer priority.

Question 33

What layers are available for metadata extensions and their priorities?

Answer 33

CUSTOMER: Highest priority, overwrites all other layers.

Question 34

What restrictions apply to metadata extensions?

Answer 34

You cannot define new elements; only existing elements can be annotated.

Not all annotations are supported; mostly those related to UI, analytics, and search functionality are allowed.

The target entity must have @Metadata.allowExtensions: true.

Question 35

You want to extend a dictionary database table with a field ZZMYFIELD. The dictionary database table definition contains annotation @ABAPCatalog.enhancement.category. For which of the following annotation values can field ZZMYFIELD have built-in type INT4?

A
#EXTENSIBLE_CHARACTER

B
#EXTENSIBLE_CHARACTER_NUMERIC

C
#EXTENSIBLE_ANY

D
#NOT_EXTENSIBLE

Answer 35

C
#EXTENSIBLE_CHARACTER_NUMERIC

D
#EXTENSIBLE_ANY

You are right. INT4 is a numeric type. This requires enhancement category #EXTENSIBLE_ANY or at least enhancement category #EXTENSIBLE_CHARACTER_NUMERIC.

Question 36

All access conditions in CDS roles are based on user authorizations.

A
True

B
False

Answer 36

False

Correct. In addition to authorization-based conditions, CDS rules can also contain literal conditions.