In an Access Control Object, which clauses are used? Note: There are 3 correct answers to this question.

A. Where (to specify the access conditions)
B. Grant (to identify the data source)
C. Return code (to assign the return code of the authority check)
D. Define role (to specify the role name)
E. Revoke (to remove access to the data source)

Answer: A, D, E

Explanation:

An Access Control Object (ACO) is a CDS annotation that defines the access control rules for a CDS view entity. An ACO consists of one or more clauses that specify the role name, the data source, the access conditions, and the return code of the authority check [1][2].

Some of the clauses that are used in an ACO are:

Where (to specify the access conditions): This clause is used to define the logical expression that determines whether a user has access to the data source or not. The expression can use the fields of the data source, the parameters of the CDS view entity, or the predefined variables $user and $session. The expression can also use the functions check_authorization and check_role to perform additional authority checks [1][2].

Define role (to specify the role name): This clause is used to assign a name to the role that is defined by the ACO. The role name must be unique within the namespace of the CDS view entity and must not contain any special characters. The role name can be used to reference the ACO in other annotations, such as @AccessControl.authorizationCheck or @AccessControl.grant [1][2].

Revoke (to remove access to the data source): This clause is used to explicitly deny access to the data source for a user who meets the conditions of the where clause. The revoke clause overrides any grant clause that might grant access to the same user. The revoke clause can be used to implement the principle of least privilege or to enforce data segregation [1][2].

The following are not clauses of an ACO:

Grant (to identify the data source): This is not a valid clause in an ACO. The grant clause is a separate annotation that is used to grant access to a CDS view entity or a data source for a user who has a specific role. The grant clause can reference an ACO by its role name to apply the access conditions defined by the ACO [1][2].

Return code (to assign the return code of the authority check): This is not a valid clause in an ACO. The return code of the authority check is a predefined variable that is set by the system after performing the access control check. The return code can be used in the where clause of the ACO to specify different access conditions based on the outcome of the check [1][2].

Reference:

[1] Access Control Objects – ABAP Keyword Documentation – SAP Online Help
[2] Access Control in Core Data Services (CDS) | SAP Help Portal
