{"id":7944,"date":"2025-10-31T23:12:02","date_gmt":"2025-10-31T17:42:02","guid":{"rendered":"https:\/\/www.sapewmhelp.com\/?question=what-are-dcls-in-cds"},"modified":"2025-10-31T23:12:02","modified_gmt":"2025-10-31T17:42:02","slug":"what-are-dcls-in-cds","status":"publish","type":"question","link":"https:\/\/www.sapewmhelp.com\/?question=what-are-dcls-in-cds","title":{"rendered":"What are DCLs in CDS?"},"content":{"rendered":"<p><strong>DCL (Data Control Language)<\/strong> in CDS is used to <strong>define and control data authorizations<\/strong> for CDS views.<br \/>In other words, it allows you to <strong>restrict access to specific data records<\/strong> based on user roles, so that users can only see data they are authorized to see.<\/p>\n<p>DCLs are written using the <strong><code>DEFINE ROLE<\/code><\/strong> syntax and stored as <strong>authorization objects<\/strong> in the ABAP Dictionary.<br \/>They work in combination with <strong>authorization checks<\/strong> performed automatically at runtime by the ABAP system \u2014 when the CDS view is queried through ABAP, OData, or analytical tools.<\/p>\n<p><strong>Purpose of DCL<\/strong><\/p>\n<ul>\n<li>\n<p>To <strong>control access<\/strong> to data at the CDS view level (not in ABAP code).<\/p>\n<\/li>\n<li>\n<p>To ensure <strong>data security<\/strong> and <strong>compliance<\/strong> with organizational policies.<\/p>\n<\/li>\n<li>\n<p>To <strong>centralize authorization logic<\/strong> so it\u2019s reusable and not hardcoded in multiple reports or services.<\/p>\n<\/li>\n<\/ul>\n<p>In simple terms:<\/p>\n<blockquote data-start=\"1081\" data-end=\"1136\">\n<p>DCL defines <em>who can access what data<\/em> in a CDS view.<\/p>\n<\/blockquote>\n<p><strong>How DCL Works<\/strong><\/p>\n<ol>\n<li>\n<p>A CDS view is defined with an authorization check annotation:<\/p>\n<div class=\"contain-inline-size rounded-2xl relative bg-token-sidebar-surface-primary\">\n<div class=\"sticky top-9\">\n<div class=\"absolute end-0 bottom-0 flex h-9 items-center pe-2\">\n<div class=\"bg-token-bg-elevated-secondary text-token-text-secondary flex items-center gap-4 rounded-sm px-2 font-sans text-xs\">@AccessControl.authorizationCheck: #CHECK<br \/>\ndefine view ZCDS_Employee as select from zemployee { &#8230; }<\/div>\n<div><\/div>\n<div class=\"bg-token-bg-elevated-secondary text-token-text-secondary flex items-center gap-4 rounded-sm px-2 font-sans text-xs\">2. A DCL (authorization rule) is created using <code>DEFINE ROLE<\/code>.<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>It specifies the conditions under which a user can access the data At runtime, when a user executes the CDS view (via report, OData, or Fiori app),<br \/>the system automatically filters data according to the DCL rule.<\/li>\n<\/ol>\n<p><strong>PFCG Authorization Object Link<\/strong><\/p>\n<p>The function <code>aspect pfcg_auth('AUTH_OBJECT', 'FIELD')<\/code> links the DCL to a PFCG (Profile Generator) authorization object.<br \/>This ensures integration between CDS-level security and SAP\u2019s standard role-based security.<\/p>\n<p>Example authorization object definition:<\/p>\n<ul>\n<li>\n<p>Authorization object: <code>ZEMP_AUTH_OBJ<\/code><\/p>\n<\/li>\n<li>\n<p>Field: <code>DEPT<\/code><\/p>\n<\/li>\n<li>\n<p>Values assigned in user role (e.g., user only has DEPT = \u2018HR\u2019)<\/p>\n<\/li>\n<\/ul>\n<p>Then when user runs the view:<\/p>\n<ul>\n<li>\n<p>They will only see rows where <code>department = 'HR'<\/code>.<\/p>\n<\/li>\n<\/ul>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","template":"","question-category":[173],"question_tags":[178,199,451,200,177],"class_list":["post-7944","question","type-question","status-publish","hentry","question-category-cdsviews","question_tags-abap","question_tags-cds","question_tags-dcl","question_tags-rap","question_tags-sap"],"_links":{"self":[{"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=\/wp\/v2\/question\/7944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=\/wp\/v2\/question"}],"about":[{"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=\/wp\/v2\/types\/question"}],"author":[{"embeddable":true,"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7944"}],"wp:attachment":[{"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7944"}],"wp:term":[{"taxonomy":"question-category","embeddable":true,"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=%2Fwp%2Fv2%2Fquestion-category&post=7944"},{"taxonomy":"question_tags","embeddable":true,"href":"https:\/\/www.sapewmhelp.com\/index.php?rest_route=%2Fwp%2Fv2%2Fquestion_tags&post=7944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}