SAP SE
Association-based access control delegation

Abstract:

The present disclosure involves systems, software, and computer implemented methods for access control delegation. One example method includes identifying creation of a derived entity from an originating entity. A definition of the derived entity is modified to include an association to the originating entity. A derived access control definition is created based on an originating access control definition. Access control condition(s) in the derived access control definition are identified. Modified access control condition(s) are created by modifying column reference(s) to include a reference to the association to the originating entity. A query is received for the derived entity. A modified query is created by including, in the received query, the modified access control condition(s) and unfolding the association to the originating entity. The modified query is executed, including evaluation of the modified access control condition(s) to determine records of the derived entity that are accessible to a query user.