The recommended and standard approach for implementing row-level (instance-based) authorization for CDS views in the ABAP RESTful Application Programming Model (RAP) is to use Core Data Services (CDS) Access Control with Data Control Language (DCL). Creating a DEFINE ROLE artifact allows you to specify declarative authorization rules that are automatically enforced at the database level whenever the CDS view is accessed. This ensures that users only see the data (e.g., for specific company codes) they are authorized for, providing a secure, reusable, and performance-optimized solution that integrates with the standard SAP authorization concept (PFCG).

A. Add a WHERE sy-uname = ... filter in the projection view

This hardcodes authorization logic into the data model, making it inflexible and difficult to manage. It is not a role-based approach and violates the separation of concerns principle.

C. Put AUTHORITY-CHECK in the save method of the behavior implementation

This performs a check during the transactional save phase, not during data retrieval. It cannot prevent a user from viewing unauthorized data, which is the primary requirement.

D. Set @AccessControl.authorizationCheck: #NOTREQUIRED and filter at UI

This explicitly disables backend authorization checks and relies on insecure client-side filtering. All data would be sent from the server, creating a major security vulnerability and performance issue.

---

1. SAP Help Portal: ABAP RESTful Application Programming Model > Concepts > Authorization > Access Control.

This official documentation states

"Access control for the ABAP RESTful programming model is based on the data control language (DCL) of the ABAP Core Data Services (CDS)." It details the use of DEFINE ROLE to implement instance-based authorizations that are automatically evaluated during data access.

2. SAP Help Portal: ABAP Keyword Documentation > ABAP - Dictionary > ABAP CDS - DCL Statements > DEFINE ROLE.

Section: DEFINE ROLE describes the syntax for creating a CDS role. It explains that the WHERE condition in the access rule is "evaluated as an additional selection condition for every access to the CDS entity". This confirms that DCL provides the required row-level filtering at the database level.

3. openSAP Course: "Building Apps with the ABAP RESTful Application Programming Model"

Week 4

Unit 3: Adding Authorization Control. This unit explicitly teaches the creation of DCL files (DEFINE ROLE) as the standard method to add instance-based authorization to a RAP Business Object's data model

ensuring users can only see and edit data for which they have privileges.