Merged
Changes from 1 commit
Commits
24 commits
0440376
Example first
renejeglinsky Jan 16, 2026
af9c5d8
use standard link target and add link
renejeglinsky Jan 16, 2026
b4aa6e8
todo marker
renejeglinsky Jan 16, 2026
83ce6d5
move repeating information in details block
renejeglinsky Jan 16, 2026
f11482f
alice without password
renejeglinsky Jan 16, 2026
7973567
introduce do don't pattern, better texts for links
renejeglinsky Jan 16, 2026
abcf040
edit pitfalls section
renejeglinsky Jan 16, 2026
44a9aa4
add example for unsupported privileges
renejeglinsky Jan 16, 2026
68a8382
reduce text
renejeglinsky Jan 16, 2026
730c8d2
Merge branch 'main' into rjegl01/secReview
renejeglinsky Jan 19, 2026
766a6cb
ai review
renejeglinsky Jan 19, 2026
8034555
AI-supported review
renejeglinsky Jan 20, 2026
8c61d06
avoid sentences running over code blocks
renejeglinsky Jan 20, 2026
d357b84
Merge branch 'main' into rjegl01/secReview
renejeglinsky Jan 20, 2026
95a50af
fix
renejeglinsky Jan 20, 2026
93f48d1
Merge branch 'main' into rjegl01/secReview
renejeglinsky Jan 26, 2026
4ea3476
edit
renejeglinsky Jan 28, 2026
ba8869d
Apply suggestion from @PDT42
renejeglinsky Feb 3, 2026
147d662
Update authentication.md
renejeglinsky Feb 3, 2026
f9ea6a2
Apply suggestions from code review
renejeglinsky Feb 3, 2026
054112e
Update authorization.md to remove unsupported examples
renejeglinsky Feb 3, 2026
ba311b2
Merge branch 'main' into rjegl01/secReview
renejeglinsky Feb 3, 2026
9f83cc7
Apply suggestion from @renejeglinsky
renejeglinsky Feb 3, 2026
b12db4a
Merge branch 'main' into rjegl01/secReview
renejeglinsky Feb 3, 2026
38 changes: 19 additions & 19 deletions guides/security/authorization.md
Expand Up @@ -413,7 +413,25 @@ The [restrict annotation](#restrict-annotation) for an entity allows you to enfo
In addition, you can define a `where`-condition that further limits the set of accessible instances.
This condition, which acts like a filter, establishes *instance-based authorization*.

### Filter Conditions { #filter-consitions }
### Filter Conditions

For instance, a user is allowed to read or edit `Orders` (defined with the `managed` aspect) that they have created:

```cds
annotate Orders with @(restrict: [
{ grant: ['READ', 'UPDATE', 'DELETE'], where: (CreatedBy = $user) } ]);
```

Or a `Vendor` can only edit articles on stock (that means `Articles.stock` positive):

```cds
annotate Articles with @(restrict: [
{ grant: ['UPDATE'], to: 'Vendor', where: (stock > 0) } ]);
```

::: tip
Filter conditions declared as **compiler expressions** ensure validity at compile time and therefore strengthen security.
:::

The condition defined in the `where` clause typically associates domain data with static [user claims](cap-users#claims).
Basically, it *either filters the result set in queries or accepts only write operations on instances that meet the condition*.
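Review bot: Dropping the explicit id from the heading (`### Filter Conditions { #filter-consitions }` becomes `### Filter Conditions`) leaves the anchor to whatever the site derives from the heading text, so any link that still points at `#filter-consitions` will stop resolving; search the guides for that target before merging, or keep an explicit, correctly spelled id. Separately, the moved `Orders` example filters on `CreatedBy`, while the `managed` aspect it refers to names the element `createdBy`; since the tip in this hunk says compiler expressions are validated at compile time, it is worth confirming the snippet compiles as written.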
Expand Down Expand Up @@ -444,24 +462,6 @@ You can define filter conditions in the `where`-clause of restrictions based on
</div>


For instance, a user is allowed to read or edit `Orders` (defined with the `managed` aspect) that they have created:

```cds
annotate Orders with @(restrict: [
{ grant: ['READ', 'UPDATE', 'DELETE'], where: (CreatedBy = $user) } ]);
```

Or a `Vendor` can only edit articles on stock (that means `Articles.stock` positive):

```cds
annotate Articles with @(restrict: [
{ grant: ['UPDATE'], to: 'Vendor', where: (stock > 0) } ]);
```

::: tip
Filter conditions declared as **compiler expressions** ensure validity at compile time and therefore strengthen security.
:::

At runtime you'll find filter predicates attached to the appropriate CQN queries matching the instance-based condition.

:::warning Modification of Statements
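Review bot: With the examples removed from this position, the sentence `At runtime you'll find filter predicates attached to the appropriate CQN queries matching the instance-based condition.` now follows the closing `</div>` directly and no longer has a concrete condition in view to refer to; consider a short lead-in or a link back to the examples under Filter Conditions. The two blank lines left after `</div>` can also be collapsed to one.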