From 8bacb20c64ca082eca5fe0015966b459728b1fdd Mon Sep 17 00:00:00 2001 From: DJ Adams Date: Mon, 11 May 2026 14:59:37 +0100 Subject: [PATCH 1/3] Minor tweak to wording for auth "for some reason" is often interpreted negatively, and has the connotation of "randomly", "unexpectedly", "unwanted". So I changed the phrase to something that conveys something that is more deliberate and controlled. --- guides/security/authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 8fd1fc9f88..434c7b1c4d 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md @@ -96,7 +96,7 @@ service SomeService { #### Events to Auto-Exposed Entities { #events-and-auto-expose} -In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be [**auto-exposed**](../../cds/cdl#auto-exposed-entities) by the CDS compiler for some reason. +In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be [**auto-exposed**](../../cds/cdl#auto-exposed-entities) by the CDS compiler in certain circumstances. Access to auto-exposed entities needs to be controlled in a specific way. Consider the following example: ```cds From 8b4fead6349749a1818bf05e9aa2af58b612b2cc Mon Sep 17 00:00:00 2001 From: DJ Adams Date: Mon, 11 May 2026 15:55:56 +0100 Subject: [PATCH 2/3] fix hyperlink title ref Looks like the heading title changed, but this instance of a reference to it (Instance-based Access Control) wasn't updated. --- guides/security/authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 434c7b1c4d..e5529a57af 100644 --- a/guides/security/authorization.md 
+++ b/guides/security/authorization.md @@ -205,7 +205,7 @@ The following values are supported: - The `to` property lists all [user roles](cap-users#roles) or [pseudo roles](cap-users#pseudo-roles) that the privilege applies to. Note that the `any` pseudo-role applies for all users and is the default if no value is provided. -- The `where`-clause can contain a Boolean expression in [CQL](../../cds/cql)-syntax that filters the instances that the event applies to. As it allows user values (name, attributes, etc.) and entity data as input, it's suitable for *dynamic authorizations based on the business domain*. Supported expressions and typical use cases are presented in [instance-based authorization](#instance-based-auth). +- The `where`-clause can contain a Boolean expression in [CQL](../../cds/cql)-syntax that filters the instances that the event applies to. As it allows user values (name, attributes, etc.) and entity data as input, it's suitable for *dynamic authorizations based on the business domain*. Supported expressions and typical use cases are presented in [instance-based access control](#instance-based-auth). A privilege is met, if and only if **all properties are fulfilled** for the current request. In the following example, orders can only be read by an `Auditor` who meets `AuditBy` element of the instance: From e53c5ec9f8ed29b0ff339473783f01c2046fe9a1 Mon Sep 17 00:00:00 2001 From: DJ Adams Date: Mon, 11 May 2026 16:59:01 +0100 Subject: [PATCH 3/3] more accurate assessment of multi privilege example --- guides/security/authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authorization.md b/guides/security/authorization.md index e5529a57af..6b6d468cd4 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md 
@@ -245,7 +245,7 @@ entity Orders @(restrict: [ ]) {/*...*/} ``` -Here an `Auditor` user can read all orders with matching `country` or that they have created. +Here, users can read and write orders they've created, and `Auditor` users can read all orders with matching `country`. > Annotations such as @requires or @readonly are just convenience shortcuts for @restrict, for example: - `@requires: 'Viewer'` is equivalent to `@restrict: [{grant:'*', to: 'Viewer'}]`
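Review bot: In PATCH 1/3, the replacement phrase "in certain circumstances" on the changed line of the `@@ -96,7 +96,7 @@` hunk removes the negative connotation but still does not tell the reader when the compiler auto-exposes an entity. The context line that follows says access to these entities "needs to be controlled in a specific way", so a reader deciding whether an entity is reachable needs the condition, not only the fact. Suggest either naming the conditions in a short clause or wording it as "by the CDS compiler under the conditions described in the linked section", since the sentence already links to `../../cds/cdl#auto-exposed-entities`.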
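Review bot: In PATCH 2/3, the changed bullet in the `@@ -205,7 +205,7 @@` hunk updates only the link text; the target is still `#instance-based-auth`. The commit message says the heading title changed, so please confirm that the renamed heading carries an explicit id of that name (the way `{ #events-and-auto-expose}` is set on the heading visible in the first patch), otherwise the text is corrected but the link no longer resolves. The commit message also cites the title as "Instance-based Access Control" while the new link text is all lowercase; match whichever casing the other in-page references to that section use.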
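Review bot: In PATCH 3/3, the new sentence in the `@@ -245,7 +245,7 @@` hunk states the two grants side by side and drops the explicit "or" that the removed sentence had, which leaves it implicit that an `Auditor` can still read orders they created outside their `country`. In an authorization guide the way privileges combine is the part readers most often get wrong, so suggest closing the sentence with something like "an `Auditor` can therefore read orders that match either condition". The `@restrict` entries themselves are outside the hunk context (only `]) {/*...*/}` is visible), so "read and write" should be checked against the actual `grant` values, and the commit message would be easier to audit if it said what the old sentence got wrong.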