
SAP Cloud Foundry – Read user roles using NodeJS and XSJS (Part 1)

In this blog post, continuing from the previous one, we read the roles assigned to a user. It explains how to define custom roles, assign them to a user, and develop XSJS and NodeJS APIs that return the roles and scopes of the calling user.

In the case of XSJS, the $.session object exposes a lot of information about the caller, including the scopes granted to the token:

$.session.user – the user name of the caller of the API
$.session.securityContext.scopes – the list of scopes granted to the user

You can debug the call to find out more. The “openid” scope is present for every authenticated user by default, so it only proves that the caller is logged in, not that they hold any application role.

The XSJS output below shows the scopes read from $.session:

In the case of NodeJS, the request object carries the user details once the JWT has been validated (typically by the @sap/xssec passport strategy):
req.user.id – the user name of the caller of the API
req.authInfo.scopes – the list of scopes granted to the user
For the actual authorization decision, compare against the fully qualified scope name, "<xsappname>.<scope>" (req.authInfo.checkScope(...) does this for you). The xsappname inside the token is the deployed one from the bound service's credentials, not the bare value written in xs-security.json.
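The following is an added example, not code from the original post. It normalises the two runtimes described above (XSJS $.session and the NodeJS request object) into one identity and makes a role decision from the scopes, the way the user role API of Part 4 will have to. The deployed xsappname is assumed to be passed in by the caller (in a real app it is credentials.xsappname of the bound xsuaa service, which on Cloud Foundry carries a "!t<tenant id>" suffix), and the session and request objects at the bottom are constructed stand-ins.

```javascript
// Added example, not code from the original post: it normalises the two
// runtimes the post describes (XSJS $.session and the NodeJS request object)
// into one identity and makes a role decision from the scopes.
// Assumptions: the deployed xsappname is passed in by the caller (in a real
// app it is credentials.xsappname of the bound xsuaa service, which on Cloud
// Foundry carries a "!t<tenant id>" suffix); the session and request objects
// at the bottom are constructed stand-ins.

// Scopes every authenticated caller carries; never treat them as an app role.
const BASELINE_SCOPES = new Set(['openid', 'uaa.user']);

// Local scope names from xs-security.json ("$XSAPPNAME.USER", "$XSAPPNAME.ADMIN").
const SCOPE_USER = 'USER';
const SCOPE_ADMIN = 'ADMIN';

// Full scope name as it appears in the token: "<xsappname>.<local name>".
function qualify(xsappname, localScope) {
  return `${xsappname}.${localScope}`;
}

// XSJS: $.session.user and $.session.securityContext.scopes.
function identityFromXsjsSession(session) {
  const ctx = session.securityContext || {};
  return { user: session.user, scopes: Array.from(ctx.scopes || []) };
}

// NodeJS: req.user.id and req.authInfo.scopes (present after JWT validation).
function identityFromNodeRequest(req) {
  const scopes = (req.authInfo && req.authInfo.scopes) || [];
  return { user: req.user && req.user.id, scopes: Array.from(scopes) };
}

// Map granted scopes to the post's two roles. Scopes of other applications
// are ignored: only those carrying our own xsappname prefix count.
function userRoles(identity, xsappname) {
  const prefix = `${xsappname}.`;
  const appScopes = identity.scopes.filter((s) => s.startsWith(prefix));
  const granted = new Set(appScopes);
  return {
    user: identity.user,
    appScopes,
    // Authenticated, but holding nothing beyond the baseline scopes.
    baselineOnly: identity.scopes.every((s) => BASELINE_SCOPES.has(s)),
    isUser: granted.has(qualify(xsappname, SCOPE_USER)),
    isAdmin: granted.has(qualify(xsappname, SCOPE_ADMIN)),
  };
}

// Express-style guard: 401 without a user, 403 without the required scope.
// next() is only reached when the check passes.
function requireScope(xsappname, localScope) {
  const needed = qualify(xsappname, localScope);
  return function guard(req, res, next) {
    const identity = identityFromNodeRequest(req);
    if (!identity.user) {
      return res.status(401).json({ error: 'unauthenticated' });
    }
    if (!identity.scopes.includes(needed)) {
      return res.status(403).json({ error: 'forbidden', missing: needed });
    }
    return next();
  };
}

// Minimal response stand-in so the guard can be exercised without Express.
function runGuard(guard, req) {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  let passed = false;
  guard(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, body: res.body };
}

// Constructed sample input.
const XSAPPNAME = 'routingMTA!t1234'; // assumed value of credentials.xsappname
const sampleXsjsSession = {
  user: 'alice',
  securityContext: { scopes: ['openid', 'uaa.user', 'routingMTA!t1234.USER'] },
};
const sampleAdminReq = {
  user: { id: 'bob' },
  authInfo: { scopes: ['openid', 'uaa.user', 'routingMTA!t1234.USER', 'routingMTA!t1234.ADMIN'] },
};
const sampleAnonymousReq = { authInfo: { scopes: ['openid'] } };

console.log(userRoles(identityFromXsjsSession(sampleXsjsSession), XSAPPNAME));
console.log(runGuard(requireScope(XSAPPNAME, SCOPE_ADMIN), sampleAdminReq));
console.log(runGuard(requireScope(XSAPPNAME, SCOPE_USER), sampleAnonymousReq));
```

The guard deliberately compares the full "<xsappname>.<scope>" string rather than a suffix such as ".ADMIN", so a token issued for a different application (or a different tenant suffix) cannot satisfy it; in a real app you would wire requireScope(...) in front of the route and take XSAPPNAME from the bound service credentials.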

We have divided the series into 5 parts.
Part 1: Define the roles and scopes
Part 2: Assign roles to Role Collection
Part 3: Assign the Role Collection to user
Part 4: Implement NodeJS API for user roles
Part 5: Testing the User role API

Part 1: Define the roles and scopes

We first create an xsuaa service instance and specify the roles and scopes. We create a user role and an admin role, and then bind the service to our NodeJS app if it is not bound already. I found two ways to define the roles. One is to add an xs-security.json file to the project in the WebIDE and reference it from the xsuaa resource in mta.yaml; on successful deployment the roles are created for the bound application. The other way, described below, is for the case where the roles are not visible for your application because it is still in the build stage and not yet deployed.

  1. In the SCP Cockpit select your application in the space, navigate to “Service Bindings”, select “Bind Service” and choose the xsuaa service.
  2. Choose the plan “application”.
  3. Paste the contents of your xs-security.json / specify your scope details.
    Copy the contents below:

    {
      "xsappname": "routingMTA",
      "tenant-mode": "dedicated",
      "description": "Security profile of called application",
      "scopes": [
        {
          "name": "uaa.user",
          "description": "UAA"
        },
        {
          "name": "$XSAPPNAME.USER",
          "description": "User role"
        },
        {
          "name": "$XSAPPNAME.ADMIN",
          "description": "Admin role"
        }
      ],
      "role-templates": [
        {
          "name": "Token_Exchange",
          "description": "UAA",
          "scope-references": [
            "uaa.user",
            "xs_authorization.read"
          ]
        },
        {
          "name": "READ_USER",
          "description": "Read user Role",
          "scope-references": [
            "uaa.user",
            "$XSAPPNAME.USER"
          ]
        },
        {
          "name": "ADMINISTRATOR",
          "description": "Admin Role",
          "scope-references": [
            "uaa.user",
            "$XSAPPNAME.ADMIN"
          ]
        }
      ]
    }
  4. Once the xsuaa service is configured successfully, the role templates are visible in the Security tab:
  5. Click the “Show sensitive data” button.

    This reveals the client ID and client secret that we use later to authenticate our API calls. Treat the client secret as a credential: read it from the bound service's VCAP_SERVICES at runtime, and never paste it into source code or share it in screenshots:
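To check what the descriptor above actually produces once deployed, here is an added example (not part of the original post) that takes the xs-security.json shown in step 3, copied here as sample input, and expands it the way XSUAA does at deployment: every "$XSAPPNAME" becomes the deployed xsappname, which yields the exact scope strings that later show up in $.session.securityContext.scopes and req.authInfo.scopes. The deployed name 'routingMTA!t1234' is an assumption; on Cloud Foundry it is credentials.xsappname of the bound service and carries a "!t<tenant id>" suffix.

```javascript
// Added example, not part of the original post. It expands the xs-security.json
// from the post (copied below as sample input) the way XSUAA does at
// deployment, so you can see the fully qualified scope names a token will
// carry and which role template grants which scope.
// Assumption: the deployed xsappname is 'routingMTA!t1234'; in a real app it
// is credentials.xsappname of the bound xsuaa service.

const descriptor = {
  xsappname: 'routingMTA',
  'tenant-mode': 'dedicated',
  description: 'Security profile of called application',
  scopes: [
    { name: 'uaa.user', description: 'UAA' },
    { name: '$XSAPPNAME.USER', description: 'User role' },
    { name: '$XSAPPNAME.ADMIN', description: 'Admin role' },
  ],
  'role-templates': [
    { name: 'Token_Exchange', description: 'UAA', 'scope-references': ['uaa.user', 'xs_authorization.read'] },
    { name: 'READ_USER', description: 'Read user Role', 'scope-references': ['uaa.user', '$XSAPPNAME.USER'] },
    { name: 'ADMINISTRATOR', description: 'Admin Role', 'scope-references': ['uaa.user', '$XSAPPNAME.ADMIN'] },
  ],
};

// Replace the $XSAPPNAME placeholder with the deployed application name.
function expandXsappname(name, xsappname) {
  return name.replace(/\$XSAPPNAME/g, xsappname);
}

// Per role template, the fully qualified scopes it grants, plus every
// scope-reference this descriptor does not declare itself. Those have to come
// from another application or from the platform, so the app owner should know
// they are there.
function resolveRoleTemplates(desc, xsappname) {
  const declared = new Set((desc.scopes || []).map((s) => expandXsappname(s.name, xsappname)));
  const templates = {};
  const undeclared = [];
  for (const rt of desc['role-templates'] || []) {
    const scopes = (rt['scope-references'] || []).map((ref) => expandXsappname(ref, xsappname));
    templates[rt.name] = scopes;
    for (const s of scopes) {
      if (!declared.has(s) && !undeclared.includes(s)) undeclared.push(s);
    }
  }
  return { declared: [...declared], templates, undeclared };
}

// Which role templates grant a given fully qualified scope? Handy when a 403
// surfaces and you need to know which role the user is missing.
function templatesGranting(resolved, scope) {
  return Object.entries(resolved.templates)
    .filter(([, scopes]) => scopes.includes(scope))
    .map(([name]) => name);
}

const DEPLOYED_XSAPPNAME = 'routingMTA!t1234'; // assumed deployed name
const resolved = resolveRoleTemplates(descriptor, DEPLOYED_XSAPPNAME);
console.log(JSON.stringify(resolved, null, 2));
console.log(templatesGranting(resolved, 'routingMTA!t1234.ADMIN'));
```

Running it shows that the ADMINISTRATOR template grants 'routingMTA!t1234.ADMIN' and that 'xs_authorization.read' is referenced by Token_Exchange without being declared in this descriptor, which is worth knowing before Part 3 assigns the role collections.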

We have successfully configured the roles and bound the UAA service to our application. In the next part we will look at how to assign these roles to a specific user.


Thanks,
Mayur
