
Securing your APIs using user roles driven by SAP Cloud Business Rules

Hi experts,

I have started on my path with APIs, and I want to share my experience securing them using RBAC.

Before anything a few clarifications:

  • APIM -> API Management
  • ROPG -> Resource Owner Password Grant
  • OIDC -> OpenID Connect
  • RBAC -> Role Based Access Control
  • SCBR -> SAP Cloud Business Rules

As you may know, users are assigned to roles in the IdP to restrict access, and API resources are assigned to scopes to restrict consumption, but these two concepts are not connected at all.

In complex scenarios you may need to secure API resources based on user roles, and the main question is “how to do it?” My personal answer is to use SCBR to translate user roles into allowed scopes.

DEMO:

  1. IdP: Okta to handle user authentication (OIDC APIs).
  2. APIM:
    1. OAuth API: authenticate the user, translate user roles to scopes & generate access tokens
    2. Secured API: verify the token and the custom scopes
  3. SCBR: handle the translation between user roles & custom scopes

-Okta user & roles:


-SAP Cloud Business Rules:

-OAuth API Policies:

  1. Authenticate user in IdP using OIDC via ROPG
  2. Get Groups from JWT
  3. Generate request payload for SCBR
  4. Get X-CSRF-Token for SCBR
  5. Call to SCBR API to get the scopes
  6. Parse the scopes
  7. Generate token including allowed scopes

-Secured API resources:

BusinessPartnerSet resource:

ProductSet resource:

Policies in PreFlow:

  1. Verify OAuth token & get custom scopes attached to it
  2. Generate dynamic scope and validate it
  3. Raise exception if the scope is not allowed
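The two procedures above, the role-to-scope translation done by the OAuth API and the dynamic scope check done in the secured API PreFlow, written out as plain JavaScript. This is an added example, not the author's APIM policy code: the rule table stands in for the SCBR call, and the `resource.action` scope naming and the `groups` claim name are assumptions.

```javascript
// Constructed rule table standing in for the SCBR decision service:
// user group -> scopes it grants. The "resource.action" scope naming
// scheme is an assumption, not taken from the original post.
const ROLE_TO_SCOPES = {
  SalesRep: ["BusinessPartnerSet.read", "ProductSet.read"],
  ProductManager: ["ProductSet.read", "ProductSet.write"],
};

// OAuth API step 2: read the groups claim from the IdP JWT. No signature
// check here; in the flow that is the Verify Token policy's job.
function groupsFromJwt(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  return Array.isArray(payload.groups) ? payload.groups : [];
}

// OAuth API steps 3-6: resolve the union of scopes the user's groups grant
// (the value the SCBR call would return), ready to embed in the access token.
function groupsToScopes(groups) {
  const scopes = new Set();
  for (const g of groups) {
    for (const s of ROLE_TO_SCOPES[g] || []) scopes.add(s);
  }
  return [...scopes].sort();
}

// PreFlow step 2: derive the scope a request needs from its verb and the
// first path segment, e.g. GET /ProductSet('1') -> ProductSet.read.
// Unknown verbs or an empty resource yield null so they are denied.
function requiredScope(verb, path) {
  const resource = path.replace(/^\/+/, "").split(/[\/(?]/)[0];
  const action = { GET: "read", HEAD: "read", POST: "write", PUT: "write",
                   PATCH: "write", DELETE: "write" }[verb.toUpperCase()];
  if (!resource || !action) return null;
  return `${resource}.${action}`;
}

// PreFlow step 3: allow only when the token carries the derived scope;
// anything unresolved is a deny, never a fall-through.
function authorize(tokenScopes, verb, path) {
  const needed = requiredScope(verb, path);
  const allowed = needed !== null && tokenScopes.includes(needed);
  return { needed, allowed, status: allowed ? 200 : 403 };
}
```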

Testing

Let’s see it in action when the requested scope is not allowed to consume a resource.

Debugging OAuth API:

SCBR request:

SCBR response:

Debugging secured API:

Verify Token Policy:

JS Policy:

Raise Exception Policy:

As you can see it is possible to handle scopes dynamically in your APIs using user roles.

Don't forget to be curious 😉

Kind Regards.

Max.


2 Comments
  • Thanks Max,

    Very cool walk-through, thank you for showcasing the art of the possible for role based access control!

    Any thoughts about writing out some more details for users who want to replicate such a scenario themselves? 🙂

    Regards,
    Elijah

    • Hi Elijah,

      Not really, I need free time to do it, and I have in mind to write another blog related to this topic & two-way SSL, but again I do not have much free time these days. If you or someone else have any specific question, let me know 🙂


      Kind Regards.

      Max.