Securing your APIs using user roles driven by SAP Cloud Business Rules

Hi experts,

I started with my path with APIs, and I want to share my experience securing APIs using RBAC.

Before anything a few clarifications:

• APIM–>API Management
• ROPG–>Resource Owner Password Grant
• OIDC–>OpenID Connect
• RBAC–>Role Based Access Control
• SCBR–>SAP Cloud Business Rules

As you may know the users are assigned to roles in the Idp to restrict access , and APIs resources are assigned to scopes to restrict consumption, but these two concepts are not connected at all.

In complex scenarios you could need to secure APIs resources using user roles, and the main question here is “how to do it?”, my personal answer is using SCBR to translate User Roles to Allowed Scopes.

DEMO:

1. Idp: Okta to handle user authentication ( OIDC APIs ).
2. APIM:
   1. OAuth API:authenticate user, translate user roles to scopes & generate access tokens
   2. Secured API:verify token, and custom scopes
3. SCBP: handle the translation between user roles & custom scopes

-Okta user & roles:

-SAP Cloud Business Rules:

-OAuth API Policies:

1. Authenticate user in Idp using OIDC via ROPG
2. Get Groups from JWT
3. Generate request payload for SCBR
4. Get X-CSRF-Token for SCBR
5. Call to SCBR API to get the scopes
6. Parse the scopes
7. Generate token including allowed scopes

-Secured API resources:

BusinessPartnerSet resource:

ProductSet resource:

Policies in PreFlow:

1. Verify OAuth token & get custom scopes attached to it
2. Generate dynamic scope and validate it
3. Raise exception if the scope is not allowed

Testing

Let’s see it in action when the requested scope is not allowed to consume a resource

Debugging OAuth API:

SCBR request:

SCBR response:

Debuging secured API:

Verify Token Policy:

JS Policy:

Raise Exception Policy:

As you can see it is possible to handle scopes dynamically in your APIs using user roles.

Not forget be curious 😉

Kind Regards.

Max.