Technical Articles
SAP CPI – Access Policy to Protect Business Data
SAP Cloud Platform Integration(Neo) release 3.23.x adds a new feature called Access Policy to apply more granular access control in addition to the existing role-based access control (RBAC).
The current scope of Access Policy is limited to the protection of Business data (i.e. Message Content and attachments) collected during the execution of integration flows. Such business data are normally accessed by users as Message Processing Log Attachments and/or Trace Data.
In a future release, we can anticipate Access Policy to be extended for securing design artifacts and control access to Package / IFlow (!).
Why Access Policy? Is RBAC not Sufficient?
As you already know RBAC helps to manage who can access Cloud Application, what part of Application they can access (like Design, Monitor) and what task can they perform (like view, deploy, etc).
For Instance a user with role AuthGroup.IntegrationDeveloper can access web tooling of Cloud Integration and can Deploy and Monitor Integration Artifacts. Similarly a user with role AuthGroup.BusinessExpert can Monitor integration flows and Read message payload and attachments.
So the Application Role control what task a user can perform on all artifacts and data. Access Policy will enable us to additionally protect a subset of artifacts and data.
Use of Access Policy for Business Data
With role AuthGroup.BusinessExpert or esbmessagestorage.read assigned a user can read message payload(in trace mode) and attachments of any Integration Flow. However, when an Access Policy is defined to protect a specific Integration Flow or group of Integration flow, only the user with Access Policy associated Role assigned will have access to the Message Data. This will help protect sensitive or confidential data being read by anyone with just a monitoring role.
Let’s see in this blog on how to implement Access Policy to protect business data.
How to Implement Access Policy
Step – 2 : Assign User to Role
Assign the newly created Role to the intended user(s).
These are the user who will have access to view message data of interface protected by Access Policy defined in the next Step 4.
Step – 3 : Create Access Policy
Now open TMN Application and Navigate to Monitor –> Manage Security –> Access Policies
Click on + (Create New Access Policy) and Enter the Role Name created in Step – 1.
(Important: Role Name in Access Policy and TMN Application should match, this is how the Integration Artifacts attached to the Access Policy are controlled with the Custom Role)
Step – 4 : Add Artifacts to Access Policy
From Access Policy click on + (Add Artifact Reference)
And Add Integration Flow with ID or Name Value.
Testing
| User with Role | Access MPL Trace / Attachment – Result |
Case 1
|
IFlow Not in Access Policy IFlow in Access Policy |
Case 2
|
IFlow Not in Access Policy IFlow in Access Policy |
Case 3
|
IFlow Not in Access Policy Payload Trace Accessible  IFlow in Access Policy Payload Trace still not Accessible Attachment access Not Authorized  |
Case 4
|
IFlow Not in Access Policy Payload Trace Accessible IFlow in Access Policy Payload Trace Access authorized  Attachment Access authorized  |
Conclusion
Access Policy for Business Data protection help to implement a solution for securing payload from unauthorized access.
Hello Santhosh,
Thanks for sharing this!
Regards,
Fatih
Hi Santosh,
Is this available in cloud foundry as well?
thanks
Sakthi
Hello Santhosh ,
thanks for sharing!
You mentioned that these Access Policy functionality might be available in the future also for design artifacts e.g. packages.
Do you have any news if that has already been implemented , or is still in the roadmap?
Regards
Simon