
SAP CPI – Access Policy to Protect Business Data

SAP Cloud Platform Integration (Neo) release 3.23.x adds a new feature called Access Policy, which applies more granular access control on top of the existing role-based access control (RBAC).

The current scope of Access Policy is limited to protecting business data (message content and attachments) collected during the execution of integration flows. Users normally access such business data as Message Processing Log (MPL) attachments and/or trace data.

In a future release we can anticipate Access Policy being extended to secure design artifacts as well, controlling access to packages and integration flows.

Why Access Policy? Is RBAC not Sufficient?

As you already know, RBAC manages who can access the cloud application, which parts of the application they can access (such as Design and Monitor) and which tasks they can perform (such as view and deploy).

For instance, a user with the role AuthGroup.IntegrationDeveloper can access the web tooling of Cloud Integration and can deploy and monitor integration artifacts. Similarly, a user with the role AuthGroup.BusinessExpert can monitor integration flows and read message payloads and attachments.

So an application role controls which tasks a user can perform on all artifacts and data. Access Policy lets us additionally protect a subset of those artifacts and data.

Use of Access Policy for Business Data

With the role AuthGroup.BusinessExpert or esbmessagestorage.read assigned, a user can read the message payload (in trace mode) and the attachments of any integration flow. When an Access Policy is defined to protect a specific integration flow or a group of integration flows, only users who are also assigned the role associated with that Access Policy can access its message data. This prevents sensitive or confidential data from being read by anyone who merely holds a monitoring role.

This blog shows how to implement Access Policy to protect business data.

How to Implement Access Policy


Step – 1 : Create a Role in the TMN Application

In the SAP Cloud Platform Cockpit navigate to Applications –> Subscriptions –> TMN Application –> Roles and create a new role.

Step – 2 : Assign Users to the Role
Assign the newly created role to the intended user(s).
These are the users who will be able to view the message data of the interfaces protected by the Access Policy defined in Steps 3 and 4.

Step – 3 : Create the Access Policy
Now open the TMN application and navigate to Monitor –> Manage Security –> Access Policies.
Click + (Create New Access Policy) and enter the role name created in Step – 1.
(Important: the role name in the Access Policy and in the TMN application must match exactly. The name is the only link between the custom role and the integration artifacts attached to the Access Policy; with a mismatched name no user holds the role the policy expects, so nobody can read the protected message data.)

Step – 4 : Add Artifacts to the Access Policy
In the Access Policy click + (Add Artifact Reference)

and add the integration flow by its ID or Name value.

Testing

Each case assigns a user the listed roles and then tries to open the payload trace and the MPL attachment of an integration flow that is not referenced by the Access Policy and of one that is. Z_GDPR_Interfaces is the custom role created in Step – 1 and entered in the Access Policy in Step – 3.

Case 1
  • AuthGroup.IntegrationDeveloper
  IFlow not in Access Policy: (result not given in text)
  IFlow in Access Policy:     (result not given in text)

Case 2
  • AuthGroup.IntegrationDeveloper
  • AuthGroup.Administrator
  IFlow not in Access Policy: (result not given in text)
  IFlow in Access Policy:     (result not given in text)

Case 3
  • AuthGroup.IntegrationDeveloper
  • AuthGroup.Administrator
  • AuthGroup.BusinessExpert
  IFlow not in Access Policy: payload trace accessible
  IFlow in Access Policy:     payload trace still not accessible; attachment access not authorized

Case 4
  • AuthGroup.IntegrationDeveloper
  • AuthGroup.Administrator
  • AuthGroup.BusinessExpert
  • Z_GDPR_Interfaces
  IFlow not in Access Policy: payload trace accessible
  IFlow in Access Policy:     payload trace access authorized; attachment access authorized

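To make the decision rule behind the steps and the test cases explicit, here is an added model of it in Python. This is illustration code written for this article, not SAP's implementation: it encodes that a message-read role (AuthGroup.BusinessExpert or esbmessagestorage.read) is required to read payload and attachments, and that an integration flow referenced by an Access Policy additionally requires the role named in that policy, matched by exact name. Artifact matching by exact ID or name, the requirement of all policy roles when several policies reference the same artifact, the integration flow IDs, and the role typo scenario are assumptions chosen for the example.

```python
# Added illustration of the Access Policy decision rule described in this article.
# Not SAP code; role semantics beyond what the article states are assumptions.
from dataclasses import dataclass

# Roles that grant message payload / attachment read, as named in the article.
MESSAGE_READ_ROLES = frozenset({"AuthGroup.BusinessExpert", "esbmessagestorage.read"})


@dataclass(frozen=True)
class AccessPolicy:
    role_name: str                            # custom role created in the TMN application
    artifact_ids: frozenset = frozenset()     # iflow IDs referenced (assumption: exact match)
    artifact_names: frozenset = frozenset()   # iflow names referenced (assumption: exact match)

    def covers(self, iflow_id: str, iflow_name: str) -> bool:
        return iflow_id in self.artifact_ids or iflow_name in self.artifact_names


def can_read_message_data(user_roles, iflow_id, iflow_name, policies):
    """Return (allowed, reason) for reading trace payload / attachments of one iflow."""
    roles = frozenset(user_roles)
    if not roles & MESSAGE_READ_ROLES:
        return False, "no message read role (AuthGroup.BusinessExpert or esbmessagestorage.read)"
    applicable = [p for p in policies if p.covers(iflow_id, iflow_name)]
    if not applicable:
        return True, "integration flow is not referenced by any access policy"
    # Assumption: when several policies reference the same artifact, all their roles are required.
    missing = sorted(p.role_name for p in applicable if p.role_name not in roles)
    if missing:
        return False, "protected by access policy; missing role(s): " + ", ".join(missing)
    return True, "protected by access policy; user holds the policy role(s)"


# Constructed sample data: one policy protecting one iflow, one unprotected iflow.
POLICIES = (AccessPolicy("Z_GDPR_Interfaces", artifact_ids=frozenset({"Employee_Data_Sync"})),)
PROTECTED = ("Employee_Data_Sync", "Employee Data Sync")      # (ID, name), hypothetical
UNPROTECTED = ("Order_Replication", "Order Replication")      # (ID, name), hypothetical

MONITORING_ROLES = (
    "AuthGroup.IntegrationDeveloper",
    "AuthGroup.Administrator",
    "AuthGroup.BusinessExpert",
)


def run_cases():
    """Replay cases 3 and 4 of the test table plus a role-name typo; returns allowed flags."""
    case3 = MONITORING_ROLES
    case4 = MONITORING_ROLES + ("Z_GDPR_Interfaces",)
    typo = MONITORING_ROLES + ("Z_GDPR_Interface",)   # policy expects Z_GDPR_Interfaces
    return {
        "case3_unprotected": can_read_message_data(case3, *UNPROTECTED, POLICIES)[0],
        "case3_protected": can_read_message_data(case3, *PROTECTED, POLICIES)[0],
        "case4_unprotected": can_read_message_data(case4, *UNPROTECTED, POLICIES)[0],
        "case4_protected": can_read_message_data(case4, *PROTECTED, POLICIES)[0],
        "typo_protected": can_read_message_data(typo, *PROTECTED, POLICIES)[0],
    }


if __name__ == "__main__":
    for name, allowed in run_cases().items():
        print(f"{name}: {'authorized' if allowed else 'not authorized'}")
```

The typo case is the practical check worth keeping: a role assigned as Z_GDPR_Interface while the policy says Z_GDPR_Interfaces is denied exactly like Case 3, so when a user who should see protected data gets "not authorized", compare the role name in the Access Policy with the role name in the TMN application character by character before looking anywhere else.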

Conclusion

Access Policy for business data protection helps secure message payloads and attachments from unauthorized access: a monitoring role alone is no longer enough to read the data of a protected integration flow; the role named in the Access Policy is required as well.
