SAP HANA Cloud and Role Attributes

With this blog series we provide an update with the latest information on getting started with SAP HANA Cloud on the SAP Cloud Platform.

  1. About SAP HANA Cloud
  2. SAP HANA Cloud Getting Started
  3. SAP HANA Cloud and SAP Business Application Studio
  4. HDI with SAP HANA Cloud
  5. Cloud Foundry Advanced (space travel, multiple instances, defining schema names)
  6. SAP HANA Cloud, JWT Provider, and Certificate Collection with Purpose JWT
  7. Data masking and data anonymization
  8. Predictive Analysis Library (PAL) and Automated Predictive Library (APL)
  9. Remote data sources and virtual tables
  10. OData with SAP HANA Cloud
  11. SAP HANA Cloud Graph
  12. Role Attributes
  13. SAP HANA Cloud and Smart Data Integration

For more information about the free trial, see

For the new features overview posts, see

Questions? Post as comment.

Useful? Give us a like and share on social media.

Thanks!

Role Collections with Attributes

In this blog post, you will find three video tutorials about how to configure personalised access to SAP HANA Cloud using role attributes with additional information and resources.

What You Learn

You can watch the video tutorials in a little under 30 minutes. You will learn:

  • How to configure trust between the SAP Cloud Platform tenant and SAP HANA Cloud (also covered in JWT Trust)
  • How to configure a multi-target application to implement role collections with fixed attributes
  • How to configure an MTA to implement role collections dynamically using role collection mapping and a custom identity provider
  • How to configure trust between the SAP Cloud Platform tenant and a custom IdP
  • How to debug using the cf CLI and an online JWT decode service

Documentation

Role collections and attributes are documented in the SAP Cloud Platform guide.

In part III, we use a custom identity provider (IdP) instead of the default SAP ID service.

For more information about SAP Cloud Identity Service, see

Code Samples on GitHub

As we know your time is precious, you can find the code snippets in our GitHub repository

Video Tutorials

Role Attributes I

In this video tutorial series, we learn how to configure personalised access to SAP HANA Cloud from a full-stack application via role attributes.

The first video provides an introduction to key concepts and documentation before covering pre-requisite configuration including setting up the trust between the SAP Cloud Platform subaccount and the SAP HANA Cloud instance, a topic also covered in

0:00 – Introduction and use case

0:50 – Role collections with attributes (documentation)

2:00 – Prerequisite: SAP HANA Cloud 

2:30 – XSUAA service

2:45 – Prerequisite: Configure JWT Trust 

4:25 – Import certificate

4:35 – Create JWT Identity Provider

5:10 – Create certificate collection (PSE)

5:45 – Configure SAP Business Application Studio

6:20 – Git clone sample code from github.com/saphanaacademy/scpapps

6:40 – Showcase myapphana MTA (multi-target application)

7:10 – Recap

Role Attributes II

In the second video we learn how to customise a standard full-stack multi-target application to take advantage of role attributes with a focus on static definitions.

0:00 – Introduction

0:30 – Configure security descriptor (xs-security.json)

1:50 – Configure business logic of the server app (server.js) 

4:50 – Configure approuter (xs-app.json)

5:10 – Build and deploy MTA

5:50 – Create role collection with static configuration

7:00 – Assign role collection to user 

8:00 – Demo

9:00 – Limitations

Code samples from github.com/saphanaacademy/scpapps/blob/master/roleattributes.txt.

Role Attributes III – Using Custom Identity Providers

In the third video, we extend the use of role attributes to a custom Identity Provider so that, rather than using static role-based definitions, access can be configured for each user in the identity provider. The tutorial also covers how to debug the authentication and authorization process.

0:00 – Introduction

1:00 – Using SAP Identity Authentication Service as custom Identity Provider (IdP)

1:30 – Export SAML metadata from Identity Provider and import to SAP Cloud Platform

2:10 – Disable SAP ID service (default Identity Provider)

2:30 – Export SAML metadata from SAP Cloud Platform and import to Identity Provider

3:00 – Configure default name ID format: e-mail

3:10 – Configure assertion attributes and add ‘division’ (region) and ‘Groups’

3:50 – Add user group

4:10 – Assign user group and division to user account

5:00 – Configure role collection mapping for the Identity Provider in SAP Cloud Platform

5:30 – Configure role to use Identity Provider as source with value ‘division’

6:20 – Connect to sample application

7:00 – How to debug using the cf CLI set-env command

10:10 – How to decode the JWT using jwt.io

10:50 – Recap

Code samples from github.com/saphanaacademy/scpapps/blob/master/roleattributes.txt

cf set-env myapphana-srv DEBUG 'xssec*'
cf set-env myapphana-srv SAP_EXT_TRC stdout
cf set-env myapphana-srv SAP_EXT_TRL 3
cf restage myapphana-srv
cf logs myapphana-srv --recent
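
The video decodes the token on jwt.io; the same inspection can be done locally in Node.js so the bearer token stays on the workstation. This is an added example, not code from the blog or the scpapps repository: it decodes without verifying the signature, and the `xs.user.attributes` claim layout, the `Region` attribute, the scope name and the sample token are assumptions constructed for illustration.

```javascript
// Added example: inspect a JWT locally while debugging role attributes.
// Decoding only; the signature is NOT verified, so never use this for authorization.

// Decode one base64url segment of a compact JWT into a JSON object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Split the token and return header and payload; reject malformed input.
function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected 3 dot-separated segments, got ' + parts.length);
  }
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
}

// Summarise the fields that matter when a role attribute does not arrive as expected.
// 'xs.user.attributes' is assumed to be the claim that carries role attributes.
function summarize(token, nowSeconds) {
  const { header, payload } = decodeJwt(token);
  return {
    alg: header.alg,
    user: payload.user_name || payload.email || null,
    scopes: payload.scope || [],
    attributes: payload['xs.user.attributes'] || {},
    expired: typeof payload.exp === 'number' ? payload.exp <= nowSeconds : null,
  };
}

// Constructed sample token (hypothetical values, invalid signature).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({
    user_name: 'user@example.com',
    scope: ['myapphana.USER'],
    'xs.user.attributes': { Region: ['EMEA'] },
    exp: 1700000000,
  }),
  'constructed-signature-not-valid',
].join('.');

console.log(summarize(SAMPLE_TOKEN, Math.floor(Date.now() / 1000)));
```
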

Bonus Track: JWT Trust

The first video showed how to configure the JWT trust using SAP HANA cockpit. Alternatively, we can also use SQL statements and SAP HANA database explorer as illustrated in the next video.

For the details, see blog post

Share and Connect 

If you would like to receive updates, connect with me on

For the author page of SAP Press, visit

For the SAP HANA Cloud e-bite, see
