Role Collections with Attributes
In this blog post, you will find three video tutorials about how to configure personalised access to SAP HANA Cloud using role attributes with additional information and resources.
What You Learn
You can watch the video tutorials in a little under 30 minutes. You will learn:
- How to configure trust between the SAP Cloud Platform tenant and SAP HANA Cloud (also covered in JWT Trust)
- How to configure a multi-target application to implement role collections with fixed attributes
- How to configure an MTA to implement role collections dynamically using role collection mapping and a custom identity provider
- How to configure trust between the SAP Cloud Platform tenant and a custom IdP
- How to debug using the cf CLI and an online JWT decode service
Role collections and attributes are documented in the SAP Cloud Platform guide.
In part III, we use a custom identity provider (IdP) instead of the default SAP ID service.
For more information about SAP Cloud Identity Service, see
- SAP Cloud Identity Services | SAP Community
- What Is Identity Authentication? | SAP Help Portal
- SAP Cloud Identity Services | SAP Discovery Center
Code Samples on GitHub
As we know your time is precious, you can find the code snippets in our GitHub repository
Role Attributes I
In this video tutorial series, we learn how to configure personalised access to SAP HANA Cloud from a full-stack application via role attributes.
The first video provides an introduction to key concepts and documentation before covering pre-requisite configuration including setting up the trust between the SAP Cloud Platform subaccount and the SAP HANA Cloud instance, a topic also covered in
0:00 – Introduction and use case
0:50 – Role collections with attributes (documentation)
2:00 – Prerequisite: SAP HANA Cloud
2:30 – XSUAA service
2:45 – Prerequisite: Configure JWT Trust
4:25 – Import certificate
4:35 – Create JWT Identity Provider
5:10 – Create certificate collection (PSE)
5:45 – Configure SAP Business Application Studio
6:40 – Showcase myapphana MTA (multi-target application)
7:10 – Recap
Role Attributes II
In the second video we learn how to customise a standard full-stack multi-target application to take advantage of role attributes with a focus on static definitions.
0:00 – Introduction
0:30 – Configure security descriptor (xs-security.json)
1:50 – Configure business logic of the server app (server.js)
4:50 – Configure approuter (xs-app.json)
5:10 – Build and deploy MTA
5:50 – Create role collection with static configuration
7:00 – Assign role collection to user
8:00 – Demo
9:00 – Limitations
Code samples from github.com/saphanaacademy/scpapps/blob/master/roleattributes.txt.
Role Attributes III – Using Custom Identity Providers
In the third video, we extend the use of role attributes to a custom Identity Provider so that rather than using static role-based definitions, access can be configured for each user in the identity provider. The tutorial also covers how to debug the authentication and authorization process.
0:00 – Introduction
1:00 – Using SAP Identity Authentication Service as custom Identity Provider (IdP)
1:30 – Export SAML metadata from Identity Provider and import to SAP Cloud Platform
2:10 – Disable SAP ID service (default Identity Provider)
2:30 – Export SAML metadata from SAP Cloud Platform and import to Identity Provider
3:00 – Configure default name ID format: e-mail
3:10 – Configure assertion attributes and add ‘division’ (region) and ‘Groups’
3:50 – Add user group
4:10 – Assign user group and division to user account
5:00 – Configure role collection mapping for the Identity Provider in SAP Cloud Platform
5:30 – Configure role to use Identity Provider as source with value ‘division’
6:20 – Connect to sample application
7:00 – How to debug using the cf CLI set-env command
10:50 – Recap
Code samples from github.com/saphanaacademy/scpapps/blob/master/roleattributes.txt
cf set-env myapphana-srv DEBUG xssec*
cf set-env myapphana-srv SAP_EXT_TRC stdout
cf set-env myapphana-srv SAP_EXT_TRL 3
cf restage myapphana-srv
cf logs myapphana-srv --recent
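As an alternative to an online JWT decode service, the token can be decoded locally in Node.js so that it never leaves your machine. This is an added example, not code from the video or the GitHub repository; the claim names (`xs.user.attributes`, `xs.system.attributes`, `xs.rolecollections`), the attribute name `region` and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decode an XSUAA-style JWT locally while debugging role attributes.
// Decoding is not verification: the signature is never checked here.

// Decode one base64url JWT segment into an object.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Split a compact JWT (optionally prefixed with "Bearer ") into header and payload.
function decodeJwt(token) {
  const parts = token.trim().replace(/^Bearer\s+/i, '').split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
}

// Pull out the claims that matter for role attributes (claim names are assumptions).
function summarise(payload, now = Math.floor(Date.now() / 1000)) {
  const system = payload['xs.system.attributes'] || {};
  return {
    user: payload.user_name || payload.email || null,
    origin: payload.origin || null,
    roleCollections: system['xs.rolecollections'] || [],
    attributes: payload['xs.user.attributes'] || {},
    scopes: payload.scope || [],
    expired: typeof payload.exp === 'number' ? payload.exp <= now : null,
  };
}

// List reasons why an attribute-based filter would receive no value.
function checkAttribute(summary, name) {
  const problems = [];
  const values = summary.attributes[name];
  if (summary.expired) problems.push('token expired');
  if (!Array.isArray(values) || values.length === 0) {
    problems.push(`attribute '${name}' missing or empty`);
  }
  if (summary.roleCollections.length === 0) problems.push('no role collections in token');
  return problems;
}

// Constructed sample token with a fake signature; not a real token.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const SAMPLE = [enc({ alg: 'RS256', typ: 'JWT' }), enc({
  user_name: 'jane@example.com', origin: 'custom-idp', exp: 4102444800,
  scope: ['openid', 'myapphana.USER'],
  'xs.system.attributes': { 'xs.rolecollections': ['myapphana_EMEA'] },
  'xs.user.attributes': { region: ['EMEA'] },
}), 'c2lnbmF0dXJl'].join('.');

const summary = summarise(decodeJwt(SAMPLE).payload);
console.log(summary, checkAttribute(summary, 'region'));
```

An empty problem list means the attribute reached the token; a missing attribute points back to the assertion attribute or role configuration in the identity provider and role collection mapping.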
Bonus Track: JWT Trust
The first video showed how to configure the JWT trust using SAP HANA cockpit. Alternatively, we can also use SQL statements and SAP HANA database explorer as illustrated in the next video.
For the details, see blog post