Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
dvankempen
Product and Topic Expert
Product and Topic Expert






With this blog series we provide an update with the latest information on getting started with SAP HANA Cloud on the SAP Cloud Platform.

  1. About SAP HANA Cloud

  2. SAP HANA Cloud Getting Started

  3. SAP HANA Cloud and SAP Business Application Studio

  4. HDI with SAP HANA Cloud

  5. SAP Analysis for Microsoft Office and SAP HANA Cloud

  6. Cloud Foundry Advanced

  7. SAP HANA Cloud and SAP BTP Trust

  8. Data masking and data anonymization

  9. Predictive Analysis Library (PAL) and Automated Predictive Library (APL)

  10. Remote data sources and virtual tables

  11. OData with SAP HANA Cloud

  12. SAP HANA Cloud Graph

  13. Role Attributes <=

  14. SAP HANA Cloud and Smart Data Integration


For more information about the free trial, see

For the new features overview posts, see

Questions? Post as comment.

Useful? Give us a like and share on social media.

Thanks!





Role Collections with Attributes


In this blog post, you will find three video tutorials about how to configure personalised access to SAP HANA Cloud using role attributes with additional information and resources.

What You Learn


You can watch the video tutorial in a little under 30 minutes. What you learn is

  • How to configure trust between the SAP Cloud Platform tenant and SAP HANA Cloud (also covered in JWT Trust)

  • How to configure a multi-target application to implement role collections with fixed attributes

  • How to configure a MTA to implement role collections dynamically using role collection mapping and custom identity provider

  • How to configure trust between the SAP Cloud Platform tenant and a custom IdP

  • How to debug using the cf CLI and an online JWT decode service


Documentation


Role collections and attributes are documented in the SAP Cloud Platform guide.

In part III, we use a custom identity provider (IdP) instead of the default SAP ID service.

For more information about SAP Cloud Identity Service, see

Code Samples on GitHub


As we know your time is precious, you can find the code snippet on our GitHub repository



Video Tutorials


Role Attributes I


In this video tutorial series, we learn how to configure personalised access to SAP HANA Cloud from a full-stack application via role attributes.

The first video provides an introduction to key concepts and documentation before covering pre-requisite configuration including setting up the trust between the SAP Cloud Platform subaccount and the SAP HANA Cloud instance, a topic also covered in

https://youtu.be/DLjFf0EiRQc?list=PLkzo92owKnVzONfsNdQNmpPQvUT54UUAL

0:00 - Introduction and use case

0:50 - Role collections with attributes (documentation)

2:00 - Prerequisite: SAP HANA Cloud 

2:30 - XSUAA service

2:45 - Prerequisite: Configure JWT Trust 

4:25 - Import certificate

4:35 - Create JWT Identity Provider

5:10 - Create certificate collection (PSE)

5:45 - Configure SAP Business Application Studio

6:20 - Git clone sample code from github.com/saphanaacademy/scpapps

6:40 - Showcase myapphana MTA (multi-target application)

7:10 - Recap

Role Attributes II


In the second video we learn how to customise a standard full-stack multi-target application to take advantage of role attributes with a focus on static definitions.

https://youtu.be/uaaYW8EldRI?list=PLkzo92owKnVzONfsNdQNmpPQvUT54UUAL

0:00 - Introduction

0:30 - Configure security descriptor (xs-security.json)

1:50 - Configure business logic of the server app (server.js) 

4:50 - Configure approuter (xs-app.json)

5:10 - Build and deploy MTA

5:50 - Create role collection with static configuration

7:00 - Assign role collection to user 

8:00 - Demo

9:00 - Limitations

Code samples from github.com/saphanaacademy/scpapps/blob/master/roleattributes.txt.


Role Attributes III - Using Custom Identity Providers


In the third video, we extend the use of role attributes to a custom Identity Provider so that rather than using static role-based definitions, access can be configured for each user in the identity provider. The tuturial also covers how to debug the authentication and authorization process.

https://youtu.be/xrObN7uVP-8?list=PLkzo92owKnVzONfsNdQNmpPQvUT54UUAL

0:00 - Introduction

1:00 - Using as SAP Identity Authentication Service as custom Identity Provider (IdP) 

1:30 - Export SAML metadata from Identify Provider and import to SAP Cloud Platform

2:10 - Disable SAP ID service (default Identify Provider)

2:30 - Export SAML metadata from SAP Cloud Platform and import to Identify Provider

3:00 - Configure default name ID format: e-mail

3:10 - Configure assertion attributes and add 'division' (region) and 'Groups'

3:50 - Add user group

4:10 - Assign user group and division to user account

5:00 - Configure role collection mapping for the Identify Provider in SAP Cloud Platform

5:30 - Configure role to use Identify Provider as source with value 'division'

6:20 - Connect to sample application

7:00 - How to debug using the cf CLI set-env command

10:10 - How to decode the JWT using jwt.io

10:50 - Recap

Code samples from github.com/saphanaacademy/scpapps/blob/master/roleattributes.txt
cf set-env myapphana-srv DEBUG xssec*
cf set-env myapphana-srv SAP_EXT_TRC stdout
cf set-env myapphana-srv SAP_EXT_TRL 3
cf restage myapphana-srv
cf logs myapphana-srv --recent

Bonus Track: JWT Trust


The first video showed how to configure the JWT trust using SAP HANA cockpit. Alternatively, we can also use SQL statements and SAP HANA database explorer as illustrated in the next video.

For the details, see blog post

https://youtu.be/tqg1qPwGdvU?list=PLkzo92owKnVzONfsNdQNmpPQvUT54UUAL


Share and Connect


Questions? Please post as comment.

Useful? Give us a like and share on social media.

Thanks!

If you would like to receive updates, connect with me on

For the author page of SAP PRESS, visit








Over the years, for the SAP HANA Academy, SAP’s Partner Innovation Lab, and à titre personnel, I have written a little over 300 posts here for the SAP Community. Some articles only reached a few readers. Others attracted quite a few more.

For your reading pleasure and convenience, here is a curated list of posts which somehow managed to pass the 10k-view mile stone and, as sign of current interest, still tickle the counters each month.



For the SAP HANA Cloud e-bite, see