Technology Blogs by SAP

Introduction


In this blog post, we will see how to authorize a set of users to access a particular application with the help of a role collection, a scope, and user groups.

1) Creating a user group in the IdP (Identity Provider)

In the SAP BTP cockpit, you can see the users of your subaccount, their identity provider information, and their authorizations. In a user's overview, you can create and delete users and assign role collections. In the administration console of the Identity Authentication service, you can create an identity provider group and assign users to it. For more details, see User Groups.


2) Update the xs-security.json file with a new role template


Edit the xs-security.json file and add a role template that references the scope. For details, see Application Security Descriptor Syntax. The fragment below is closed so that it is valid JSON; replace the xsappname placeholder with your own application name.


```json
{
  "xsappname": "<your-app-name>",
  "scopes": [{
    "name": "$XSAPPNAME.Display",
    "description": "display"
  }, {
    "name": "$XSAPPNAME.Edit",
    "description": "edit"
  }, {
    "name": "$XSAPPNAME.Delete",
    "description": "delete",
    "granted-apps": ["$XSAPPNAME(application,business-partner)"]
  }],
  "role-templates": [{
    "name": "Viewer",
    "description": "View all books",
    "default-role-name": "Viewer: Authorized to Read All Books",
    "scope-references": [
      "$XSAPPNAME.Display"
    ]
  }]
}
```

3) To deploy the security information, update the XSUAA service instance with your xs-security.json file. Go to the folder where the xs-security.json file is stored and run:

```
cf update-service <service_name> -c ./xs-security.json
```

4) Create a new role collection in the BTP cockpit under the Security > Role Collections tab.

5) Add roles to the role collection: click the role template and add the role created from it to the role collection.

6) Map the role collection to the user group: in the Trust Configuration tab, open the Role Collection Mappings section, choose the role collection from the drop-down list, and in the value field enter the name of the new user group.

7) Specify the scope in the manifest.json file of the application you want to secure by adding the following. The $XSAPPNAME placeholder is resolved to the xsappname of the bound XSUAA instance, and scope names are case-sensitive, so the name must match the scope defined in xs-security.json exactly:

```json
"sap.platform.cf": {
  "oAuthScopes": ["$XSAPPNAME.Display"]
}
```
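Because a scope referenced in a role template or in manifest.json that does not match a defined scope (a typo, or a case mismatch such as ".display" versus ".Display") silently leaves users without access, it is worth checking the two descriptors against each other before running cf update-service. The following added example (not part of the original post or of any SAP tool) uses constructed sample descriptors modelled on the fragments above, with a hypothetical xsappname "bookshop" and a deliberately mismatched manifest scope:

```python
from __future__ import annotations
import json

# Constructed sample xs-security.json, modelled on the fragment in this post.
# The "Editor" template and its "$XSAPPNAME.Modify" reference are a deliberate typo.
XS_SECURITY = json.loads("""
{
  "xsappname": "bookshop",
  "scopes": [
    {"name": "$XSAPPNAME.Display", "description": "display"},
    {"name": "$XSAPPNAME.Edit", "description": "edit"},
    {"name": "$XSAPPNAME.Delete", "description": "delete"}
  ],
  "role-templates": [
    {"name": "Viewer", "scope-references": ["$XSAPPNAME.Display"]},
    {"name": "Editor", "scope-references": ["$XSAPPNAME.Edit", "$XSAPPNAME.Modify"]}
  ]
}
""")

# Constructed manifest.json fragment with the lower-case mismatch discussed above.
MANIFEST = json.loads('{"sap.platform.cf": {"oAuthScopes": ["$XSAPPNAME.display"]}}')


def check_descriptors(xs_security: dict, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means every reference resolves."""
    app = xs_security.get("xsappname", "")
    defined = {s["name"] for s in xs_security.get("scopes", [])}
    by_lower = {name.lower(): name for name in defined}

    def canonical(name: str) -> str:
        # Accept scopes written with the literal xsappname instead of $XSAPPNAME.
        return "$XSAPPNAME." + name[len(app) + 1:] if app and name.startswith(app + ".") else name

    def describe(where: str, ref: str) -> str:
        hint = ""
        if canonical(ref).lower() in by_lower:
            hint = f" (did you mean {by_lower[canonical(ref).lower()]!r}? scope names are case-sensitive)"
        return f"{where} references undefined scope {ref!r}{hint}"

    problems = []
    for tmpl in xs_security.get("role-templates", []):
        for ref in tmpl.get("scope-references", []):
            if canonical(ref) not in defined:
                problems.append(describe(f"role template {tmpl['name']!r}", ref))
    for ref in manifest.get("sap.platform.cf", {}).get("oAuthScopes", []):
        if canonical(ref) not in defined:
            problems.append(describe("manifest.json oAuthScopes", ref))
    return problems
```

Run the check on your own files by loading them with json.load and passing the two dictionaries to check_descriptors; a non-empty result should block the deployment.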



In case anything needs clarification, post a comment. Feedback is most appreciated.

NOTE: More details regarding protecting an application can be found here.