Author: Revathi Radhakrishnan

Securing an application with role templates and scopes on the SAP Business Technology Platform

Introduction

In this blog post, we will see how to authorize a set of users to access a particular application with the help of role collections, scopes, and user groups.

1) Creating a user group in the IDP (Identity Provider)

In the SAP BTP cockpit, you can see the users of your subaccount, user-related identity provider information, and their authorizations. In a user's overview, you can create and delete users and assign role collections. In the administration console of the Identity Authentication service, you can create an identity provider group for users and assign users to it. For more details, see User Groups.


2) Update the xs-security.json file with a new role template

Edit the xs-security.json file and add a role template. The excerpt below declares three scopes and a Viewer role template that references the Display scope; $XSAPPNAME is replaced by the application name (xsappname) when the service instance is created or updated. For details, see Application Security Descriptor Syntax.

{
	"xsappname": "<your-xsappname>",
	"scopes": [{
		"name": "$XSAPPNAME.Display",
		"description": "display"
	}, {
		"name": "$XSAPPNAME.Edit",
		"description": "edit"
	}, {
		"name": "$XSAPPNAME.Delete",
		"description": "delete",
		"granted-apps": ["$XSAPPNAME(application,business-partner)"]
	}],
	"role-templates": [{
		"name": "Viewer",
		"description": "View all books",
		"default-role-name": "Viewer: Authorized to Read All Books",
		"scope-references": [
			"$XSAPPNAME.Display"
		]
	}]
}

3) To deploy the security information, update the XSUAA service instance using your xs-security.json file. Go to the folder where the xs-security.json file is stored and run:

 cf update-service <service_name> -c ./xs-security.json

 

4) Create a new role collection in the BTP cockpit under the Security > Role Collections tab.

 

5) Add roles to the role collection by choosing the role template and adding the role it generates to the role collection.

6) Map role collections to user groups: in the Trust Configuration tab, open the Role Collection Mappings section, choose the role collection from the drop-down list, and in the Value field enter the name of the new user group.

7) Specify the scope in the manifest.json file of the application that you want to secure by adding the following. Scope names are case-sensitive and must match the name declared in xs-security.json (here Display, not display):

"sap.platform.cf": {
	"oAuthScopes": ["<xsuaa instance>.Display"]
}
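The manifest.json entry above only tells the launchpad and approuter which scope a user needs to open the app; the application itself must still enforce the scope on each request. The following is an added example, not code from the original post or from SAP: it re-implements the local-scope check that @sap/xssec performs (checkLocalScope) on an already verified XSUAA token, and it also refuses a descriptor whose role template references a scope that was never declared. The descriptor, the xsappname "bookshop", the method-to-scope policy, the tenant suffix "!t1234" and the token payloads are all constructed for this example.

```javascript
// Added example: server-side enforcement of the scopes declared in
// xs-security.json. In a real SAP BTP Node.js app, @sap/xssec verifies the
// JWT issued by XSUAA and exposes req.authInfo.checkLocalScope(); here the
// verified token payload is a constructed object so the logic runs offline.

// Constructed copy of the descriptor excerpt from the post. "bookshop" is a
// placeholder xsappname; XSUAA appends "!t<tenant-id>" in issued tokens.
const xsSecurity = {
  xsappname: "bookshop",
  scopes: [
    { name: "$XSAPPNAME.Display", description: "display" },
    { name: "$XSAPPNAME.Edit", description: "edit" },
    { name: "$XSAPPNAME.Delete", description: "delete" }
  ],
  "role-templates": [
    { name: "Viewer", "scope-references": ["$XSAPPNAME.Display"] }
  ]
};

// Scope each HTTP method needs (policy chosen for this example): read-only
// users in the Viewer role collection get Display, nothing more.
const requiredScopeByMethod = { GET: "Display", POST: "Edit", PUT: "Edit", DELETE: "Delete" };

// Strip the "$XSAPPNAME." prefix and return the set of declared local scope
// names; throw on a scope-reference that is not declared, which
// "cf update-service" would also reject at deployment time.
function localScopes(descriptor) {
  const strip = (n) => n.replace(/^\$XSAPPNAME\./, "");
  const declared = new Set(descriptor.scopes.map((s) => strip(s.name)));
  for (const rt of descriptor["role-templates"]) {
    for (const ref of rt["scope-references"]) {
      if (!declared.has(strip(ref))) {
        throw new Error(`role template ${rt.name} references undeclared scope ${ref}`);
      }
    }
  }
  return declared;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Mirror of checkLocalScope: the token's "scope" claim carries fully qualified
// names "<xsappname>!t<tenant>.<scope>". Only scopes of this app count, and the
// comparison is case-sensitive, so "bookshop!t1234.display" does not match.
function hasLocalScope(tokenPayload, xsappname, scope) {
  const pattern = new RegExp(`^${escapeRegExp(xsappname)}!t\\d+\\.${escapeRegExp(scope)}$`);
  return (tokenPayload.scope || []).some((s) => pattern.test(s));
}

// Decide whether a request may proceed. Returns the HTTP status a route guard
// would send: 405 for an unmapped method, 403 for a missing scope, 200 otherwise.
function authorize(descriptor, tokenPayload, method) {
  const needed = requiredScopeByMethod[method];
  if (!needed) return { allowed: false, status: 405 };
  if (!localScopes(descriptor).has(needed)) {
    throw new Error(`policy requires scope ${needed} that xs-security.json does not declare`);
  }
  const ok = hasLocalScope(tokenPayload, descriptor.xsappname, needed);
  return { allowed: ok, status: ok ? 200 : 403 };
}

// Constructed payloads of already verified tokens: a user mapped to the Viewer
// role collection, and a user holding a same-named scope of a different app.
const viewerToken = { client_id: "sb-bookshop!t1234", scope: ["openid", "bookshop!t1234.Display"] };
const foreignToken = { client_id: "sb-other!t1234", scope: ["openid", "other!t1234.Display"] };

console.log("viewer GET   ->", authorize(xsSecurity, viewerToken, "GET").status);    // 200
console.log("viewer DELETE->", authorize(xsSecurity, viewerToken, "DELETE").status); // 403
console.log("foreign GET  ->", authorize(xsSecurity, foreignToken, "GET").status);   // 403
```

The descriptor check in localScopes is the part worth keeping in a build step: a role template that references a scope with a typo or a different case is the most common reason a role collection looks correct in the cockpit while users still receive 403 from the application.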

 

If anything needs clarification, post a comment. Feedback is most appreciated.

NOTE: More details regarding protecting an application can be found here
