Skip to Content
Technical Articles
Author's profile photo Revathi Radhakrishnan

Securing an application with role templates and scopes on the SAP Business Technology Platform


In this blog post, we will see how to authorize a set of users to access the particular application with the help of role collection, scope, and user groups.

1) creating a user group in the IDP (Identity Provider)

In the SAP BTP cockpit, you can see the users of your subaccount, user-related identity provider information, and their authorizations. In a user’s overview, you can create and delete users and assign role collections. In the administration console of the Identity Authentication service, you can create an identity provider group for users and assign users to it. for more details, see User Groups


2) Update the xs-security.json file with a new role template

Edit the xs-security.json file and add a role template. For details, see Application Security Descriptor Syntax


"scopes": [{
		"name": "$XSAPPNAME.Display",
		"description": "display"
	}, {
		"name": "$XSAPPNAME.Edit",
		"description": "edit"
	}, {
		"name": "$XSAPPNAME.Delete",
		"description": "delete",
		"granted-apps": ["$XSAPPNAME(application,business-partner)"]
	"role-templates": [{
		"name": "Viewer",
		"description": "View all books",
		"default-role-name": "Viewer: Authorized to Read All Books",
		"scope-references": [

3) To deploy the security information, update the service using your file. Go to the folder where the xs-security.json file is stored.

 cf update-service <service_name> -c ./xs-security.json


4) Create a new role collection in the BTP cockpit under the Security > Role collections tab


5) Add Roles to a Role Collection by Clicking the role template and add the role to the role template.


5) Map Role Collections to User Groups by clicking the role collection mappings section in the trust configuration tab and choose the role collection from the drop-down list, and in the value filed, give the name of the new user group



6) Specify the scope in the manifest.json file of an application that you want to secure by adding



"oAuthScopes": ["<xsuaa instance> .display"]



Incase of clarification, post a comment. Feedbacks are most appreciated.

NOTE: More details regarding protecting an application can be found here

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Rohit Pahari
      Rohit Pahari

      Hello Revathi,

      Thank you for this writeup. Your post, along with a few others, have really helped me to get a grasp on the BTP security outline. 🙂


      I have one question, appreciate if you could help me with some hints. I have a subscription to an SAP standard service - Identity Access Governance (IAG) in one of my subaccounts.

      I was exploring the roles and role collections that have been bundled with this service through the BTP cockpit, when I noticed that the "create" button next to the role templates is greyed out. When I hover on it, it pops up a message - "Only One role can exist based on the role template" (see screenshot).

      Any idea, why this is so?