Access Policy for securing design artifacts in the SAP Cloud Integration designer
With the 5.22.x/6.14.x release, SAP Cloud Integration provides Access policies in the designer for integration flow to apply more granular access control in addition to the existing role-based access control.
In SAP Cloud Integration, user permissions are granted in a way that all tasks can be performed on all artifacts and data. Access policies provide a way to restrict access to selected artifacts and their data.
To know access policies, steps to create and activate access policies, how it works and other information, please refer the blog post
In this blog, we will primarily focus on the extension of access policies that has been consumed in integration flow design time to provide controlled access and safeguard the operations at artifact and package level from unauthorized users.
This feature is described in the SAP Help Portal ( see Access policies in the designer for integration flow).
Let us understand how the Access policies in the designer will prominently help and resolve some of the crucial scenarios.
Assume two different departments from the same company access the common SAP Cloud Integration tenant for addressing their business use cases. Let the department be:
- HR (Human Resource)
- IT (Information Technology)
The most prominent issue which is faced by the tenant administrator is the grievance from the department where they complain that users from the other department are editing and deleting their integration flows.
In order to address this issue and make the life of a tenant administrator easy, fine granular access has been introduced in the form of access policies to provide controlled access at the artifact level and ensure the protection from an unauthorized user.
What are access policies in the designer for integration flow?
- Safeguards selected integration flows from access by Unauthorized users.
- Access Policies only allows users to view restricted integration flows, and all other actions being restricted, with an Error message.
Let us assume that a custom role is created/activated in the SAP BTP account cockpit for HR department and the users of the HR department are assigned to the custom role, Access policy is created, and the integration flows of the HR department are referenced to the custom role.
Now, if a user who doesn’t belong to HR department try to perform any operations on the HR integration flows, then they will be restricted and shall see an error message.
Restricted Artifact Actions
Actions that are restricted at the artifact level are edit, copy, download, delete, configure, mass delete, mass download, mass configure and simulation of integration flow.
A user from IT department try to configure the integration flowImage1: A user from IT department try to configure the integration flow.
On click of configure action, an error will appear for a user from IT department.Image2: Error notification/message to a user from IT department.
A user from IT team is not allowed to delete the access restricted integration flow
On edit of the integration flow from the iflow editor, error message seen by a user from IT department.Image4: A user from IT team is not allowed to edit the access restricted integration flow
A user from IT department is not allowed to perform mass delete operation at the artifact level.Image5: Mass delete of integration flow is protected from an unauthorized user
Restricted Integration Package Actions
Integration package level actions are safeguarded if access to one or more integration flows is restricted and the actions are export, copy, transport, publish and delete.
A user from IT department is not allowed to export the package if one or more integration flows are restricted through access policies.Image6: Export action is protected from a IT team user
Note: All the above-mentioned operations at artifact and package level will be safeguarded via OData Remote APIs as well.
In the successive increments, we have plans to consume access policies in the designer for other artifacts
- REST API
- SOAP API
- ODATA API
- Value Mapping
- Integration Adapter
In addition to this, we will also consume access policies to safeguard runtime operations such as
- Deploy of artifact
- Undeploy of artifact
- Restart of artifact
- Download of runtime artifact
Hope this feature will enable you to protect a selected artifact from an unauthorized user in a designer.
In case of questions or feedback, please feel free to comment on this blog.