Skip to Content
Technical Articles

Access Policy for securing design artifacts in the SAP Cloud Integration designer

Introduction

With the 5.22.x/6.14.x release, SAP Cloud Integration provides Access policies in the designer for integration flow to apply more granular access control in addition to the existing role-based access control.

In SAP Cloud Integration, user permissions are granted in a way that all tasks can be performed on all artifacts and data. Access policies provide a way to restrict access to selected artifacts and their data.

To know access policies, steps to create and activate access policies, how it works and other information, please refer the blog post 

In this blog, we will primarily focus on the extension of access policies that has been consumed in integration flow design time to provide controlled access and safeguard the operations at artifact and package level from unauthorized users.

This feature is described in the SAP Help Portal ( see Access policies in the designer for integration flow).

Let us understand how the Access policies in the designer will prominently help and resolve some of the crucial scenarios.

Scenario

Assume two different departments from the same company access the common SAP Cloud Integration tenant for addressing their business use cases. Let the department be:

  1. HR (Human Resource)
  2. IT (Information Technology)

The most prominent issue which is faced by the tenant administrator is the grievance from the department where they complain that users from the other department are editing and deleting their integration flows.

 

 

In order to address this issue and make the life of a tenant administrator easy, fine granular access has been introduced in the form of access policies to provide controlled access at the artifact level and ensure the protection from an unauthorized user.

 

What are access policies in the designer for integration flow?

  • Safeguards selected integration flows from access by Unauthorized users.
  • Access Policies only allows users to view restricted integration flows, and all other actions being restricted, with an Error message.

 

Let us assume that a custom role is created/activated in the SAP BTP account cockpit for HR department and the users of the HR department are assigned to the custom role, Access policy is created, and the integration flows of the HR department are referenced to the custom role.

 

Now, if a user who doesn’t belong to HR department try to perform any operations on the HR integration flows, then they will be restricted and shall see an error message.

 

Restricted Artifact Actions

Actions that are restricted at the artifact level are edit, copy, download, delete, configure, mass delete, mass download, mass configure and simulation of integration flow.

 

A user from IT department try to configure the integration flowImage1: A user from IT department try to configure the integration flow.

 

On click of configure action, an error will appear for a user from IT department.Image2: Error notification/message to a user from IT department.

A user from IT team is not allowed to delete the access restricted integration flow

Image3: Error message on deletion of integration flow

 

On edit of the integration flow from the iflow editor, error message seen by a user from IT department.Image4: A user from IT team is not allowed to edit the access restricted integration flow

 

A user from IT department is not allowed to perform mass delete operation at the artifact level.Image5: Mass delete of integration flow is protected from an unauthorized user

Restricted Integration Package Actions

Integration package level actions are safeguarded if access to one or more integration flows is restricted and the actions are export, copy, transport, publish and delete.

 

A user from IT department is not allowed to export the package if one or more integration flows are restricted through access policies.Image6: Export action is protected from a IT team user

Note: All the above-mentioned operations at artifact and package level will be safeguarded via OData Remote APIs as well.

Next steps:

In the successive increments, we have plans to consume access policies in the designer for other artifacts

  1. REST API
  2. SOAP API
  3. ODATA API
  4. Value Mapping
  5. Integration Adapter

In addition to this, we will also consume access policies to safeguard runtime operations such as

  1. Deploy of artifact
  2. Undeploy of artifact
  3. Restart of artifact
  4. Download of runtime artifact

Conclusion

Hope this feature will enable you to protect a selected artifact from an unauthorized user in a designer.

In case of questions or feedback, please feel free to comment on this blog.

5 Comments
You must be Logged on to comment or reply to a post.
  • Hi Kamlesh,

    Thanks for the detailed blog.

    If an access policy is created and say we assign a flow to that, note the user won't be able to edit neither see the payload during runtime. Is there a possibility just to restrict the user to edit that particualr iflow but he/she can still see the runtime payload?

    Thanks,

    Manoj

  • Hello Manoj,

    No that is not possible, once the access policy is created and referenced to the integration flow, user can neither edit the flow in designer nor see the payload during runtime.

    Regards,

    Kamlesh.

  • Hello Shameer,

    Yes, enabling access policy at the package level is there in our roadmap.

    There is no need to create 'n' number of access policies for your mentioned scenario. You can create one access policy and can reference the 'n' number of iflows in that access policy.

    Regards,

    Kamlesh.