Technical Articles
SAP BTP Security Automation Using Authorization REST API and SAP Cloud SDK to manage XSUAA service instances, roles, templates, and collections Programmatically
Recently I have got chance to work on BTP cloud security below use-case in a cloud application
1) Display BTP Role Collection in UI Picker :Show all role collections, roles ,which exist within the current sub account created for specific XSUAA APP Programmatically
2) Validate whether role collection exist at BTP sub account
3) Show Users :Get users to whom the role collections are assigned
To accomplish this kind of use case i would like to recommend to refer below official guide.
Why SAP Cloud SDK
In general you can use axios promise-based HTTP Client to send asynchronous HTTP requests to Any REST endpoints and perform CRUD operations.With this Classic approach you need to write lot of code i.e Making BTP Platform HTTP requests with Axios , NodejS
const axios = require('axios')
const xssec = require('@sap/xssec')
But if you use SAP Cloud SDK then consumption of any Open API, OData API, REST API is easy like BTP Platform API (Exmple : Workflow API’s , Auth API, SCIM API… ) , S/4 HANA API’s, … etc i.e it makes your life easier
Advantages of SAP Cloud SDK
- You’ll benefit from less code boilerplate and better developer experience.
- You will get typesafe client auto generated classes which avoids lot of code i.e you no need to write DTO, Request,Response ,JSON Models.
- It will hide complexity in connecting to any Remote Service i.e take care of Authentication,CSRF , ETag tokens handling ,automated management of HTTP Headers and much more.You can read more about SAP Cloud SDK in below blog post
https://blogs.sap.com/2017/05/10/first-steps-with-sap-s4hana-cloud-sdk/
In this BlogPost i am using Authorization REST API
You can further extend SAP BTP Security Automation Scenarios Using Authorization REST API SAP Cloud SDK: to manage Application Security artifacts & to administrate the Authorization and Trust Management service (XSUAA) of SAP BTP, Cloud Foundry environment.
You can manage service instances of the Authorization and Trust Management service. You can also manage roles, role templates, and role collections of your subaccount.
First , Lets understand how to Use BTP Authorization REST API
Screenshot : Few Role Collections available at my BTP Trail Sub Account created for Demo Cloud Application
BTP Setup
To get BTP Role Collections of BTP XSUAA ,for this kind use case’s.
- First ,we need to create another XSUAA instances to get security artifacts as shown below This one only needs to be created with service plan “apiaccess” as shown below.
- Then Create Service Key of other XSUAA Instance of type “apiaccess” & Use Client ID,Client Secret,Access Token URL
Scenario1 : Get Role Collections from BTP Sub Account
BTP Auth “RoleCollectionsApi” to Returns all role collections, which exist within the current BTP subaccount as shown in above screenshot.
Here you can also further filter by XSUAA APP. Please refer Authorization REST API
Scenario 2: Get User References for given Role Collection
May be Application Admin needs to view which are the users that have a specific application role/all scopes of user , role collections , without navigating to BTP sub-account (sub-accoubt view rights needed to view sub-account details).
If you have requirement to get users to whom the role collections are assigned this is also possible.
Installation Instruction’s : Usage of SAP Cloud SDK
Refer Installation https://sap.github.io/cloud-sdk/docs/js/features/openapi/generate-client
Step1 :
Run command or add dependencies in package.json file of NodeJS
To install the OpenAPI generator as a devDependency, run the following command:
npm install -D @sap-cloud-sdk/openapi-generator
npm install @sap-cloud-sdk/openapi-generator

npm install -D @sap-cloud-sdk/openapi
npm install -D @types/node
Step2 : Generate typesafe client Codes
npx openapi-generator --input <input> --outputDir <outputDirectory>
SAP Cloud SDK in a CAP Node.js application
If you require the use of SAP Cloud SDK in a CAP Node.js application, please note below two points1) Note that a CAP project uses JavaScript, so you need to specify a transpilation option (-t or –transpil) to generate JavaScript files.2) It seems that you will need to place the output directory within srv/src.
Although this was not explicitly stated in the documentation, I discovered that it worked for any API use case with CAP Node.js.npx openapi-generator --input resources/service-specs --outputDir srv/src/generated -t
npx openapi-generator --input resources/service-specs --outputDir srv/src/generated --skipValidation -t
npx openapi-generator --input resources/service-specs --outputDir srv/src/generated --skipValidation -t -overwrite
Once setup completed you can refer Example Source Code.
—————————————————————————————–
Example Source Code
BTP Auth “RoleCollectionsApi” to returns all role collections, which exist within the current BTP sub account or you can also further filter response by using other api’s like by specific application ID or returns information about a role collection identified by the name of the role collection
const authapi = require("../src/generated/AuthorizationAPI"); const authapp = authapi.RolesApi.getRolesByAppId("xsuaa-app-id"); const request = authapi.RoleCollectionsApi; const roleCollections = request.getRoleCollections(); ... roleCollections.execute({ destinationName: 'int_subaccountname_xsuaaname' }); ....
Scenario 3: How to Get User & Permissions assigned on BTP Sub Account
If you navigate to BTP Sub-Account –> Choose Users –> Under “Security” as shown below, you can view users & associated roles assigned to user in BTP Cockpit.
Below is screenshot from my BTP trail account
Rest API to Get Users & assigned Roles/Permissions on BTP Sub-Account
if you would like Get this user details programatically then you can use below Rest API similar to how i explained above “How to Use BTP XSUAA Authorization REST API” .
May be Application admin needs to view users that have a specific application role/all scopes, role collections assigned.
For example to Get all users from BTP Sub-Account, you can try below API
https://api.authentication.region.hana.ondemand.com/Users
You can also filter response by sending query parameters like userName, emails.. etc
https://api.authentication.region.hana.ondemand.com/Users?userName=john.doe@sap.com
Scenario 4: Manage User Assignment to BTP XSUAA Role Collection Programmatically
To Add users, groups Programmatically,we have BTP standard [SCIM ] API’s(https://api.sap.com/api/IdDS_SCIM/tryout)’s to Manage users, groups and custom schemas in the SAP Cloud at Custom IAS Tenant (own Identity tenant ) Services
https://api.sap.com/api/IdDS_SCIM/tryout
Thank you for reading! If you enjoyed this post, please consider giving it a ‘‘Like’ ,‘Share’ it with your friends and followers, and ‘Follow’ me for more content like this. Your support means a lot to me!
Thank you for the awesome job, Showkath Ali.
Just want to share another detailed blog post, about consuming the "Authorization API". (Please don't get me wrong, this is also a great blog post that is very helpful).
Simply compare the amount of application code.
With the help of the SAP Cloud SDK, you benefit from the SDK features:
Just delegate them to the SDK, and you can focus on your own unique business.
Thanks Junjie Tang
Hi Showkath,
I have tried the same approach to consume User Management API to create users on BTP using SAP Cloud SDK.
After following the Installation & Generation as documented here using the JSON API Specification file downloaded from the API Business Hub and run the project I’m getting the following issue
Do you have any idea how to overcome this issue ?
thanks in advance for your support.
Regards,
Mariam
Hi Mariam Id-Manssour ,
Thank you for attempting the approach mentioned in the my blog post. I hope it proves to be helpful in reducing a significant amount of boilerplate code with the assistance of our SAP Cloud SDK .
Regarding your issue, if you require the use of SAP Cloud SDK in your CAP Node JS application, it seems that you will need to place the outputDir within srv/src. Although this was not explicitly stated in the documentation, I discovered that it worked for your particular use case with CAP Node JS.
However, note that for Node JS applications, the src path is not necessary. The command provided below worked for me:
Below command worked for me
Thank you Showkath Ali Naseem, again for sharing your experience:)
Hi Showkath Ali Naseem,
thanks for your response. Effectively the issue was related the client generation as the CAP project uses JavaScript and the generated client is TypeScript,so it is not recognized as a JS file.
by adding the --skipValidation and -t to the generation command the files was generated correctly.
Many thanks for your support and your collaboration to the SAP community with the series of interesting blog posts!
Best regards,
Mariam
Hi,
Yes, That's the reason why I included the command with the -t option in my post. I'll also include it in the main blog post to save readers from having to go through the comments. Thank you for taking the time to read my blog post and for your words of encouragement.
KR,
Showkath,