Recently I have got chance to work on BTP cloud security below use-case in a cloud application
To accomplish this kind of use case i would like to recommend to refer below official guide.
Authorization REST API
SAP Cloud SDK
In general you can use axios promise-based HTTP Client to send asynchronous HTTP requests to Any REST endpoints and perform CRUD operations.With this Classic approach you need to write lot of code i.e Making BTP Platform HTTP requests with Axios , NodejS
But if you use SAP Cloud SDK then consumption of any Open API, OData API, REST API is easy like BTP Platform API (Exmple : Workflow API's , Auth API, SCIM API... ) , S/4 HANA API's, ... etc i.e it makes your life easier
https://blogs.sap.com/2017/05/10/first-steps-with-sap-s4hana-cloud-sdk/
In this BlogPost i am using Authorization REST API
You can further extend SAP BTP Security Automation Scenarios Using Authorization REST API SAP Cloud SDK: to manage Application Security artifacts & to administrate the Authorization and Trust Management service (XSUAA) of SAP BTP, Cloud Foundry environment.
You can manage service instances of the Authorization and Trust Management service. You can also manage roles, role templates, and role collections of your subaccount.
Screenshot : Few Role Collections available at my BTP Trail Sub Account created for Demo Cloud Application
To get BTP Role Collections of BTP XSUAA ,for this kind use case's.
BTP Auth "RoleCollectionsApi" to Returns all role collections, which exist within the current BTP subaccount as shown in above screenshot.
Here you can also further filter by XSUAA APP. Please refer Authorization REST API
May be Application Admin needs to view which are the users that have a specific application role/all scopes of user , role collections , without navigating to BTP sub-account (sub-accoubt view rights needed to view sub-account details).
If you have requirement to get users to whom the role collections are assigned this is also possible.
Refer Installation https://sap.github.io/cloud-sdk/docs/js/features/openapi/generate-client
Run command or add dependencies in package.json file of NodeJS
To install the OpenAPI generator as a devDependency, run the following command:
Once setup completed you can refer Example Source Code.
BTP Auth "RoleCollectionsApi" to returns all role collections, which exist within the current BTP sub account or you can also further filter response by using other api's like by specific application ID or returns information about a role collection identified by the name of the role collection
If you navigate to BTP Sub-Account --> Choose Users --> Under "Security" as shown below, you can view users & associated roles assigned to user in BTP Cockpit.
Below is screenshot from my BTP trail account
if you would like Get this user details programatically then you can use below Rest API similar to how i explained above "How to Use BTP XSUAA Authorization REST API" .
May be Application admin needs to view users that have a specific application role/all scopes, role collections assigned.
For example to Get all users from BTP Sub-Account, you can try below API
https://api.authentication.region.hana.ondemand.com/Users
You can also filter response by sending query parameters like userName, emails.. etc
https://api.authentication.region.hana.ondemand.com/Users?userName=john.doe@sap.com
To Add users, groups Programmatically,we have BTP standard [SCIM ] API's(https://api.sap.com/api/IdDS_SCIM/tryout)’s to Manage users, groups and custom schemas in the SAP Cloud at Custom IAS Tenant (own Identity tenant ) Services
https://api.sap.com/api/IdDS_SCIM/tryout
https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/ddd067c899f94e2f9...
Thank you for reading! If you enjoyed this post, please consider giving it a ‘'Like' ,'Share' it with your friends and followers, and 'Follow' me for more content like this. Your support means a lot to me!
1) Display BTP Role Collection in UI Picker :Show all role collections, roles ,which exist within the current sub account created for specific XSUAA APP Programmatically
2) Validate whether role collection exist at BTP sub account
3) Show Users :Get users to whom the role collections are assigned
To accomplish this kind of use case i would like to recommend to refer below official guide.
Authorization REST API
SAP Cloud SDK
Why SAP Cloud SDK
In general you can use axios promise-based HTTP Client to send asynchronous HTTP requests to Any REST endpoints and perform CRUD operations.With this Classic approach you need to write lot of code i.e Making BTP Platform HTTP requests with Axios , NodejS
const axios = require('axios')
const xssec = require('@sap/xssec')But if you use SAP Cloud SDK then consumption of any Open API, OData API, REST API is easy like BTP Platform API (Exmple : Workflow API's , Auth API, SCIM API... ) , S/4 HANA API's, ... etc i.e it makes your life easier
Advantages of SAP Cloud SDK
- You'll benefit from less code boilerplate and better developer experience.
- You will get typesafe client auto generated classes which avoids lot of code i.e you no need to write DTO, Request,Response ,JSON Models.
- It will hide complexity in connecting to any Remote Service i.e take care of Authentication,CSRF , ETag tokens handling ,automated management of HTTP Headers and much more.You can read more about SAP Cloud SDK in below blog post
https://blogs.sap.com/2017/05/10/first-steps-with-sap-s4hana-cloud-sdk/
In this BlogPost i am using Authorization REST API
You can further extend SAP BTP Security Automation Scenarios Using Authorization REST API SAP Cloud SDK: to manage Application Security artifacts & to administrate the Authorization and Trust Management service (XSUAA) of SAP BTP, Cloud Foundry environment.
You can manage service instances of the Authorization and Trust Management service. You can also manage roles, role templates, and role collections of your subaccount.
First , Lets understand how to Use BTP Authorization REST API
Screenshot : Few Role Collections available at my BTP Trail Sub Account created for Demo Cloud Application
BTP Setup
To get BTP Role Collections of BTP XSUAA ,for this kind use case's.
- First ,we need to create another XSUAA instances to get security artifacts as shown below This one only needs to be created with service plan "apiaccess" as shown below.
- Then Create Service Key of other XSUAA Instance of type "apiaccess" & Use Client ID,Client Secret,Access Token URL
Scenario1 : Get Role Collections from BTP Sub Account
BTP Auth "RoleCollectionsApi" to Returns all role collections, which exist within the current BTP subaccount as shown in above screenshot.
Here you can also further filter by XSUAA APP. Please refer Authorization REST API
Scenario 2: Get User References for given Role Collection
May be Application Admin needs to view which are the users that have a specific application role/all scopes of user , role collections , without navigating to BTP sub-account (sub-accoubt view rights needed to view sub-account details).
If you have requirement to get users to whom the role collections are assigned this is also possible.
Installation Instruction's : Usage of SAP Cloud SDK
Refer Installation https://sap.github.io/cloud-sdk/docs/js/features/openapi/generate-client
Step1 :
Run command or add dependencies in package.json file of NodeJS
To install the OpenAPI generator as a devDependency, run the following command:
npm install -D @sap-cloud-sdk/openapi-generatorIf you would like to install OpenAI generator globally then run below command
npm install @sap-cloud-sdk/openapi-generatorRefer to the following note for more information:
npm install -D @sap-cloud-sdk/openapi
npm install -D @types/nodeStep2 : Generate typesafe client Codes
To generate an OpenAPI client and typesafe client auto-generated classes, which can save you a lot of code by avoiding the need to write DTO, Request, Response, and JSON Models, use the SAP Cloud SDK generator primarily on the command line. To do this, run the following commands from a Windows/Mac Terminal or Visual Studio Code or SAP Business Application Studio BAS Terminal:
npx openapi-generator --input <input> --outputDir <outputDirectory>Refer to this link for more information:
The following are the options you can use:
-i,--input (required) = Specify the path to the directory or file containing the OpenAPI service definition(s) to generate clients for. Accepts Swagger and OpenAPI definitions as YAML and JSON files. Throws an error if the path does not exist.
-o,--outputDir (required) = Specify the path to the directory to generate the client(s) in. Each client is generated into a subdirectory within the given output directory. Creates the directory if it does not exist. Customize subdirectory naming through --optionsPerService.
SAP Cloud SDK in a CAP Node.js application
If you require the use of SAP Cloud SDK in a CAP Node.js application, please note below two points
1) Note that a CAP project uses JavaScript, so you need to specify a transpilation option (-t or --transpil) to generate JavaScript files.
2) It seems that you will need to place the output directory within srv/src.
Although this was not explicitly stated in the documentation, I discovered that it worked for any API use case with CAP Node.js.
npx openapi-generator --input resources/service-specs --outputDir srv/src/generated -t
3) If generation of services failed due to validation
To check for invalid characters you can use the following RegEx: /[.#@/"'*%]+/g then rename or use the skipValidation option
npx openapi-generator --input resources/service-specs --outputDir srv/src/generated --skipValidation -t4) If you want to to overwrite then add -overwrite option
npx openapi-generator --input resources/service-specs --outputDir srv/src/generated --skipValidation -t -overwriteOnce setup completed you can refer Example Source Code.
-----------------------------------------------------------------------------------------
Example Source Code
BTP Auth "RoleCollectionsApi" to returns all role collections, which exist within the current BTP sub account or you can also further filter response by using other api's like by specific application ID or returns information about a role collection identified by the name of the role collection
const authapi = require("../src/generated/AuthorizationAPI");
const authapp = authapi.RolesApi.getRolesByAppId("xsuaa-app-id");
const request = authapi.RoleCollectionsApi;
const roleCollections = request.getRoleCollections();
...
roleCollections.execute({ destinationName: 'int_subaccountname_xsuaaname' });
....
Scenario 3: How to Get User & Permissions assigned on BTP Sub Account
If you navigate to BTP Sub-Account --> Choose Users --> Under "Security" as shown below, you can view users & associated roles assigned to user in BTP Cockpit.
Below is screenshot from my BTP trail account
Rest API to Get Users & assigned Roles/Permissions on BTP Sub-Account
if you would like Get this user details programatically then you can use below Rest API similar to how i explained above "How to Use BTP XSUAA Authorization REST API" .
May be Application admin needs to view users that have a specific application role/all scopes, role collections assigned.
For example to Get all users from BTP Sub-Account, you can try below API
https://api.authentication.region.hana.ondemand.com/Users
You can also filter response by sending query parameters like userName, emails.. etc
https://api.authentication.region.hana.ondemand.com/Users?userName=john.doe@sap.com
Scenario 4: Manage User Assignment to BTP XSUAA Role Collection Programmatically
To Add users, groups Programmatically,we have BTP standard [SCIM ] API's(https://api.sap.com/api/IdDS_SCIM/tryout)’s to Manage users, groups and custom schemas in the SAP Cloud at Custom IAS Tenant (own Identity tenant ) Services
https://api.sap.com/api/IdDS_SCIM/tryout
https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/ddd067c899f94e2f9...
Thank you for reading! If you enjoyed this post, please consider giving it a ‘'Like' ,'Share' it with your friends and followers, and 'Follow' me for more content like this. Your support means a lot to me!
- SAP Managed Tags:
7 Comments
