Skip to Content
Technical Articles
Author's profile photo Showkath Ali Naseem

SAP BTP Security Automation Using Authorization REST API and SAP Cloud SDK to manage XSUAA service instances, roles, templates, and collections Programmatically

Recently I have got chance to work on BTP cloud security below use-case in a cloud application


1) Display BTP Role Collection in UI Picker :Show all role collections, roles ,which exist within the current sub  account created for specific XSUAA APP Programmatically
2) Validate whether role collection exist at BTP sub account
3) Show Users :Get users to whom the role collections are assigned


To accomplish this kind of use case  i would like to recommend to refer below official guide.

Authorization  REST API



Why SAP Cloud SDK

In general you can use axios promise-based HTTP Client to send asynchronous HTTP requests to Any REST endpoints and perform CRUD operations.With this Classic approach you need to write lot of code  i.e Making BTP Platform HTTP requests with Axios , NodejS

const axios = require('axios')
const xssec = require('@sap/xssec')


But if you use SAP Cloud SDK then consumption of any Open API, OData API, REST API is easy like BTP Platform API (Exmple : Workflow API’s , Auth API, SCIM API… ) , S/4 HANA API’s,  … etc i.e it makes your life easier

Advantages of SAP Cloud SDK

  • You’ll benefit from less code boilerplate and better developer experience.
  • You will get typesafe client auto generated classes which avoids lot of code i.e you no need to write  DTO, Request,Response ,JSON Models.
  • It will hide complexity in connecting to any Remote Service i.e take care of Authentication,CSRF , ETag tokens handling ,automated management of HTTP Headers and much more.You can read more about SAP Cloud SDK in below blog post

In this BlogPost  i am using Authorization  REST API

You can further extend SAP BTP Security Automation Scenarios Using  Authorization  REST API  SAP Cloud SDK: to manage Application Security artifacts & to administrate the Authorization and Trust Management service (XSUAA) of SAP BTP, Cloud Foundry environment.
You can manage service instances of the Authorization and Trust Management service. You can also manage roles, role templates, and role collections of your subaccount.


First , Lets understand how to Use BTP  Authorization  REST API

Screenshot :   Few Role Collections available at my BTP Trail Sub Account created for Demo Cloud Application


BTP Setup

To get BTP Role Collections of BTP  XSUAA ,for this kind use case’s.

  1. First ,we need to create another XSUAA instances to get security artifacts as shown below This one only needs to be created with service plan “apiaccess” as shown below.
  2.  Then Create Service Key of other XSUAA Instance of type “apiaccess” & Use Client ID,Client Secret,Access Token URL



Scenario1 : Get Role Collections from BTP Sub Account

For Blog Simplicity ,just to test i will try to execute API’s from REST Client/Postman as shown below.

BTP Auth “RoleCollectionsApi” to Returns all role collections, which exist within the current  BTP subaccount as shown in above screenshot.

Here you can also further filter by XSUAA APP. Please refer Authorization  REST API

Scenario 2: Get User References for given Role Collection

May be Application Admin needs to view which are the users that have a specific application role/all scopes of user , role collections , without navigating to BTP sub-account (sub-accoubt view rights needed to view sub-account details).

If you have requirement to get users to whom the role collections are assigned this is also possible.



Installation Instruction’s : Usage of SAP Cloud SDK

Now If you would like to proceed programmatically then use @sap-cloud-sdk/openapi-generator dependency . Installation Instruction’s  are explained in below official guide

    Refer Installation

Once setup completed you can refer Example Source Code.

BTP Auth “RoleCollectionsApi” to returns all role collections, which exist within the current  BTP  sub account or you can also further filter response by using other api’s like by specific application ID or returns information about a role collection identified by the name of the role collection

const authapi = require("../src/generated/AuthorizationAPI");
const authapp = authapi.RolesApi.getRolesByAppId("xsuaa-app-id");
const request = authapi.RoleCollectionsApi;
const roleCollections = request.getRoleCollections();


roleCollections.execute({ destinationName: 'int_subaccountname_xsuaaname' });



Scenario 3: How to Get User & Permissions assigned on BTP Sub Account

If you navigate to BTP Sub-Account –>  Choose Users –> Under “Security” as shown below, you can view users & associated roles assigned to user in BTP Cockpit.

Below is screenshot from my BTP trail account

Rest API to Get Users & assigned Roles/Permissions on BTP Sub-Account

if you would like Get this user details programatically then you can use below Rest API similar to how i explained above “How to Use BTP XSUAA Authorization  REST API” .

May be Application admin needs to view  users that have a specific application role/all scopes, role collections assigned.

For example to Get all users from BTP Sub-Account, you can try below API


You can also filter response by sending query parameters like userName, emails.. etc


Scenario 4: Manage User Assignment to BTP XSUAA Role Collection Programmatically

To Add users, groups Programmatically,we have BTP standard [SCIM ] API’s(’s to Manage users, groups and custom schemas in the SAP Cloud at Custom IAS Tenant (own Identity tenant ) Services



Thank you for reading this blog post.Hope this will be beneficial for you !

If you find this material useful, please leave your feedback in the comments section below.

Feel free to also ‘Like’ ,‘Share’ , ‘Follow’ me to get new updates.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Junjie Tang
      Junjie Tang

      Thank you for the awesome job, Showkath Ali.

      Just want to share another detailed blog post, about consuming the "Authorization API". (Please don't get me wrong, this is also a great blog post that is very helpful).

      Simply compare the amount of application code.

      With the help of the SAP Cloud SDK, you benefit from the SDK features:

      • Type safe client of the "Authorization API"
      • JWT handling
      • BTP destination service abstraction
      • URL building
      • Auth headers building

      Just delegate them to the SDK, and you can focus on your own unique business.

      Author's profile photo Showkath Ali Naseem
      Showkath Ali Naseem
      Blog Post Author

      Thanks Junjie Tang