Author: Showkath Ali Naseem

SAP BTP Security Automation Using the Authorization REST API and SAP Cloud SDK to Manage XSUAA Service Instances, Roles, Templates, and Collections Programmatically

Recently I had the chance to work on the following BTP cloud security use cases in a cloud application:

1) Display BTP role collections in a UI picker: show all role collections and roles that exist within the current subaccount and were created for a specific XSUAA application, programmatically.
2) Validate whether a role collection exists in the BTP subaccount.
3) Show users: get the users to whom the role collections are assigned.

To implement this kind of use case, I recommend referring to the following official guides:

Authorization  REST API

SAP Cloud SDK


Why SAP Cloud SDK

In general you can use axios, a promise-based HTTP client, to send asynchronous HTTP requests to any REST endpoint and perform CRUD operations. With this classic approach you have to write a lot of code yourself, i.e. making BTP platform HTTP requests with axios in Node.js:

const axios = require('axios')
const xssec = require('@sap/xssec')


But if you use SAP Cloud SDK, consuming any OpenAPI, OData, or REST API is easy, whether it is a BTP platform API (for example the Workflow API, Authorization API, SCIM API, ...), an S/4HANA API, etc. In short, it makes your life easier.

Advantages of SAP Cloud SDK

  • You benefit from less boilerplate code and a better developer experience.
  • You get type-safe, auto-generated client classes, which avoids a lot of code: you do not need to write DTOs, request/response classes, or JSON models yourself.
  • It hides the complexity of connecting to any remote service, i.e. it takes care of authentication, CSRF and ETag token handling, automated management of HTTP headers, and much more. You can read more about SAP Cloud SDK in the following blog post:

https://blogs.sap.com/2017/05/10/first-steps-with-sap-s4hana-cloud-sdk/

In this blog post I am using the Authorization REST API.

You can further extend SAP BTP security automation scenarios using the Authorization REST API with SAP Cloud SDK to manage application security artifacts and to administer the Authorization and Trust Management service (XSUAA) of SAP BTP, Cloud Foundry environment. You can manage service instances of the Authorization and Trust Management service, as well as the roles, role templates, and role collections of your subaccount.


First, let's understand how to use the BTP Authorization REST API.

Screenshot: a few role collections available in my BTP trial subaccount, created for the demo cloud application.


BTP Setup

To get the role collections of BTP XSUAA for this kind of use case:

  1. First, we need to create another XSUAA instance to obtain the security artifacts, as shown below. This instance only needs to be created with the service plan "apiaccess".
  2. Then create a service key for this additional "apiaccess" XSUAA instance and use its Client ID, Client Secret, and Access Token URL.


Scenario 1: Get Role Collections from the BTP Subaccount

For simplicity in this blog, I will first execute the APIs from a REST client/Postman, as shown below.

The BTP Authorization API "RoleCollectionsApi" returns all role collections that exist within the current BTP subaccount, as shown in the screenshot above.

Here you can also filter further by XSUAA application. Please refer to the Authorization REST API.

Scenario 2: Get User References for a Given Role Collection

An application admin may need to view which users have a specific application role, all scopes of a user, or role collections, without navigating to the BTP subaccount (subaccount view rights are needed to view subaccount details).

If you need to get the users to whom the role collections are assigned, this is also possible.
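The following Node.js code is an added example written for this post; it is not code from the original post, from SAP, or from the SAP Cloud SDK project. It shows the REST flow behind Scenarios 1 and 2 without the SDK: obtain a client-credentials token from the "apiaccess" service key, fetch the role collections, and then implement the three use cases from the introduction (UI picker list, existence check, users of a role collection). The service-key field names clientid, clientsecret and url are the real XSUAA ones; the apiurl field, the /sap/rest/authorization/v2/rolecollections path and the response field names (name, description, roleReferences, userReferences) are assumptions to verify against the Authorization REST API reference. The service key is a privileged credential for the whole subaccount, so the constructed values below are placeholders; in a real application load it from the environment or the credential store and never commit it. The fetch implementation is injected so the example runs offline against constructed responses.

```javascript
// Added example (not from the blog post or SAP): raw REST flow for Scenarios 1 and 2.
// Field names marked "assumed" must be checked against the Authorization REST API reference.

// Constructed "apiaccess" service key with placeholder values. clientid/clientsecret/url
// are real XSUAA service-key fields; apiurl (API host) is assumed.
const serviceKey = {
  clientid: 'sb-apiaccess-client!b123|xsuaa!b456',
  clientsecret: 'constructed-placeholder-secret',
  url: 'https://mysubaccount.authentication.eu10.hana.ondemand.com',
  apiurl: 'https://api.authentication.eu10.hana.ondemand.com',
};

// Step 1: client-credentials grant against <url>/oauth/token, authenticating with
// HTTP Basic (clientid:clientsecret), exactly what Postman does with the service key.
async function fetchAccessToken(key, fetchImpl) {
  const basic = Buffer.from(`${key.clientid}:${key.clientsecret}`).toString('base64');
  const res = await fetchImpl(`${key.url}/oauth/token`, {
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: 'grant_type=client_credentials',
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// Step 2: GET all role collections of the subaccount with the bearer token (path assumed).
async function getRoleCollections(key, token, fetchImpl) {
  const res = await fetchImpl(`${key.apiurl}/sap/rest/authorization/v2/rolecollections`, {
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  });
  if (!res.ok) throw new Error(`rolecollections request failed: HTTP ${res.status}`);
  return res.json();
}

// Use case 1: shape the response for a UI picker (key, text, contained roles).
function toPickerItems(collections) {
  return collections.map((c) => ({
    key: c.name,
    text: c.description || c.name,
    roles: (c.roleReferences || []).map((r) => r.name).sort(),
  }));
}

// Use case 2: validate that a role collection exists (exact, case-sensitive match).
function roleCollectionExists(collections, name) {
  return collections.some((c) => c.name === name);
}

// Use case 3 (Scenario 2): users assigned to a given role collection (userReferences assumed).
function usersOfRoleCollection(collections, name) {
  const rc = collections.find((c) => c.name === name);
  return rc ? (rc.userReferences || []).map((u) => u.userName).sort() : [];
}

// Offline stand-in for fetch: constructed XSUAA responses keyed by "METHOD URL".
// Calls without an Authorization header get 401, which is how a missing token or a
// misconfigured service key shows up against the real service.
function makeStubFetch(key) {
  const routes = {
    [`POST ${key.url}/oauth/token`]: { access_token: 'constructed.jwt.value', token_type: 'bearer', expires_in: 43199 },
    [`GET ${key.apiurl}/sap/rest/authorization/v2/rolecollections`]: [
      { name: 'Demo_Admin', description: 'Demo app administrators',
        roleReferences: [{ name: 'Admin' }, { name: 'Viewer' }],
        userReferences: [{ userName: 'john.doe@sap.com' }] },
      { name: 'Demo_Viewer', description: 'Demo app read-only users',
        roleReferences: [{ name: 'Viewer' }],
        userReferences: [{ userName: 'john.doe@sap.com' }, { userName: 'jane.roe@sap.com' }] },
    ],
  };
  return async (url, opts = {}) => {
    const route = `${opts.method || 'GET'} ${url}`;
    const headers = opts.headers || {};
    if (!headers.Authorization) return { ok: false, status: 401, json: async () => ({}) };
    if (!(route in routes)) return { ok: false, status: 404, json: async () => ({}) };
    return { ok: true, status: 200, json: async () => routes[route] };
  };
}

// End-to-end run of the three use cases; defaults to the offline stub.
async function runScenario(wanted = 'Demo_Admin', fetchImpl = makeStubFetch(serviceKey)) {
  const token = await fetchAccessToken(serviceKey, fetchImpl);
  const collections = await getRoleCollections(serviceKey, token, fetchImpl);
  return {
    picker: toPickerItems(collections),
    exists: roleCollectionExists(collections, wanted),
    users: usersOfRoleCollection(collections, wanted),
  };
}

runScenario().then((r) => console.log(JSON.stringify(r, null, 2)));
```

To run it against a real subaccount, pass the global fetch of Node.js 18+ as fetchImpl and replace the constructed service key with the one from the cockpit; the existence check is deliberately exact, so a picker should never fall back to a case-insensitive or substring match, which would let one role collection be mistaken for another.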


Installation Instructions: Usage of SAP Cloud SDK

If you would like to proceed programmatically, use the @sap-cloud-sdk/openapi-generator dependency. The installation instructions are explained in the official guide: https://api.sap.com/api/AuthorizationAPI/cloud-sdk/JavaScript

Refer to the installation guide: https://sap.github.io/cloud-sdk/docs/js/features/openapi/generate-client

Step 1: Install the dependencies

Run the following commands, or add the dependencies to the package.json file of your Node.js project.

To install the OpenAPI generator as a devDependency, run:

npm install -D @sap-cloud-sdk/openapi-generator

If you would like to install the OpenAPI generator globally, run:

npm install -g @sap-cloud-sdk/openapi-generator

Refer to the following note for more information on transpilation:
https://sap.github.io/cloud-sdk/docs/js/features/openapi/generate-client#transpilation

Then install the OpenAPI runtime package and the Node.js type definitions:

npm install -D @sap-cloud-sdk/openapi
npm install -D @types/node

Step 2: Generate type-safe client code

To generate an OpenAPI client with type-safe, auto-generated classes (saving you from writing DTO, request, response, and JSON models), use the SAP Cloud SDK generator, primarily from the command line. Run the following command from a Windows/Mac terminal, the Visual Studio Code terminal, or the SAP Business Application Studio (BAS) terminal:

npx openapi-generator --input <input> --outputDir <outputDirectory>

The following options are available (see the generator documentation linked above for more information):

-i, --input (required): path to the directory or file containing the OpenAPI service definition(s) to generate clients for. Accepts Swagger and OpenAPI definitions as YAML and JSON files. Throws an error if the path does not exist.
-o, --outputDir (required): path to the directory in which to generate the client(s). Each client is generated into a subdirectory within the given output directory. The directory is created if it does not exist. Subdirectory naming can be customized through --optionsPerService.

SAP Cloud SDK in a CAP Node.js application

If you need to use SAP Cloud SDK in a CAP Node.js application, note the following points:

1) A CAP project uses JavaScript, so you need to specify the transpilation option (-t or --transpile) to generate JavaScript files.

2) It seems that you need to place the output directory within srv/src. Although this was not explicitly stated in the documentation, I found that it worked for any API use case with CAP Node.js.

npx openapi-generator --input resources/service-specs --outputDir srv/src/generated -t

3) If generation of the services fails due to validation, check the service definition for invalid characters using the following regular expression: /[.#@/"'*%]+/g. Then either rename the offending elements or use the --skipValidation option:

npx openapi-generator --input resources/service-specs --outputDir srv/src/generated --skipValidation -t

4) If you want to overwrite previously generated files, add the --overwrite option:

npx openapi-generator --input resources/service-specs --outputDir srv/src/generated --skipValidation -t --overwrite


Once the setup is complete, you can refer to the example source code below.

—————————————————————————————–

Example Source Code

The BTP Authorization API "RoleCollectionsApi" returns all role collections that exist within the current BTP subaccount. You can also filter the response further using the other generated APIs, for example by a specific application ID, or return information about a single role collection identified by its name.

const authapi = require("../src/generated/AuthorizationAPI");

async function readAuthorizationArtifacts() {
  // Destination (maintained in the BTP destination service) that points at the
  // "apiaccess" XSUAA instance; the SDK resolves it and adds the bearer token.
  const destination = { destinationName: 'int_subaccountname_xsuaaname' };

  // Roles of one specific XSUAA application (filter by application ID)
  const roles = await authapi.RolesApi.getRolesByAppId("xsuaa-app-id").execute(destination);

  // All role collections that exist within the current subaccount
  const roleCollections = await authapi.RoleCollectionsApi.getRoleCollections().execute(destination);

  return { roles, roleCollections };
}


Scenario 3: How to Get Users & Permissions Assigned in the BTP Subaccount

If you navigate to BTP Subaccount -> Users (under "Security"), as shown below, you can view the users and the roles assigned to them in the BTP cockpit.

Below is a screenshot from my BTP trial account.

REST API to Get Users & Assigned Roles/Permissions in the BTP Subaccount

If you would like to get these user details programmatically, you can use the REST API below, similar to what I explained above in "How to Use the BTP XSUAA Authorization REST API".

An application admin may need to view which users have a specific application role, all scopes, or role collections assigned.

For example, to get all users of the BTP subaccount, you can call the following API (replace region with the region of your subaccount):

https://api.authentication.region.hana.ondemand.com/Users

You can also filter the response by sending query parameters such as userName, emails, etc.:

https://api.authentication.region.hana.ondemand.com/Users?userName=john.doe@sap.com
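The following Node.js code is an added example written for this post, not code from the original post or from SAP. It calls the /Users endpoint of Scenario 3 for one user and reports the role collections assigned to that user, with the user name URL-encoded so that characters such as @ or & cannot alter the query. It expects a bearer token obtained from the "apiaccess" service key (as in the setup section) and takes an injectable fetch implementation so it runs offline against a constructed user directory. The ListResponse fields Resources and totalResults follow the SCIM standard (RFC 7644); that each user's groups entries carry the role collection name in display, and the region host, are assumptions to verify against the XSUAA SCIM reference.

```javascript
// Added example (not from the blog post or SAP): query /Users for one user and list
// the role collections assigned to them. Region host and "groups" layout are assumed.

const SCIM_BASE = 'https://api.authentication.eu10.hana.ondemand.com'; // constructed region host

// Build the filtered URL. encodeURIComponent stops '@', '&', '#' or quotes in the
// user name from changing the query the server receives.
function buildUserQueryUrl(base, userName) {
  return `${base}/Users?userName=${encodeURIComponent(userName)}`;
}

// Extract the role collections (SCIM groups) of exactly one user from a ListResponse.
// Returns null when the user is absent, so callers can tell "no assignments" ([])
// apart from "user not found".
function assignedRoleCollections(listResponse, userName) {
  const users = Array.isArray(listResponse.Resources) ? listResponse.Resources : [];
  const user = users.find((u) => u.userName === userName);
  if (!user) return null;
  return (user.groups || []).map((g) => g.display).sort();
}

// Call the endpoint. 401/403 are reported separately because they usually mean the
// token is missing, expired, or the service instance lacks the apiaccess plan.
async function lookupUserAssignments(userName, token, fetchImpl = makeScimStub()) {
  const res = await fetchImpl(buildUserQueryUrl(SCIM_BASE, userName), {
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/scim+json' },
  });
  if (res.status === 401 || res.status === 403) {
    throw new Error(`not authorized for /Users (HTTP ${res.status})`);
  }
  if (!res.ok) throw new Error(`/Users request failed: HTTP ${res.status}`);
  return assignedRoleCollections(await res.json(), userName);
}

// Offline stand-in for fetch with a constructed user directory. It honours the
// userName query parameter and rejects calls without a non-empty bearer token.
function makeScimStub() {
  const directory = [
    { id: 'u-1', userName: 'john.doe@sap.com',
      groups: [{ value: 'g-1', display: 'Demo_Admin' }, { value: 'g-2', display: 'Demo_Viewer' }] },
    { id: 'u-2', userName: 'jane.roe@sap.com', groups: [{ value: 'g-2', display: 'Demo_Viewer' }] },
    { id: 'u-3', userName: 'no.roles@sap.com', groups: [] },
  ];
  return async (url, opts = {}) => {
    const auth = (opts.headers || {}).Authorization || '';
    if (!/^Bearer \S+$/.test(auth)) return { ok: false, status: 401, json: async () => ({}) };
    const wanted = new URL(url).searchParams.get('userName');
    const hits = wanted ? directory.filter((u) => u.userName === wanted) : directory;
    const body = {
      schemas: ['urn:ietf:params:scim:api:messages:2.0:ListResponse'],
      totalResults: hits.length,
      Resources: hits,
    };
    return { ok: true, status: 200, json: async () => body };
  };
}

lookupUserAssignments('john.doe@sap.com', 'constructed-token').then((rc) => console.log(rc));
```

The null/empty-array distinction matters for an admin view: an unknown user name and a user with no assignments should not render the same way, and a 401/403 should surface as a configuration problem rather than an empty list.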


Scenario 4: Manage User Assignment to BTP XSUAA Role Collections Programmatically

To add users and groups programmatically, we have the BTP standard SCIM APIs to manage users, groups, and custom schemas in SAP Cloud Identity Services at a custom IAS tenant (your own identity tenant):

https://api.sap.com/api/IdDS_SCIM/tryout

https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/ddd067c899f94e2f9006cc4dd417be80.html


Thank you for reading! If you enjoyed this post, please consider giving it a 'Like', 'Share' it with your friends and followers, and 'Follow' me for more content like this. Your support means a lot to me!


7 Comments
      Junjie Tang

      Thank you for the awesome job, Showkath Ali.

      Just want to share another detailed blog post, about consuming the "Authorization API". (Please don't get me wrong, this is also a great blog post that is very helpful).

      Simply compare the amount of application code.

      With the help of the SAP Cloud SDK, you benefit from the SDK features:

      • Type safe client of the "Authorization API"
      • JWT handling
      • BTP destination service abstraction
      • URL building
      • Auth headers building

      Just delegate them to the SDK, and you can focus on your own unique business.

      Showkath Ali Naseem
      Blog Post Author

      Thanks Junjie Tang

      Mariam Id-Manssour

      Hi Showkath,

      I have tried the same approach to consume the User Management API to create users on BTP using SAP Cloud SDK.

      After following the installation & generation as documented here, using the JSON API specification file downloaded from the API Business Hub, and running the project, I'm getting the following issue.

      Do you have any idea how to overcome this issue?

      Thanks in advance for your support.

      Regards,

      Mariam

      Showkath Ali Naseem
      Blog Post Author

      Hi Mariam Id-Manssour,

      Thank you for attempting the approach mentioned in my blog post. I hope it proves to be helpful in reducing a significant amount of boilerplate code with the assistance of our SAP Cloud SDK.

      Regarding your issue, if you require the use of SAP Cloud SDK in your CAP Node.js application, it seems that you will need to place the outputDir within srv/src. Although this was not explicitly stated in the documentation, I discovered that it worked for your particular use case with CAP Node.js.

      However, note that for Node.js applications, the src path is not necessary. The command provided below worked for me:

      npx openapi-generator --input resources/service-specs --outputDir srv/src/generated --skipValidation -t

      Then in the handler specify the path as below:

      const BTPUserManagementAPI = require("./src/generated/PlatformAPI");

      KR,
      Showkath.
      Junjie Tang

      Thank you Showkath Ali Naseem, again for sharing your experience:)

      Mariam Id-Manssour

      Hi Showkath Ali Naseem,

      Thanks for your response. Effectively, the issue was related to the client generation: as the CAP project uses JavaScript and the generated client is TypeScript, it is not recognized as a JS file.

      By adding the --skipValidation and -t options to the generation command, the files were generated correctly.

      Many thanks for your support and your collaboration to the SAP community with the series of interesting blog posts!

      Best regards,

      Mariam

      Showkath Ali Naseem
      Blog Post Author

      Hi,

      Yes, that's the reason why I included the command with the -t option in my post. I'll also include it in the main blog post to save readers from having to go through the comments. Thank you for taking the time to read my blog post and for your words of encouragement.

      KR,

      Showkath.