Technology Blogs by SAP
TomSchuck

This blog post describes how to configure a read-only user for a running instance of the SAP Cloud Logging service, so that admin rights do not have to be handed out to everyone who only needs to view logs. It can also serve as a starting point for more fine-grained role management.


Prerequisites

Ensure you have created an SAP Cloud Logging service instance and linked it with an Identity Provider (as described in Prerequisites).

Procedure

Authorization management requires changes in both Identity Authentication and the OpenSearch Dashboards UI.

Create a Group and Assign Users in Identity Authentication

To manage permissions, user groups need to be provided by the Identity Provider. Managing user groups and adding users to them can be done via the Identity Authentication admin UI, see also

Assign the read-only Role to Users in OpenSearch

The read-only role is assigned to users via a backend role, which is configured from the OpenSearch Dashboards UI. The procedure below maps the backend role "cloud-logging-read-only" to the OpenSearch roles "readall" and "global_tenant_read_access". These roles are delivered by default with SAP Cloud Logging; custom roles can be created on demand. As a result, every user carrying the backend role "cloud-logging-read-only" automatically obtains the OpenSearch roles needed for read-only access.

  • Log in to OpenSearch Dashboards with admin permissions.
  • Open the Dev Tools from the OpenSearch Dashboards menu.
  • Paste the following into the console:
PUT _opendistro/_security/api/rolesmapping/global_tenant_read_access
{
  "backend_roles": ["cloud-logging-read-only"]
}
PUT _opendistro/_security/api/rolesmapping/readall
{
  "backend_roles": ["cloud-logging-read-only"]
}

The ready-to-use snippet above assumes the backend role is named cloud-logging-read-only. If you chose a different name, change it in both PUT bodies accordingly: "backend_roles": ["change me"]

  • Execute the requests by clicking the triangle symbol; this applies the changes to the OpenSearch security configuration.

The recommended way of mapping roles to users is via backend roles, which correspond directly to what Identity Providers call groups.

Upon sign-in, a user is automatically granted every OpenSearch role whose role mapping lists one of the user's backend roles. Choose a name for your read-only backend role, for example cloud-logging-read-only, and assign it to the users designated for read-only access. For users signing in via an Identity Provider, the user groups (= backend roles) have to be supplied by the Identity Provider; typically you manage user groups and their members directly in the Identity Provider's admin UI.

Verify Setup

Log in as a read-only user who carries the backend role/group configured in the preceding step. Also ensure that this user is not a member of the admin group or of any other group whose permissions could interfere with the check.

To review the assigned roles and backend roles, select the account icon in the top right corner and choose View roles and identities.

You should see at least the following entries in the Roles section:

  • readall
  • global_tenant_read_access

Among others, cloud-logging-read-only should be listed in the Backend roles section.
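The following Python helpers are an added example and not code from the blog post or from SAP. They generate the two role-mapping request bodies from a single backend role name (so the name is changed in one place), can send them to a live instance, and perform the same check as the manual "View roles and identities" step: the expected read-only roles must be present, the backend role must be present, and no additional role that could widen access may be assigned. The values base_url and auth_header, the account endpoint path `_opendistro/_security/api/account`, the tolerated built-in role own_index, and all sample responses are assumptions or constructed data, not taken from a real instance.

```python
"""Helpers for the SAP Cloud Logging read-only role mapping in OpenSearch.
Added example; the blog post itself only shows the two PUT requests."""
import json
import urllib.request
from typing import Dict, Iterable, List

# OpenSearch roles delivered with SAP Cloud Logging that together give read-only access.
READ_ONLY_ROLES = ("readall", "global_tenant_read_access")
SECURITY_API = "_opendistro/_security/api"


def build_role_mappings(backend_role: str) -> Dict[str, dict]:
    """Return the PUT bodies for both rolesmapping resources, keyed by API path."""
    if not backend_role or backend_role != backend_role.strip():
        raise ValueError("backend role name must be non-empty without surrounding whitespace")
    return {
        f"{SECURITY_API}/rolesmapping/{role}": {"backend_roles": [backend_role]}
        for role in READ_ONLY_ROLES
    }


def apply_role_mappings(base_url: str, auth_header: str, backend_role: str) -> List[int]:
    """Send the PUT requests to a live instance (needs network; not exercised offline).
    base_url is assumed to be the OpenSearch endpoint of the Cloud Logging instance and
    auth_header a valid admin Authorization header value."""
    statuses = []
    for path, body in build_role_mappings(backend_role).items():
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/{path}",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "Authorization": auth_header},
            method="PUT",
        )
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


def mapping_grants_backend_role(mapping_response: dict, role: str, backend_role: str) -> bool:
    """Check a GET .../rolesmapping/<role> response: is backend_role listed for role?"""
    return backend_role in mapping_response.get(role, {}).get("backend_roles", [])


def check_read_only_account(account_info: dict, backend_role: str,
                            tolerated_roles: Iterable[str] = ("own_index",)) -> List[str]:
    """Verify what 'View roles and identities' shows for the signed-in user.
    account_info is the JSON of GET .../account (user_name, roles, backend_roles; assumed path).
    Returns findings; an empty list means the user looks read-only."""
    findings = []
    roles = set(account_info.get("roles", []))
    backend_roles = set(account_info.get("backend_roles", []))
    if backend_role not in backend_roles:
        findings.append(f"backend role {backend_role!r} missing")
    for role in READ_ONLY_ROLES:
        if role not in roles:
            findings.append(f"expected read-only role {role!r} not assigned")
    # Any role beyond the read-only set (and the tolerated built-ins) may interfere.
    extra = roles - set(READ_ONLY_ROLES) - set(tolerated_roles)
    if extra:
        findings.append(f"additional roles that may widen access: {sorted(extra)}")
    return findings


# Constructed sample responses (not captured from a real instance).
SAMPLE_MAPPING = {
    "readall": {"reserved": False, "hidden": False, "users": [], "hosts": [],
                "backend_roles": ["cloud-logging-read-only"], "and_backend_roles": []}
}
SAMPLE_READER = {"user_name": "reader@example.com",
                 "roles": ["readall", "global_tenant_read_access", "own_index"],
                 "backend_roles": ["cloud-logging-read-only"]}
SAMPLE_MIXED = {"user_name": "mixed@example.com",
                "roles": ["readall", "global_tenant_read_access", "all_access", "own_index"],
                "backend_roles": ["cloud-logging-read-only", "admin"]}

if __name__ == "__main__":
    for path, body in build_role_mappings("cloud-logging-read-only").items():
        print("PUT", path, json.dumps(body))
    print("reader findings:", check_read_only_account(SAMPLE_READER, "cloud-logging-read-only"))
    print("mixed findings:", check_read_only_account(SAMPLE_MIXED, "cloud-logging-read-only"))
```

Run as a script it prints the two PUT requests and the findings for both constructed accounts; the mixed account is flagged because all_access is assigned alongside the read-only roles, which is exactly the situation the verification step tells you to rule out.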

Result

Users assigned to the group have read-only access to the SAP Cloud Logging service instance: they can view observability data but cannot change the service instance or its data.
If this is not sufficient for your use case, this tutorial serves as a blueprint for more refined role management.