Configuring Authorization and Trust Management for Production

Objectives
After completing this lesson, you will be able to:

  • Add the UI and approuter module to the MTA

Configure XSUAA for Production

Business Scenario

On the SAP BTP, you will assign role collections to users in order to grant them access to certain applications and services.

Exercise Options

You can perform this exercise in two ways:

  1. Live Environment – using the instructions provided below, you can perform the tasks in the SAP BTP Free Tier account.
  2. Platform Simulation – follow the step-by-step instructions within the simulation.
Note

We strongly recommend performing the exercise in the live environment first.

Live Environment

In this exercise, you will perform the following steps:

  1. Define role collections in the mta.yaml file.
  2. Re-build and re-deploy the .mtar file.

Prerequisites

Make sure that you have already set up an approuter.

The mta.yaml file that was generated earlier already contains everything that is needed from the CAP side:

  • The service and the approuter
  • The database deployer
  • The dependencies on the XSUAA and SAP HANA Cloud services

Steps

  1. Update the XSUAA service configuration.

    1. Recompile your service definition.

      Code snippet
      cds compile srv/ --to xsuaa > xs-security.json

      This will update the xs-security.json file:
      Code snippet

      {
        "scopes": [
          {
            "name": "$XSAPPNAME.RiskViewer",
            "description": "RiskViewer"
          },
          {
            "name": "$XSAPPNAME.RiskManager",
            "description": "RiskManager"
          }
        ],
        "attributes": [],
        "role-templates": [
          {
            "name": "RiskViewer",
            "description": "generated",
            "scope-references": [
              "$XSAPPNAME.RiskViewer"
            ],
            "attribute-references": []
          },
          {
            "name": "RiskManager",
            "description": "generated",
            "scope-references": [
              "$XSAPPNAME.RiskManager"
            ],
            "attribute-references": []
          }
        ]
      }

      This only defines the role templates and their scopes. Currently, there are no role collections defined.

      Note
      We put the definition of the role collections into the mta.yaml file, not into xs-security.json, so that they are not lost the next time xs-security.json is regenerated with cds compile.

    2. Define the role collections in the mta.yaml file in the resource definition of the risk-management-uaa instance. Role collections are subaccount-wide objects, so the names are suffixed with ${space} to keep them unique when the application is deployed into more than one space of the same subaccount.

      Code snippet
      
      role-collections:
      - name: 'RiskManager-${space}'
        description: Manage Risks
        role-template-references:
        - $XSAPPNAME.RiskManager
      - name: 'RiskViewer-${space}'
        description: View Risks
        role-template-references:
        - $XSAPPNAME.RiskViewer
      The entire definition should look like the following:
      Code snippet
      
      resources:
        - name: risk-management-uaa
          type: org.cloudfoundry.managed-service
          parameters:
            service: xsuaa
            service-plan: application
            path: ./xs-security.json
            config:
              xsappname: risk-management-${org}-${space}
              tenant-mode: dedicated
              role-collections:
              - name: 'RiskManager-${space}'
                description: Manage Risks
                role-template-references:
                - $XSAPPNAME.RiskManager
              - name: 'RiskViewer-${space}'
                description: View Risks
                role-template-references:
                - $XSAPPNAME.RiskViewer
      
      Note

      You also have to add the oauth2 configuration; it is required.

      For more information, see SAP Note 2864831.
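      Before rebuilding, it is worth checking that the role collections kept in mta.yaml still match the role templates in the regenerated xs-security.json: a renamed role in the CDS model leaves a dangling role-template reference that shows up only when the XSUAA service instance is created during deployment. The following Python script is an added example, not code from this lesson or from the CAP or MTA tooling. It embeds the two listings above as constructed data (in practice you would json.load() xs-security.json and read the resource's config block from mta.yaml with a YAML library such as PyYAML, which is not used here because it is not in the standard library). The oauth2-configuration block with redirect-uris, and the region in the URI pattern, are assumptions about what the oauth2 note above refers to.

```python
"""Pre-deploy consistency check between the generated xs-security.json and the
role collections kept in mta.yaml.

Added example, not part of the SAP lesson or the CAP/MTA tooling. Both inputs
are constructed from the listings in this lesson.
"""
import json

XSAPPNAME_PREFIX = "$XSAPPNAME."

# Constructed: the xs-security.json produced by `cds compile srv/ --to xsuaa`.
XS_SECURITY = json.loads("""
{
  "scopes": [
    {"name": "$XSAPPNAME.RiskViewer", "description": "RiskViewer"},
    {"name": "$XSAPPNAME.RiskManager", "description": "RiskManager"}
  ],
  "attributes": [],
  "role-templates": [
    {"name": "RiskViewer", "description": "generated",
     "scope-references": ["$XSAPPNAME.RiskViewer"], "attribute-references": []},
    {"name": "RiskManager", "description": "generated",
     "scope-references": ["$XSAPPNAME.RiskManager"], "attribute-references": []}
  ]
}
""")

# Constructed: the `config` block of the risk-management-uaa resource in mta.yaml.
# ASSUMPTION: the oauth2-configuration/redirect-uris block is what the lesson's
# "oauth2 configuration" note refers to; "eu10" is a placeholder region.
MTA_UAA_CONFIG = {
    "xsappname": "risk-management-${org}-${space}",
    "tenant-mode": "dedicated",
    "oauth2-configuration": {
        "redirect-uris": ["https://*.cfapps.eu10.hana.ondemand.com/**"],
    },
    "role-collections": [
        {"name": "RiskManager-${space}", "description": "Manage Risks",
         "role-template-references": ["$XSAPPNAME.RiskManager"]},
        {"name": "RiskViewer-${space}", "description": "View Risks",
         "role-template-references": ["$XSAPPNAME.RiskViewer"]},
    ],
}


def strip_prefix(ref: str) -> str:
    """Role collections reference templates as `$XSAPPNAME.<template>`, while
    templates are declared by bare name, so drop the prefix before comparing."""
    return ref[len(XSAPPNAME_PREFIX):] if ref.startswith(XSAPPNAME_PREFIX) else ref


def check_security_config(xs_security: dict, uaa_config: dict) -> list:
    """Return a list of problems; an empty list means the two files are consistent.

    1. every scope a role template references is declared under "scopes"
    2. every role template a role collection references exists under "role-templates"
    3. role collection names are unique (they are subaccount-wide objects)
    4. an oauth2-configuration with redirect-uris is present
    """
    problems = []
    scopes = {s["name"] for s in xs_security.get("scopes", [])}
    templates = {t["name"] for t in xs_security.get("role-templates", [])}

    for tmpl in xs_security.get("role-templates", []):
        for scope_ref in tmpl.get("scope-references", []):
            if scope_ref not in scopes:
                problems.append(f"role template {tmpl['name']} references undeclared scope {scope_ref}")

    seen = set()
    for rc in uaa_config.get("role-collections", []):
        if rc["name"] in seen:
            problems.append(f"duplicate role collection name {rc['name']}")
        seen.add(rc["name"])
        for tmpl_ref in rc.get("role-template-references", []):
            if strip_prefix(tmpl_ref) not in templates:
                problems.append(f"role collection {rc['name']} references unknown role template {tmpl_ref}")

    if not uaa_config.get("oauth2-configuration", {}).get("redirect-uris"):
        problems.append("oauth2-configuration.redirect-uris is missing (required per the lesson's note)")

    return problems


if __name__ == "__main__":
    report = check_security_config(XS_SECURITY, MTA_UAA_CONFIG)
    for line in report or ["OK: mta.yaml role collections match xs-security.json"]:
        print(line)
```

      Run the check from the project root before mbt build; a non-empty list means mta.yaml (or the CDS role annotations) must be fixed before spending a deploy cycle.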

  2. Re-Build and Re-Deploy the .mtar File.

    1. Make sure you're in the root folder of your project, then build it with the MTA Build Tool (MBT):

      Code snippet
      mbt build -t gen --mtar mta.tar

    2. Deploy your project to SAP BTP:

      Code snippet
      cf deploy gen/mta.tar

      Additional Documentation: How to build an MTA archive from the project sources (see Ref# 1 below).

    3. When the deployment is finished, check the deployment log for a line like:

      Application "risk-management" started and available at "<some_URL>"

      An example is shown in the following screenshot.

      This is the URL of the approuter, which handles all requests to your application.

    4. Copy the URL and open it in a new browser tab. In the background, the approuter authenticates your user and forwards the resulting token, which carries the authorizations assigned to that user, to the service. Open the Risks application tile and try to retrieve data by selecting the Go button.

      As your user does not have the required application roles yet, the request is rejected and the result should look like the following:

Platform Simulation

Click on the Start button below to open a simulation of the platform. Then follow the step-by-step instructions to assign role collections to users.

Result

You have defined the role collections in the mta.yaml file. Next, you will assign the required role collections to your user and check whether your user then gets access to the application data.

Reference Links: Adding the UI and Approuter Module to the MTA

For your convenience, this section contains the external references in this lesson.

If links are used multiple times within the text, only the first location is mentioned in the reference table.

Ref# 1
Section: Re-Build and Re-Deploy the .mtar File
Text: Additional Documentation: How to build an MTA archive from the project sources
Link: Build an MTA archive, https://sap.github.io/cloud-mta-build-tool/usage/#how-to-build-an-mta-archive-from-the-project-sources
