Business Scenario
Before deploying to your production SAP BTP environment, you want to ensure that only permitted users can access your app to view and edit data. Therefore, you will first add authorizations to your CAP service and then add two mock users so that you can test the restrictions locally.
Exercise Options
You can perform this exercise in two ways:
- Live Environment – using the instructions provided below, you can perform the tasks in the SAP BTP Free Tier account
- Platform Simulation – follow the step-by-step instructions within the simulation
Live Environment
In this exercise, you will perform the following steps:
- Implement authorization support - roles and restrictions - for an application
- Add local users to test the authorization implementation
- Access the Risk Application with a User and Password
Prerequisite
Make sure that you have successfully deployed your application manually.
Steps
Add CAP Role Restrictions to Entities.
In this step, you will add authorizations to the Risks service. You will add two different roles, RiskManager and RiskViewer, with different access scopes.
Open the file srv/risk-service.cds. Change the code as shown below and add the restrictions (the @(...) block) to your Risks and Mitigations entities. You have to delete code (anything between //### BEGIN OF DELETE and //### END OF DELETE) and add code (anything between //### BEGIN OF INSERT and //### END OF INSERT).

    using {riskmanagement as rm} from '../db/schema';

    /**
     * For serving end users
     */
    service RiskService @(path : 'service/risk') {
      //### BEGIN OF DELETE
      entity Risks as projection on rm.Risks;
      //### END OF DELETE
      //### BEGIN OF INSERT
      entity Risks @(restrict : [
        {
          grant : [ 'READ' ],
          to    : [ 'RiskViewer' ]
        },
        {
          grant : [ '*' ],
          to    : [ 'RiskManager' ]
        }
      ]) as projection on rm.Risks;
      //### END OF INSERT
      annotate Risks with @odata.draft.enabled;

      //### BEGIN OF DELETE
      entity Mitigations as projection on rm.Mitigations;
      //### END OF DELETE
      //### BEGIN OF INSERT
      entity Mitigations @(restrict : [
        {
          grant : [ 'READ' ],
          to    : [ 'RiskViewer' ]
        },
        {
          grant : [ '*' ],
          to    : [ 'RiskManager' ]
        }
      ]) as projection on rm.Mitigations;
      //### END OF INSERT
      annotate Mitigations with @odata.draft.enabled;

      @readonly
      entity BusinessPartners as projection on rm.BusinessPartners;
    }
Save the file.
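To see what the annotation you just added actually decides, here is an added example that is not part of this tutorial or of the CAP framework: a small JavaScript model of the documented @restrict semantics ('*' matches every event, 'WRITE' is CAP's shorthand for the modifying events, 'any' and 'authenticated-user' are pseudo-roles, and a missing `to` means 'any'). The user objects, the `nobody` user and the `accessMatrix` helper are constructed for the example; run it with Node.js.

```javascript
// Added example: a model of how CAP evaluates the @restrict annotation
// from srv/risk-service.cds. This is not CAP's own code; it reproduces
// the documented semantics so you can reason about who may do what
// before starting the server.

// The restriction exactly as annotated on Risks and Mitigations above.
const RISKS_RESTRICT = [
  { grant: ['READ'], to: ['RiskViewer'] },
  { grant: ['*'],    to: ['RiskManager'] },
];

// CAP's shorthand 'WRITE' covers these events.
const WRITE_EVENTS = new Set(['CREATE', 'UPDATE', 'DELETE', 'UPSERT']);

function grantMatches(granted, event) {
  if (granted === '*') return true;
  if (granted === 'WRITE') return WRITE_EVENTS.has(event);
  return granted === event;
}

// A user is { id, roles: [...] }; id 'anonymous' marks an unauthenticated request.
function roleMatches(required, user) {
  if (required === 'any') return true;
  if (required === 'authenticated-user') return user.id !== 'anonymous';
  return (user.roles || []).includes(required);
}

const asList = v => (Array.isArray(v) ? v : [v]);

// True when at least one restriction entry grants `event` to one of the
// user's roles. With no restriction at all, the entity is not protected by
// this check (the BusinessPartners entity above is in that situation).
function isGranted(restrict, user, event) {
  if (!restrict || restrict.length === 0) return true;
  return restrict.some(rule =>
    asList(rule.grant).some(g => grantMatches(g, event)) &&
    asList(rule.to === undefined ? 'any' : rule.to).some(r => roleMatches(r, user)));
}

// Access matrix for a set of users and events: a quick sanity check of
// the annotation before you rely on it.
function accessMatrix(restrict, users, events) {
  const matrix = {};
  for (const user of users) {
    matrix[user.id] = {};
    for (const ev of events) matrix[user.id][ev] = isGranted(restrict, user, ev);
  }
  return matrix;
}

// Constructed users: the two mock users of this tutorial plus an
// authenticated user that holds no role at all.
const USERS = [
  { id: 'riskviewer',  roles: ['RiskViewer'] },
  { id: 'riskmanager', roles: ['RiskManager'] },
  { id: 'nobody',      roles: [] },
];

console.table(accessMatrix(RISKS_RESTRICT, USERS, ['READ', 'CREATE', 'UPDATE', 'DELETE']));
```

The matrix makes the gap visible that the annotation leaves on purpose: a user without either role gets nothing on Risks and Mitigations, while the viewer gets exactly READ. Check it against the CAP documentation before using any of the shorthand forms in your own model.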
With this change, users who are assigned the role RiskViewer can view ("READ") risks and mitigations. Users who are assigned the role RiskManager can view and change risks and mitigations ("*" grants every event, including CREATE, UPDATE and DELETE). A user who holds neither role is rejected for both entities. The BusinessPartners entity keeps only @readonly and no @restrict, so it remains readable by every user who reaches the service, regardless of role.
Add Users for Local Testing.
Since the authorization checks have been added to the CAP model, they apply not only when deployed to the cloud but also for local testing. Therefore, you will need a way to log in to the application locally.
CAP allows you to add local users for testing as part of the cds configuration. In this tutorial, we use the .cdsrc.json file to add the users. The .cdsrc.json file can be used to store project configurations, like the package.json file (see the CAP documentation on project configuration).
In the project, go to the file .cdsrc.json and open it for editing.
In the editor, replace its content with the following lines:

    {
      "[development]": {
        "auth": {
          "passport": {
            "strategy": "mock",
            "users": {
              "risk.viewer@tester.sap.com": {
                "password": "initial",
                "ID": "riskviewer",
                "userAttributes": {
                  "email": "risk.viewer@tester.sap.com"
                },
                "roles": ["RiskViewer"]
              },
              "risk.manager@tester.sap.com": {
                "password": "initial",
                "ID": "riskmanager",
                "userAttributes": {
                  "email": "risk.manager@tester.sap.com"
                },
                "roles": ["RiskManager"]
              }
            }
          }
        }
      }
    }
Save the file.
The file defines two users, riskviewer and riskmanager. Let's take a look at the riskmanager example. The user is defined by an ID, which can be any identifier for a user. The user has an email, a password parameter, and a roles parameter. The whole block sits under the "[development]" profile, so these mock users and their well-known password exist only for local development and are not part of the configuration used in the cloud.
Access the Risk Application with a User and Password.
When accessing the Risks or the Mitigations service in the browser, you get an HTTP Basic authentication prompt asking for your user and password. You can use both users that you defined in the previous step to log in and see how this works.
In the tab with the running application, navigate back to the launch page, and press refresh in the browser.
Choose the Risks tile and in the app press Go.
In the pop-up, enter the Username riskmanager.
Enter the Password initial.
You can now access the Risks application.
Caveat
There's no log out functionality yet. The browser caches the Basic authentication credentials and re-sends them with every request. To clear them, you can either clear the browser cache or simply close all browser windows.
Platform Simulation
Click on the Start button below to open a simulation of the platform. Then follow the step-by-step instructions to add authorizations and mock users.
Result
You enabled mock authentication using passport.js, configured in .cdsrc.json for the development profile. You also added roles and restrictions to control access to your application. In the next lesson, you will set up SAP Authorization and Trust Management.