Developing with SAP Extension Suite

Describing Authorization and Trust Management

Objectives
After completing this lesson, you will be able to:

After completing this lesson, you will be able to:

  • Describe the SAP Authorization and Trust Management Service

SAP Authorization and Trust Management Service

Usage Scenario

Your company is developing a set of applications on the SAP Business Technology Platform, Cloud Foundry environment. As the applications are running in the cloud, you want to protect them from unauthorized access. The SAP Authorization and Trust Management service in conjunction with the Extended Services - User Account and Authentication (XSUAA) service provide all the required features.

Manage User Authorizations

The SAP Authorization and Trust Management service lets you manage user authorizations and trust to identity providers. Identity providers are the user base for applications. You can use an identity authentication tenant, an SAP on-premise system, or a custom corporate identity provider. User authorizations are managed using technical roles at the application level, which can be aggregated into business-level groups and role collections for large-scale cloud scenarios.

Platform Users versus Business Users

Extended Services - User Account and Authentication (XSUAA) service

The Extended Services - User Account and Authentication (XSUAA) service is one of the most important components to deal with when developing your own applications on Cloud Foundry. It authenticates and authorizes your users and assigns the right principals to your user’s session so your application can:

  • Identify the user by Email, UserId, First and Lastname.
  • Check its roles (scopes) to decide if a user is allowed to do something or prohibit its action.

The XSUAA is an internal development of SAP. SAP took the base of the open source UAA OAuth2 Provider of Cloud Foundry and extended it with SAP specific features to be used in SAP applications. One important thing is that the XSUAA does NOT store "real" users. This is why the XSUAA needs to trust an external Identity Provider (IdP).

Note
This graphic only applies to SAP Business Technology Platform cloud management tools Feature Set B. Check out User and Member Management in the SAP Help Portal pages to better understand the differences between Feature Set A and Feature Set B in regard to user management.

In Feature Set B, your SAP BTP global account has its own XSUAA tenant. This XSUAA tenant by default has a trust relationship to the SAP ID Service. The SAP ID Service manages a large base of users, that have created a user account with SAP. You can add users, that exist in the SAP ID Service, as members to your global and subaccount. In order for these users to be able to perform administrative tasks, they need to be assigned with corresponding role-collections. There is a set of default platform role-collections, like Global Account Administrator, Global Account Viewer, Subaccount Administrator, or Cloud Connector Administrator that you can use for the purpose of assigning SAP BTP account management authorizations. See this SAP Help Portal page for further information on the default role collections for account management.

Contrary to the platform users from the SAP ID Service, your business users can also be provided via your own corporate identity provider. These are the users you want to provide access to your business applications. These might be SaaS applications provided by SAP, like SAP Business Application Studio or SAP Workflow Management, or your own applications that you develop on the SAP BTP. The business applications have their own role-collections, like -for example- Business_Application_Studio_Developer, WorkflowManagementAdmin, or any custom role-collection that you create for your application.

It is planned by the end of 2021 to also support corporate identity providers for platform users.

The following sections shed a bit more light on the terms role-collection, role, and scope, and their relationship to each other.

Role-Collections, Roles, and Scopes

How Does it Work in Practice?

The following section is a short summary of the official help page.

Watch this video to know more about scope, role-collections, and roles. In the video you can see three different personas. One is the developer working within a project and space. The other is an admin taking care of the CF account as a security admin.

What is xs-security.json?

To simplify things, let’s just call the xs-security.json the "declaration of your app’s security". The following xs-security.json is an excerpt of the risk-management application being built in the SAP Extension Suite fundamentals course.

Code snippet

{
   "xsappname": "risk-management",
   "tenant-mode": "dedicated",
   "scopes": [
     {
       "name": "$XSAPPNAME.RiskViewer",
       "description": "RiskViewer"
     },
     {
       "name": "$XSAPPNAME.RiskManager",
       "description": "RiskManager"
     }
   ],
   "attributes": [],
   "role-templates": [
     {
       "name": "RiskViewer",
       "description": "generated",
       "scope-references": [
         "$XSAPPNAME.RiskViewer"
       ],
       "attribute-references": []
     },
     {
       "name": "RiskManager",
       "description": "generated",
       "scope-references": [
         "$XSAPPNAME.RiskManager"
        ],
       "attribute-references": []
     }
   ]
 }
Copy code

You have to tell the XSUAA service how to call your application (xsappname) and further define your scopes and role-templates. The scopes are being used within the application to check concrete permissions whenever a user tries to perform a certain action.

Summary

You have now gained an overview over the SAP Authorization and Trust Management service, the relevance of the Extended Services - User Account and Authentication (XSUAA) service and the basic concepts of user management and role-collection assignment. You know what the xs-security.json application security descriptor file is used for and how it relates to scopes, roles, and the XSUAA service. You also know where to look for additional information.

Further Reading

Save progress to your learning plan by logging in or creating an account