Developing with SAP Extension Suite

Setting Up SAP Authorization and Trust Management

Objectives
After completing this lesson, you will be able to:

  • Set Up SAP Authorization and Trust Management

Set Up SAP Authorization and Trust Management

Scenario

You will set up SAP Authorization and Trust Management [1] to secure your application.

Task Flow

In this exercise, you will perform the following tasks:

  • Enable authentication support.
  • Add XS advanced User Account and Authentication (XSUAA) security configuration.
  • Modify authorization settings in an MTA.yaml file.

Prerequisite

You have added restrictions and roles to your application.

Watching the Simulation and/or Performing the Steps

Note
In this exercise you find a simulation and a list of all the steps displayed in the simulation. Performing the steps below allows you to follow the simulation in your own trial account.

Exercise

Set Up SAP Authorization and Trust Management

Task 1: Enable Authentication Support

Steps

  1. Enable Authentication Support.

    To enable authentication support in CAP for SAP BTP, the @sap/xssec and @sap/xsenv modules need to be installed.

    1. Open a new terminal in BAS (Terminal > New Terminal).

    2. In the terminal, run the following command to install both modules and automatically add them as dependencies to the package.json file of your project:

       npm i --save @sap/xssec @sap/xsenv

Task 2: Add Roles and Scopes

Steps

  1. Add roles and scopes.

    In the SAP BTP, Cloud Foundry environment, a single authorization is called a scope. For example, there could be a scope "Read" and a scope "Write" that allow users to read or write a certain business object, respectively. Scopes cannot be assigned to users directly; they are packaged into roles. For example, the role "Editor" could have the "Read" and "Write" scopes, while the role "Viewer" could have the "Read" scope only.

    However, CAP recommends using roles only, with a one-to-one mapping between roles and scopes. In Lesson 1 of this unit, Defining Restrictions and Roles in CDS, we defined two roles.

    1. If not already done, read this lesson.

Task 3: Set Up Application Security with XSUAA Security Configuration

Steps

  1. Set Up Application Security with XSUAA Security Configuration.

    First you need to configure the XSUAA service [2]. Create the file xs-security.json in your RiskManagement project by executing the following in a terminal in BAS:

    cds compile srv --to xsuaa >xs-security.json

    The generated file contains the configuration of the XSUAA. Behind the scenes, CAP has taken the authorization parts @(restrict ... ) from your service definition and created scopes and role templates from it.

    For example, it found the roles RiskViewer and RiskManager in the srv/risk-service.cds file:

    entity Risks @(restrict : [
      {
        grant : ['READ'],
        to : ['RiskViewer']
      },
      {
        grant : ['*'],
        to : ['RiskManager']
      }
    ]) as projection on rm.Risks;

    Then it created scopes and roles for both in the xs-security.json file in your project:

    {
      "xsappname": "risk-management",
      "tenant-mode": "dedicated",
      "scopes": [
        {
          "name": "$XSAPPNAME.RiskViewer",
          "description": "RiskViewer"
        },
        {
          "name": "$XSAPPNAME.RiskManager",
          "description": "RiskManager"
        }
      ],
      "attributes": [],
      "role-templates": [
        {
          "name": "RiskViewer",
          "description": "generated",
          "scope-references": ["$XSAPPNAME.RiskViewer"],
          "attribute-references": []
        },
        {
          "name": "RiskManager",
          "description": "generated",
          "scope-references": ["$XSAPPNAME.RiskManager"],
          "attribute-references": []
        }
      ]
    }
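    The following JavaScript is an added illustration of how the pieces above fit together at runtime; it is not CAP's own code (CAP does this through @sap/xssec). XSUAA issues scopes in the access token as "<xsappname>.<scope>", where $XSAPPNAME from xs-security.json has been replaced by the xsappname the service instance was created with. The functions below map such token scopes back to the generated role templates (the one-to-one role/scope mapping from Task 2) and then evaluate the @restrict grants of the Risks entity. The scope lists and the xsappname 'risk-management-dev' are constructed for the example.

```javascript
// Added illustration (not CAP's or SAP's code): token scopes -> roles -> @restrict check.

// Constructed copy of the generated xs-security.json from this lesson (scopes and role templates only).
const xsSecurity = {
  xsappname: "risk-management",
  scopes: [
    { name: "$XSAPPNAME.RiskViewer", description: "RiskViewer" },
    { name: "$XSAPPNAME.RiskManager", description: "RiskManager" },
  ],
  "role-templates": [
    { name: "RiskViewer", "scope-references": ["$XSAPPNAME.RiskViewer"] },
    { name: "RiskManager", "scope-references": ["$XSAPPNAME.RiskManager"] },
  ],
};

// The @restrict annotation of the Risks entity, written as plain data.
const risksRestrict = [
  { grant: ["READ"], to: ["RiskViewer"] },
  { grant: ["*"], to: ["RiskManager"] },
];

// $XSAPPNAME is replaced with the xsappname of the deployed service instance.
function resolveScope(scopeRef, xsappname) {
  return scopeRef.replace("$XSAPPNAME", xsappname);
}

// A role template is granted when every scope it references is present in the token.
function rolesFromScopes(tokenScopes, xsappname, config = xsSecurity) {
  const held = new Set(tokenScopes);
  return config["role-templates"]
    .filter((rt) => rt["scope-references"].every((ref) => held.has(resolveScope(ref, xsappname))))
    .map((rt) => rt.name);
}

// An event is allowed when some rule lists it (or '*') and the user holds a role named in 'to'.
function isAllowed(restrict, roles, event) {
  return restrict.some(
    (rule) =>
      (rule.grant.includes("*") || rule.grant.includes(event)) &&
      rule.to.some((role) => roles.includes(role)),
  );
}

// Decide directly from the token's scopes for the Risks entity.
function canAccess(tokenScopes, xsappname, event) {
  return isAllowed(risksRestrict, rolesFromScopes(tokenScopes, xsappname), event);
}

// Constructed "scope" claims as a token for the 'dev' space deployment would carry them.
const APP = "risk-management-dev";
const viewerToken = ["risk-management-dev.RiskViewer", "openid"];
const managerToken = ["risk-management-dev.RiskManager", "openid"];
const otherSpaceToken = ["risk-management-prod.RiskManager", "openid"];

console.log(canAccess(viewerToken, APP, "READ"));     // true
console.log(canAccess(viewerToken, APP, "UPDATE"));   // false: RiskViewer is only granted READ
console.log(canAccess(managerToken, APP, "DELETE"));  // true: '*' covers every event
console.log(canAccess(otherSpaceToken, APP, "READ")); // false: scope belongs to another xsappname, no role derived
```

    The last call shows why the xsappname matters: a scope minted for a different xsappname (here the 'prod' deployment) carries a different prefix, so it yields no role for the 'dev' deployment even though the suffix reads RiskManager.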

Task 4: Adjust Authorization and Trust Management Service (XSUAA) in MTA

Steps

  1. Adjust Authorization and Trust Management Service (XSUAA) in MTA.

    The next step is to adjust the configuration of the Authorization and Trust Management Service in the mta.yaml to allow user login, authorization, and authentication checks.

    1. In your mta.yaml file, change the following:

      _schema-version: '3.1'
      ...
      resources:
        ...
        # ------------------------------------------------------------
        - name: risk-management-xsuaa
        # ------------------------------------------------------------
          type: org.cloudfoundry.managed-service
          parameters:
            service: xsuaa
            service-plan: application
            path: ./xs-security.json
            # ### BEGIN OF INSERT
            config:
              xsappname: 'risk-management-${space}'
              role-collections:
                - name: 'RiskManager-${space}'
                  description: Manage Risks
                  role-template-references:
                    - $XSAPPNAME.RiskManager
                - name: 'RiskViewer-${space}'
                  description: View Risks
                  role-template-references:
                    - $XSAPPNAME.RiskViewer
            # ### END OF INSERT
    2. Save the file.

      The configuration for XSUAA is read from the xs-security.json file that was updated in the previous step.

      However, in the config element of the YAML file, values can be added and overwritten.

      The value xsappname gets overwritten with a Cloud Foundry space-dependent value ${space}. The name has to be unique within an SAP BTP subaccount.

      This allows multiple deployments of this application in different spaces of the same subaccount. This is useful when different members of a team want to try out the application and don't want to create a new subaccount for each team member.

      For a productive application, the xsappname should be explicitly set to the desired value.

      Further, you can add role collections using the xs-security.json file. Since role collection names, like the xsappname, need to be unique within a subaccount, you can add them here and use the ${space} variable to make them unique in the same way as the xsappname.

      Alternatively, role collections [3] can be manually added in the SAP BTP cockpit.
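      Because the config element overrides and extends xs-security.json, a dangling reference (a role collection pointing at a role template that does not exist, or a role template pointing at an undefined scope) only surfaces at deployment time. The following Node.js check is an added example, not SAP or CAP tooling: it merges the config block over xs-security.json the way the text describes, substitutes ${space}, and verifies that every reference resolves. The two configuration objects are constructed from this lesson's snippets (the mta.yaml part is shown as parsed YAML), and the space name 'dev' is an assumption.

```javascript
// Added example (not SAP's or CAP's tooling): pre-deployment consistency check
// for the merged XSUAA configuration (xs-security.json + mta.yaml 'config').

// Constructed: the relevant parts of xs-security.json from this lesson.
const baseConfig = {
  xsappname: "risk-management",
  "tenant-mode": "dedicated",
  scopes: [
    { name: "$XSAPPNAME.RiskViewer", description: "RiskViewer" },
    { name: "$XSAPPNAME.RiskManager", description: "RiskManager" },
  ],
  "role-templates": [
    { name: "RiskViewer", "scope-references": ["$XSAPPNAME.RiskViewer"] },
    { name: "RiskManager", "scope-references": ["$XSAPPNAME.RiskManager"] },
  ],
};

// Constructed: the 'config' element of the mta.yaml resource, as parsed YAML.
const mtaConfig = {
  xsappname: "risk-management-${space}",
  "role-collections": [
    { name: "RiskManager-${space}", description: "Manage Risks",
      "role-template-references": ["$XSAPPNAME.RiskManager"] },
    { name: "RiskViewer-${space}", description: "View Risks",
      "role-template-references": ["$XSAPPNAME.RiskViewer"] },
  ],
};

// Replace the literal ${space} placeholder in every string of a JSON-like value.
function substituteSpace(value, space) {
  if (typeof value === "string") return value.split("${space}").join(space);
  if (Array.isArray(value)) return value.map((v) => substituteSpace(v, space));
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, substituteSpace(v, space)]));
  }
  return value;
}

// Top-level keys of 'config' are added to, or overwrite, those of xs-security.json.
function mergeXsuaaConfig(base, config, space) {
  return substituteSpace({ ...base, ...config }, space);
}

// Returns a list of findings; an empty list means every reference resolves.
function validateXsuaaConfig(cfg) {
  const findings = [];
  const app = cfg.xsappname;
  if (!app || app.includes("${")) findings.push("xsappname is missing or unresolved");
  const resolve = (ref) => ref.replace("$XSAPPNAME", app);
  const scopeNames = new Set((cfg.scopes || []).map((s) => resolve(s.name)));
  for (const s of cfg.scopes || []) {
    if (!s.name.startsWith("$XSAPPNAME.")) findings.push(`scope ${s.name} is not prefixed with $XSAPPNAME.`);
  }
  const templateNames = new Set();
  for (const rt of cfg["role-templates"] || []) {
    templateNames.add(`${app}.${rt.name}`);
    for (const ref of rt["scope-references"] || []) {
      if (!scopeNames.has(resolve(ref))) findings.push(`role template ${rt.name} references unknown scope ${ref}`);
    }
  }
  const seen = new Set();
  for (const rc of cfg["role-collections"] || []) {
    if (seen.has(rc.name)) findings.push(`duplicate role collection name ${rc.name}`);
    seen.add(rc.name);
    for (const ref of rc["role-template-references"] || []) {
      if (!templateNames.has(resolve(ref))) findings.push(`role collection ${rc.name} references unknown role template ${ref}`);
    }
  }
  return findings;
}

// The lesson's configuration for the 'dev' space is consistent.
const merged = mergeXsuaaConfig(baseConfig, mtaConfig, "dev");
console.log(merged.xsappname);             // risk-management-dev
console.log(validateXsuaaConfig(merged));  // []

// A constructed typo in a role-template reference is caught before deployment.
const broken = mergeXsuaaConfig(baseConfig, {
  ...mtaConfig,
  "role-collections": [{ name: "RiskAdmin-${space}", "role-template-references": ["$XSAPPNAME.RiskAdmin"] }],
}, "dev");
console.log(validateXsuaaConfig(broken));  // one finding about $XSAPPNAME.RiskAdmin
```

      Running the check against each target space before cf deploy catches the mismatch that would otherwise leave a role collection with no usable role behind it.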

Result

You added XSUAA security settings to your application. Now you need to add an application router (approuter) to route your application's requests from the web browser to either the service or the UI.

Reference Links: Setting Up SAP Authorization and Trust Management

For your convenience this section contains the external references in this lesson.

If links are used multiple times within the text, only the first location is mentioned in the reference table.

Reference Links: SAP Authorization and Trust Management

| Ref# | Section | Context text fragment | Brief description | Link |
|---|---|---|---|---|
| 1 | Set Up SAP Authorization and Trust Management | You will set up SAP Authorization and Trust Management | SAP Authorization and Trust Management | https://help.sap.com/viewer/df50977d8bfa4c9a8a063ddb37113c43/LATEST/en-US/aaaad9424e7442eab5d44b20f0ecbfd7.html |
| 2 | Set Up Application Security with XSUAA Security Configuration | configure the XSUAA service | XSUAA service | https://help.sap.com/viewer/4505d0bdaf4948449b7f7379d24d0f0d/LATEST/en-US/35d910ee7c7a445a950b6aad989a5a26.html |
| 3 | Adjust Authorization and Trust Management Service (XSUAA) in MTA | Alternatively, role collections can be manually added | Role collections | https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/LATEST/en-US/0039cf082d3d43eba9200fe15647922a.html |
