Business Case
Your company is developing a set of applications on the SAP Business Technology Platform, Cloud Foundry environment. As the applications are running in the cloud, you want to protect them from unauthorized access. The SAP Authorization and Trust Management service in conjunction with the Extended Services - User Account and Authentication (XSUAA) service provide all the required features.
Manage User Authorizations
The SAP Authorization and Trust Management service lets you manage user authorizations and trust to identity providers. Identity providers are the user base for applications. You can use an identity authentication tenant, an SAP on-premise system, or a custom corporate identity provider. User authorizations are managed using technical roles at the application level, which can be aggregated into business-level groups and role collections for large-scale cloud scenarios.
Platform Users Versus Business Users
- Platform Users
Platform users are usually developers, administrators, or operators who deploy, administer, and troubleshoot applications and services on SAP BTP.
For platform users, the default identity provider is SAP ID service.
- Business Users
- Business users use the applications that are deployed to SAP BTP. For example, the end users of your deployed application or users of subscribed apps or services, such as SAP Business Application Studio or SAP Web IDE, are business users.
Extended Services - User Account and Authentication (XSUAA) Service
The Extended Services - User Account and Authentication (XSUAA) service is one of the most important components to deal with when developing your own applications on Cloud Foundry. It authenticates and authorizes your users and assigns the right privileges to your user’s session so your application can do the following:
- Identify the user by Email, UserId, First, and Lastname.
- Check its roles (scopes) to decide if a user is allowed to do something or prohibit its action.
The XSUAA is an internal development of SAP. SAP took the base of the open source UAA OAuth2 Provider of Cloud Foundry and extended it with SAP specific features to be used in SAP applications. One important thing is that the XSUAA does NOT store "real" users. This is why the XSUAA needs to trust an external Identity Provider (IdP).
Note
This graphic only applies to SAP Business Technology Platform cloud management tools Feature Set B. Check out User and Member Management in the SAP Help Portal pages to better understand the differences between Feature Set A and Feature Set B in regard to user management.In Feature Set B, your SAP BTP global account has its own XSUAA tenant. This XSUAA tenant by default has a trust relationship to the SAP ID service. The SAP ID service manages a large base of users, that have created a user account with SAP. You can add users that exist in the SAP ID service as members to your global account and subaccount. For these users to be able to perform administrative tasks, they need to be assigned with corresponding role collections. There is a set of default platform role collections, like Global Account Administrator, Global Account Viewer, Subaccount Administrator, or Cloud Connector Administrator that you can use for the purpose of assigning SAP BTP account management authorizations. See this SAP Help Portal page for further information on the default role collections for account management.
Contrary to the platform users from the SAP ID service, your business users can also be provided via your own corporate identity provider. These are the users you want to provide access to your business applications. These might be SaaS applications provided by SAP, like SAP Business Application Studio or SAP Workflow Management, or your own applications that you develop on the SAP BTP. The business applications have their own role collections, like - for example, Business_Application_Studio_Developer, WorkflowManagementAdmin, or any custom role collection that you create for your application.
The following sections shed more light on the terms role collection, role, and scope, and their relationship to each other.
Role Collections, Roles, and Scopes
The following figure, Role Collections, Roles, and Scopes, shows the relationships between role collections, roles, and scopes.
- Scopes
Scopes are arbitrary values that express authorizations / access rights in an application or service. Scopes need to be prefixed with an xsappname to make them uniquely identifiable.
- Roles
Roles are entities that hold several scopes. Scopes can be put in multiple roles, so you are not limited to have scopes sitting in just one role.
- Role Collections
Role collections contain one or more roles. A role can be used in multiples. But it is totally fine to have, for example, a called Admin that only has an admin role.
Role collections are stored as an assignment in the XSUAA and are THE entity that can be assigned to a certain business user.
How Does it Work in Practice?
The following section is a short summary of the official help page.
Watch this video to know more about scope, role collections, and roles. In the video you can see three different personas. One is the developer working within a project and space. The other is an admin taking care of the CF account as a security admin.
What is xs-security.json?
To simplify things, let’s just call the xs-security.json the "declaration of your app’s security". The following xs-security.json is an excerpt of the risk-management application being built during the exercises.
12345678910111213141516171819202122232425262728293031323334
{
"xsappname": "risk-management",
"tenant-mode": "dedicated",
"scopes": [
{
"name": "$XSAPPNAME.RiskViewer",
"description": "RiskViewer"
},
{
"name": "$XSAPPNAME.RiskManager",
"description": "RiskManager"
}
],
"attributes": [],
"role-templates": [
{
"name": "RiskViewer",
"description": "generated",
"scope-references": [
"$XSAPPNAME.RiskViewer"
],
"attribute-references": []
},
{
"name": "RiskManager",
"description": "generated",
"scope-references": [
"$XSAPPNAME.RiskManager"
],
"attribute-references": []
}
]
}
You have to tell the XSUAA service how to call your application (xsappname) and further define your scopes and role-templates. This can also be defined in the mta.yaml file as well. The scopes are being used within the application to check concrete permissions whenever a user tries to perform a certain action.
Summary
You have now gained a general understanding of the SAP Authorization and Trust Management service, the relevance of the Extended Services - User Account and Authentication (XSUAA) service, and the basic concepts of user management and assignment. You know what the xs-security.json application security descriptor file is used for and how it relates to scopes, roles, and the XSUAA service. You also know where to look for additional information.
Further Reading
- Parts of the text and graphics were taken from the blog post Demystifying XSUAA in SAP Cloud Foundry. Take a look at the blog for even more information. The explanations in regard to user management in the blog post refer to the SAP BTP cloud management tools, Feature Set A.
- The Application Security Descriptor