Skip to Content

Implement Roles and Authorization Checks In CAP

0 %
Implement Roles and Authorization Checks In CAP

Implement Roles and Authorization Checks In CAP

November 16, 2021
Created by
June 14, 2021
This tutorial shows you how to enable authentication and authorization for your CAP application.

You will learn

  • How to enable authentication support
  • How to add role restrictions to entities
  • How to add a local user for testing
  • How to access the application with a user and password
QR code

To start with this tutorial use the result in the launchpage branch.

Step 1: Enable authentication support

To enable authentication support in CAP, the passport module needs to be installed. Passport is Express-compatible authentication middleware for Node.js.

Additional Documentation:

Authentication for CAP Node.js SDK

  1. Navigate to your project folder.

  2. Install the passport module.

    npm install passport
Which NPM module is used to implement authentication?

Step 2: Adding CAP role restrictions to entities
  1. Open the file srv/risk-service.cds.

  2. Add the following restrictions block (@(...)) to your Risks and Mitigations entities.

using { sap.ui.riskmanagement as my } from '../db/schema';
@path: 'service/risk'
service RiskService {
  entity Risks @(restrict : [
                grant : [ 'READ' ],
                to : [ 'RiskViewer' ]
                grant : [ '*' ],
                to : [ 'RiskManager' ]
        ]) as projection on my.Risks;
    annotate Risks with @odata.draft.enabled;
  entity Mitigations @(restrict : [
                grant : [ 'READ' ],
                to : [ 'RiskViewer' ]
                grant : [ '*' ],
                to : [ 'RiskManager' ]
        ]) as projection on my.Mitigations;
    annotate Mitigations with @odata.draft.enabled;

With this change, a user with the role RiskViewer can view risks and mitigations, and a user with role RiskManager can view and change risks and mitigations.

Log on to answer question

Step 3: Add Users for local testing

Since the authorization checks have been added to the CAP model, they apply not only when deployed to the cloud but also for local testing. Therefore, we need a way to log in to the application locally.

CAP offers a possibility to add local users for testing as part of the cds configuration. In this tutorial, we use the .cdsrc.json file to add the users.

  1. Copy the file templates/cap-roles/.cdsrc.json to your project directory cpapp. If you’re asked to replace an existing file with the same name, confirm.

    You have to make hidden files visible in your operating system in order to see the file.

    The file defines two users and

  2. Let’s look at the example.

      "[development]": {
        "auth": {
          "passport": {
            "users": {
              "": "...",
              "": {
                "password": "initial",
                "ID": "",
                "roles": [

    The user is defined by their ID, which happens to be the email address here, but it could also be a user ID. The user has an email, a password parameter, and a roles parameter. Keep in mind that the CAP roles and the Cloud Foundry roles and scopes are not the same thing.

Log on to answer question

Step 4: Access the Risks application with password

When accessing the Risks service in your browser, you get a basic auth popup now, asking for your user and password. You can use the two users to log in and see that it works.

  1. With cds watch running, go to http://localhost:4004/launchpage.html.

  2. Choose Risks and choose Go.

  3. Enter Username:

  4. Enter Password: initial.

Sign In Risk Application

You can now access the Risks application.

Access Risk Application

Currently there’s no logout functionality. You can clear your browser’s cache or simply close all browser windows to get rid of the login data in your browser. For Google Chrome, restart your browser (complete shutdown and restart) by entering chrome://restart in the address line.

Log on to answer question

The result of this tutorial can be found in the cap-roles branch.

Give us 55 seconds of your time to help us improve

Next Steps

Back to top