Skip to Content

Implement Roles and Authorization Checks In CAP

This tutorial shows you how to enable authentication and authorization for your CAP application.
You will learn
  • How to add role restrictions to entities
  • How to add a local user for testing
  • How to access the application with a user and password
iwonahahnIwona HahnOctober 17, 2022
Created by
June 14, 2021


  • Step 1
    1. Open the file srv/risk-service.cds.

    2. Add the following restrictions block (@(...)) to your Risks and Mitigations entities.

    using { sap.ui.riskmanagement as my } from '../db/schema';
    @path: 'service/risk'
    service RiskService {
      entity Risks @(restrict : [
                    grant : [ 'READ' ],
                    to : [ 'RiskViewer' ]
                    grant : [ '*' ],
                    to : [ 'RiskManager' ]
            ]) as projection on my.Risks;
        annotate Risks with @odata.draft.enabled;
      entity Mitigations @(restrict : [
                    grant : [ 'READ' ],
                    to : [ 'RiskViewer' ]
                    grant : [ '*' ],
                    to : [ 'RiskManager' ]
            ]) as projection on my.Mitigations;
        annotate Mitigations with @odata.draft.enabled;

    With this change, a user with the role RiskViewer can view risks and mitigations, and a user with role RiskManager can view and change risks and mitigations.

  • Step 2

    Since the authorization checks have been added to the CAP model, they apply not only when deployed to the cloud but also for local testing. Therefore, we need a way to log in to the application locally.

    CAP offers a possibility to add local users for testing as part of the cds configuration. In this tutorial, we use the .cdsrc.json file to add the users.

    1. Copy the file templates/cap-roles/.cdsrc.json to your project directory cpapp. If you are asked to replace an existing file with the same name, confirm.

      You have to make hidden files visible in your operating system in order to see the file.

      The file defines two users and

    2. Let’s look at the example.

        "[development]": {
          "auth": {
            "passport": {
              "users": {
                "": "...",
                "": {
                  "password": "initial",
                  "ID": "",
                  "roles": [

      The user is defined by their ID, which happens to be the email address here, but it could also be a user ID. The user has an email, a password parameter, and a roles parameter. Keep in mind that the CAP roles and the Cloud Foundry roles and scopes are not the same thing.

  • Step 3

    When accessing the Risks service in your browser, you get a basic auth popup now, asking for your user and password. You can use the two users to log in and see that it works.

    1. With cds watch running, go to http://localhost:4004/launchpage.html.

    2. Choose Risks and choose Go.

    3. Enter Username:

    4. Enter Password: initial.

    Sign In Risk Application

    You can now access the Risks application.

    Access Risk Application

    Currently there’s no logout functionality. You can clear your browser’s cache or simply close all browser windows to get rid of the login data in your browser. For Google Chrome, restart your browser (complete shutdown and restart) by entering chrome://restart in the address line.

    The result of this tutorial can be found in the cap-roles branch.

    After adding the CAP role restriction to entities, what can a user with role `RiskViewer` do?

Back to top