Skip to Content

Prepare User Authentication and Authorization (XSUAA) Setup

Beginner
5 min.
SAP Cloud Application Programming Model, Beginner, Node.js, SAP Fiori, Tutorial, SAP Business Technology Platform, SAP BTP, Kyma runtime
This tutorial shows you how to set up User Authentication and Authorization (XSUAA).
You will learn
  • How to set up User Authentication and Authorization (XSUAA)
manjuXManju ShankarDecember 6, 2022
Created by
iwonahahn
July 5, 2022
Contributors
maximilianone
iwonahahn
manjuX

Prerequisites

  • Step 1

    1. Run the following command in your project folder:

      Shell/Bash
      Copy
      cds add xsuaa --for production

      What happens here? Running cds add xsuaa does two things:

      • Adds the XSUAA service to the package.json file of your project
      • Creates the XSUAA security configuration (that is, the file xs-security.json) for your project

    2. Check if the following lines have been added to the package.json in your cpapp project:

      JSON
      Copy
      {
  ...
  "cds": {
    "requires": {
      "[production]": {
        ...
        "auth": {
          "kind": "xsuaa"
        }
      }
    }
  }
}
    Log in to complete tutorial
  • Step 2

    A scope represents a single authorization to perform an action. For example, there could be a scope “Read” and a scope “Write”. The scope allows a user to read or write a certain business object. Scopes can’t be assigned to users directly. They’re packaged into roles. For example, there could be a role “Editor” consisting of the “Read” and “Write” scopes, while the role “Viewer” consists only of the “Read” scope.

    Check the file xs-security.json that was created in your cpapp project. The file contains the configuration of the XSUAA (SAP Authorization and Trust Management Service). The CAP server takes the authorization parts @(restrict ... ) from our service definition form and creates scopes and role templates from it. For example, it found the roles RiskViewer and RiskManager in the srv/risk-service.cds file:

    JavaScript
    Copy
      entity Risks @(restrict : [
            {
                grant : [ 'READ' ],
                to : [ 'RiskViewer' ]
            },
            {
                grant : [ '*' ],
                to : [ 'RiskManager' ]
            }
      ]) as projection on my.Risks;

    And created scopes and roles for both in the xs-security.json file:

    JSON
    Copy
    {
  "scopes": [
    {
      "name": "$XSAPPNAME.RiskViewer",
      "description": "Risk Viewer"
    },
    {
      "name": "$XSAPPNAME.RiskManager",
      "description": "Risk Manager"
    }
  ],
  "role-templates": [
    {
      "name": "RiskViewer",
      "description": "Risk Viewer",
      "scope-references": [
        "$XSAPPNAME.RiskViewer"
      ],
      "attribute-references": []
    },
    {
      "name": "RiskManager",
      "description": "Risk Manager",
      "scope-references": [
        "$XSAPPNAME.RiskManager"
      ],
      "attribute-references": []
    }
  ]
}

    How can you add role checks to your CAP service?

    Log in to complete tutorial
Back to Top
Back to top