
Prepare User Authentication and Authorization (XSUAA) Setup

This tutorial shows you how to set up User Authentication and Authorization (XSUAA).
You will learn
  • How to set up User Authentication and Authorization (XSUAA)
Iwona Hahn, October 17, 2022
Created by iwonahahn, June 14, 2021
Contributors: iwonahahn, manjuX, slavipande
  • Step 1
    1. Run the following command in your project folder:

      Shell/Bash
      cds add xsuaa --for production


      What happens here? Running cds add xsuaa does two things:

      • Adds the XSUAA service to the package.json file of your project
      • Creates the XSUAA security configuration for your project
    2. Check if the following lines have been added to the package.json in your cpapp project:

    JSON
    {
      ...
      "cds": {
        "requires": {
          "[production]": {
            ...
            "auth": {
              "kind": "xsuaa"
            }
          }
        }
      }
    }
    
  • Step 2

    A scope represents a single authorization to perform an action. For example, there could be a scope “Read” and a scope “Write”. The scope allows a user to read or write a certain business object. Scopes can’t be assigned to users directly. They’re packaged into roles. For example, there could be a role “Editor” consisting of the “Read” and “Write” scopes, while the role “Viewer” consists only of the “Read” scope.

    Check the file xs-security.json that was created in your cpapp project. The file contains the configuration of the XSUAA (XS User Authentication and Authorization service). The CAP server takes the authorization parts @(restrict ...) from our service definition and creates scopes and role templates from them. For example, it found the roles RiskViewer and RiskManager in the srv/risk-service.cds file:

    CDS
    entity Risks @(restrict : [
        {
            grant : [ 'READ' ],
            to : [ 'RiskViewer' ]
        },
        {
            grant : [ '*' ],
            to : [ 'RiskManager' ]
        }
    ]) as projection on my.Risks;


    And created scopes and roles for both in the xs-security.json file:

    JSON
    {
      "scopes": [
        {
          "name": "$XSAPPNAME.RiskViewer",
          "description": "Risk Viewer"
        },
        {
          "name": "$XSAPPNAME.RiskManager",
          "description": "Risk Manager"
        }
      ],
      "role-templates": [
        {
          "name": "RiskViewer",
          "description": "Risk Viewer",
          "scope-references": [
            "$XSAPPNAME.RiskViewer"
          ],
          "attribute-references": []
        },
        {
          "name": "RiskManager",
          "description": "Risk Manager",
          "scope-references": [
            "$XSAPPNAME.RiskManager"
          ],
          "attribute-references": []
        }
      ]
    }
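    The mapping above, from the roles named in @restrict to the scopes and role-templates in xs-security.json, is worth checking mechanically whenever the service definition changes: a role that is granted in CDS but has no role-template can never be assigned to a user, so the restriction silently locks everyone out, and a role-template without a matching scope is equally useless. The following Node.js script is an added example written for this page; it is not part of the tutorial or of the cds toolchain. It represents the Risks annotation as a constructed data structure (the real one comes from the compiled CSN), rebuilds the generated configuration in the same shape the tutorial shows, and reports roles that a given xs-security.json fails to define. The camelCase-to-words description and the built-in pseudo-role list are assumptions of this example, not guaranteed behaviour of cds add xsuaa.

    ```javascript
    // Added example: derive xs-security.json scopes/role-templates from @restrict
    // rules and check a deployed xs-security.json for missing role definitions.

    // Constructed sample mirroring the Risks entity from srv/risk-service.cds.
    const risksRestrict = [
      { grant: ['READ'], to: ['RiskViewer'] },
      { grant: ['*'],    to: ['RiskManager'] },
    ];

    // CAP pseudo-roles (assumed list, non-exhaustive) that are resolved by the
    // CAP runtime itself and must not be turned into XSUAA scopes.
    const PSEUDO_ROLES = new Set(['any', 'authenticated-user', 'system-user']);

    // Collect the real application roles referenced by a @restrict block.
    function rolesFromRestrict(restrict) {
      const roles = new Set();
      for (const rule of restrict) {
        const to = Array.isArray(rule.to) ? rule.to : [rule.to]; // `to` may be a string or an array
        for (const role of to) if (!PSEUDO_ROLES.has(role)) roles.add(role);
      }
      return [...roles].sort();
    }

    // "RiskViewer" -> "Risk Viewer", matching the descriptions in the tutorial output (assumption).
    function splitCamel(name) {
      return name.replace(/([a-z0-9])([A-Z])/g, '$1 $2');
    }

    // Build the scopes and role-templates exactly in the shape shown above.
    function buildXsSecurity(roles) {
      return {
        scopes: roles.map(r => ({ name: `$XSAPPNAME.${r}`, description: splitCamel(r) })),
        'role-templates': roles.map(r => ({
          name: r,
          description: splitCamel(r),
          'scope-references': [`$XSAPPNAME.${r}`],
          'attribute-references': [],
        })),
      };
    }

    // Drift check: roles used in @restrict that the given xs-security.json does not
    // define as both a scope and a role-template referencing that scope.
    function missingRoleTemplates(xsSecurity, roles) {
      const templates = new Map((xsSecurity['role-templates'] || []).map(t => [t.name, t]));
      const scopes = new Set((xsSecurity.scopes || []).map(s => s.name));
      return roles.filter(r => {
        const t = templates.get(r);
        const scope = `$XSAPPNAME.${r}`;
        return !t || !scopes.has(scope) || !(t['scope-references'] || []).includes(scope);
      });
    }
    ```

    Run missingRoleTemplates against the xs-security.json checked into the project and the roles collected from every @restrict in srv/ before each deployment; a non-empty result means the authorization model in CDS and the XSUAA configuration have drifted apart.
    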
    

    The result of this tutorial can be found in the prepare-xsuaa branch.

    Which annotation marks a service as secured?
