A scope represents a single authorization to perform an action. For example, there could be a scope “Read” and a scope “Write”. The scope allows a user to read or write a certain business object. Scopes can’t be assigned to users directly. They’re packaged into roles. For example, there could a role “Editor” consisting of the “Read” and “Write” scopes, while the role “Viewer” consists only of the “Read” scope.
Check the file xs-security.json that was created in your cpapp project. The file contains the configuration of the XSUAA (XS User Authentication and Authorization service). The CAP server takes the authorization parts @(restrict ... ) from our service definition form and creates scopes and role templates from it. For example, it found the roles RiskViewer and RiskManager in the srv/risk-service.cds file:
entity Risks @(restrict : [
{
grant : [ 'READ' ],
to : [ 'RiskViewer' ]
},
{
grant : [ '*' ],
to : [ 'RiskManager' ]
}
]) as projection on my.Risks;
And created scopes and roles for both in the xs-security.json file:
{
"scopes": [
{
"name": "$XSAPPNAME.RiskViewer",
"description": "Risk Viewer"
},
{
"name": "$XSAPPNAME.RiskManager",
"description": "Risk Manager"
}
],
"role-templates": [
{
"name": "RiskViewer",
"description": "Risk Viewer",
"scope-references": [
"$XSAPPNAME.RiskViewer"
],
"attribute-references": []
},
{
"name": "RiskManager",
"description": "Risk Manager",
"scope-references": [
"$XSAPPNAME.RiskManager"
],
"attribute-references": []
}
]
}
The result of this tutorial can be found in the prepare-xsuaa branch.
Manju ShankarDecember 6, 2022
June 14, 2021
Svetoslav Pandeliev