Prepare User Authentication and Authorization (XSUAA) Setup

July 19, 2021
Created by
June 14, 2021
This tutorial shows you how to set up User Authentication and Authorization (XSUAA).

You will learn

  • How to enable authentication support
  • How to set up user authentication and authorization (XSUAA)

To continue with this tutorial you can find the result of the previous tutorial in the cp/hana branch.


Step 1: Enable authentication support

To enable authentication support in CAP for SAP BTP, the xssec and xsenv modules need to be installed. If cds watch is still running, stop it with Ctrl+C. In your project folder execute:

npm i --save @sap/xssec @sap/xsenv

Step 2: Add UAA service

We need to tell CAP that XSUAA is used. For this open the package.json in your cpapp project and add the following lines:

{
  ...
  "cds": {
    "requires": {
      "db": {
        "kind": "sql"
      },
      "uaa": {
        "kind": "xsuaa",
        "credentials": {}
      }
    }
  }
}

Make sure you have pasted the new lines inside the "requires": { section and not outside of it; a misplaced "uaa" entry is not picked up by CAP and causes errors in the next steps.


Step 3: Roles and scopes

In the context of Cloud Foundry, a single authorization is called a scope. For example, there could be a scope “Read” and a scope “Write”. The scope allows a user to read or write a certain business object. Scopes can’t be assigned to users directly; they’re packaged into roles. For example, there could be a role “Editor” consisting of the “Read” and “Write” scopes, while the role “Viewer” consists only of the “Read” scope.

However, CAP recommends using roles only and creating one-to-one mappings between roles and scopes. We defined two roles as described in the Authorization section of the CAP documentation.


Step 4: XSUAA security configuration

Create the file xs-security.json in your cpapp project by executing:

cds compile srv --to xsuaa >xs-security.json

The file contains the configuration of the XSUAA (XS User Authentication and Authorization service).

The CAP server takes the authorization parts @(restrict ...) from our service definition and creates scopes and role templates from them.

For example, it found the roles RiskViewer and RiskManager in the srv/risk-service.cds file:

entity Risks @(restrict : [
    {
        grant : [ 'READ' ],
        to : [ 'RiskViewer' ]
    },
    {
        grant : [ '*' ],
        to : [ 'RiskManager' ]
    }
]) as projection on my.Risks;

And created scopes and roles for both in the xs-security.json file:

{
  "xsappname": "cpapp",
  ...
  "scopes": [
    {
      "name": "$XSAPPNAME.RiskViewer",
      "description": "Risk Viewer"
    },
    {
      "name": "$XSAPPNAME.RiskManager",
      "description": "Risk Manager"
    }
  ],
  "role-templates": [
    {
      "name": "RiskViewer",
      "description": "Risk Viewer",
      "scope-references": [
        "$XSAPPNAME.RiskViewer"
      ],
      "attribute-references": []
    },
    {
      "name": "RiskManager",
      "description": "Risk Manager",
      "scope-references": [
        "$XSAPPNAME.RiskManager"
      ],
      "attribute-references": []
    }
  ]
}
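Because the roles in @restrict (Step 3) and the scopes and role templates in xs-security.json (Step 4) must line up, it is worth checking the generated file before deploying it: a role used in @restrict with no role template can never be granted, and a role template pointing at an undeclared scope silently grants nothing. The following is an added example, not code from the SAP tutorial or the CAP project. It mirrors the tutorial's cpapp output in constructed constants (in a real project you would JSON.parse the file read from disk) and assumes the CAP pseudo-roles any, authenticated-user and system-user, which need no role template.

```javascript
// Added example (not part of the SAP tutorial): sanity-check a generated
// xs-security.json against the roles used in @restrict annotations.
// The constants below are constructed to mirror the tutorial's cpapp output;
// in a real project read the file with JSON.parse(fs.readFileSync(...)).

// Constructed mirror of the @restrict rules on the Risks entity.
const RISKS_RESTRICT = [
  { grant: ["READ"], to: ["RiskViewer"] },
  { grant: ["*"], to: ["RiskManager"] },
];

// Constructed sample shaped like the output of `cds compile srv --to xsuaa`.
const SAMPLE_XS_SECURITY = {
  xsappname: "cpapp",
  scopes: [
    { name: "$XSAPPNAME.RiskViewer", description: "Risk Viewer" },
    { name: "$XSAPPNAME.RiskManager", description: "Risk Manager" },
  ],
  "role-templates": [
    { name: "RiskViewer", description: "Risk Viewer",
      "scope-references": ["$XSAPPNAME.RiskViewer"], "attribute-references": [] },
    { name: "RiskManager", description: "Risk Manager",
      "scope-references": ["$XSAPPNAME.RiskManager"], "attribute-references": [] },
  ],
};

// CAP pseudo-roles (assumption stated in the lead-in) that need no role template.
const PSEUDO_ROLES = new Set(["any", "authenticated-user", "system-user"]);

// Distinct role names referenced by the `to` lists of @restrict rules.
function rolesInRestrict(restrict) {
  const roles = new Set();
  for (const rule of restrict) {
    for (const role of rule.to || []) {
      if (!PSEUDO_ROLES.has(role)) roles.add(role);
    }
  }
  return [...roles].sort();
}

// Roles used in @restrict that have no role template: nobody could ever be
// granted them, so the restricted data would be unreachable for real users.
function missingRoleTemplates(restrict, config) {
  const templates = new Set((config["role-templates"] || []).map((t) => t.name));
  return rolesInRestrict(restrict).filter((role) => !templates.has(role));
}

// Structural checks on xs-security.json; returns a list of problem strings
// (an empty list means the file is consistent).
function validateXsSecurity(config) {
  const problems = [];
  const scopes = config.scopes || [];
  const roleTemplates = config["role-templates"] || [];
  const scopeNames = new Set(scopes.map((s) => s.name));
  const usedBy = new Map(); // scope name -> role templates referencing it

  for (const scope of scopes) {
    // Scopes are namespaced with $XSAPPNAME so they belong to this app only.
    if (!scope.name.startsWith("$XSAPPNAME.")) {
      problems.push(`scope "${scope.name}" is not prefixed with $XSAPPNAME`);
    }
  }
  for (const role of roleTemplates) {
    const refs = role["scope-references"] || [];
    if (refs.length !== 1) {
      problems.push(`role-template "${role.name}" references ${refs.length} scopes (CAP recommends exactly one)`);
    }
    for (const ref of refs) {
      if (!scopeNames.has(ref)) {
        problems.push(`role-template "${role.name}" references undeclared scope "${ref}"`);
      }
      usedBy.set(ref, [...(usedBy.get(ref) || []), role.name]);
    }
  }
  for (const name of scopeNames) {
    const users = usedBy.get(name) || [];
    if (users.length === 0) problems.push(`scope "${name}" is not referenced by any role-template`);
    if (users.length > 1) problems.push(`scope "${name}" is shared by roles ${users.join(", ")} (not one-to-one)`);
  }
  return problems;
}

// Stand-alone usage on the constructed sample: both calls print [].
console.log(validateXsSecurity(SAMPLE_XS_SECURITY));
console.log(missingRoleTemplates(RISKS_RESTRICT, SAMPLE_XS_SECURITY));
```

Running this after every `cds compile srv --to xsuaa` (for example as an npm script) catches a hand-edited xs-security.json that drifted from the service definition before the file reaches XSUAA.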

The result of this tutorial can be found in the cp/roles branch.
