
Prepare User Authentication and Authorization (XSUAA) Setup


November 16, 2021
Created by
June 14, 2021
This tutorial shows you how to set up User Authentication and Authorization (XSUAA).

You will learn

  • How to enable authentication support
  • How to set up user authentication and authorization (XSUAA)

To start with this tutorial, use the result in the hana-cloud-setup branch.


Step 1: Enable authentication support

To enable authentication support in CAP for SAP BTP, the @sap/xssec module needs to be installed. If cds watch is still running, stop it with Ctrl + C. In your project folder execute:

npm install --save @sap/xssec

Step 2: Add UAA service

We need to tell CAP that XSUAA is used. For this, open the package.json in your cpapp project and add the following lines.

{
  ...
  "cds": {
    "requires": {
      "db": {
        "kind": "sql"
      },
      "uaa": {
        "kind": "xsuaa",
        "credentials": {}
      }
    }
  }
}

Make sure you have pasted the new lines within the "requires": { section and not outside of it. Placing them outside that section causes errors in the next steps, because CAP will not see the uaa requirement.


Step 3: Roles and scopes

In the context of Cloud Foundry, a single authorization is called a scope. For example, there could be a scope "Read" and a scope "Write". The scope allows a user to read or write a certain business object. Scopes can't be assigned to users directly. They're packaged into roles. For example, there could be a role "Editor" consisting of the "Read" and "Write" scopes, while the role "Viewer" consists only of the "Read" scope.


Step 4: XSUAA security configuration

Create the file xs-security.json in your cpapp project by executing the following command. Note that the shell redirection overwrites an existing xs-security.json, so any manual edits you made to that file are lost when you rerun the command.

cds compile srv --to xsuaa >xs-security.json

The file contains the configuration of the XSUAA (XS User Authentication and Authorization service).

The cds compiler takes the authorization annotations @(restrict ...) from our service definition and derives scopes and role templates from them.

For example, it found the roles RiskViewer and RiskManager in the srv/risk-service.cds file:

entity Risks @(restrict : [
    {
        grant : [ 'READ' ],
        to : [ 'RiskViewer' ]
    },
    {
        grant : [ '*' ],
        to : [ 'RiskManager' ]
    }
]) as projection on my.Risks;

And created a scope and a role template for each of them in the xs-security.json file:

{
  "xsappname": "cpapp",
  ...
  "scopes": [
    {
      "name": "$XSAPPNAME.RiskViewer",
      "description": "Risk Viewer"
    },
    {
      "name": "$XSAPPNAME.RiskManager",
      "description": "Risk Manager"
    }
  ],
  "role-templates": [
    {
      "name": "RiskViewer",
      "description": "Risk Viewer",
      "scope-references": [
        "$XSAPPNAME.RiskViewer"
      ],
      "attribute-references": []
    },
    {
      "name": "RiskManager",
      "description": "Risk Manager",
      "scope-references": [
        "$XSAPPNAME.RiskManager"
      ],
      "attribute-references": []
    }
  ]
}
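Steps 3 and 4 describe the contract between the roles named in @restrict and the scopes and role templates in xs-security.json: a role that has no matching scope can never be granted to a user, so the restricted entity becomes unreachable (it fails closed), and a role template that references an undeclared scope is rejected at deploy time. The following is an added example, not code from the SAP tutorial or from CAP itself, that checks that contract offline. The role list and the xs-security.json object are constructed to mirror the tutorial's Risks entity; the function and variable names (checkXsSecurity, RESTRICT_ROLES, XS_SECURITY) are the example's own.

```javascript
// Added example (not part of the SAP tutorial): cross-check the roles used in
// @restrict annotations against the scopes and role templates that
// `cds compile srv --to xsuaa` writes to xs-security.json.

// Constructed from the srv/risk-service.cds snippet shown in the tutorial.
const RESTRICT_ROLES = ["RiskViewer", "RiskManager"];

// Constructed xs-security.json in the shape the tutorial shows.
const XS_SECURITY = {
  xsappname: "cpapp",
  scopes: [
    { name: "$XSAPPNAME.RiskViewer", description: "Risk Viewer" },
    { name: "$XSAPPNAME.RiskManager", description: "Risk Manager" },
  ],
  "role-templates": [
    { name: "RiskViewer", description: "Risk Viewer",
      "scope-references": ["$XSAPPNAME.RiskViewer"], "attribute-references": [] },
    { name: "RiskManager", description: "Risk Manager",
      "scope-references": ["$XSAPPNAME.RiskManager"], "attribute-references": [] },
  ],
};

// XSUAA expands $XSAPPNAME. at deploy time; strip it to get the local name.
// Returns null when the prefix is missing, which is itself a finding.
function localScopeName(name) {
  const prefix = "$XSAPPNAME.";
  return typeof name === "string" && name.startsWith(prefix)
    ? name.slice(prefix.length)
    : null;
}

// Returns an array of findings; an empty array means both artefacts agree.
function checkXsSecurity(restrictRoles, xsSecurity) {
  const findings = [];

  // Collect declared scopes (local names only).
  const scopes = new Set();
  for (const s of xsSecurity.scopes || []) {
    const local = localScopeName(s.name);
    if (local === null) findings.push(`scope ${s.name} lacks the $XSAPPNAME. prefix`);
    else scopes.add(local);
  }

  // Every scope a role template references must be declared above.
  const templates = new Map();
  for (const t of xsSecurity["role-templates"] || []) {
    templates.set(t.name, t);
    for (const ref of t["scope-references"] || []) {
      const local = localScopeName(ref);
      if (local === null || !scopes.has(local)) {
        findings.push(`role template ${t.name} references undeclared scope ${ref}`);
      }
    }
  }

  // A role named in @restrict with no scope or template can never be granted,
  // so the entity it protects is unreachable for everyone.
  for (const role of restrictRoles) {
    if (!scopes.has(role)) findings.push(`no scope for @restrict role ${role}`);
    if (!templates.has(role)) findings.push(`no role template for @restrict role ${role}`);
  }

  // A scope no template grants is harmless but usually a leftover worth noticing.
  for (const scope of scopes) {
    const granted = [...templates.values()].some((t) =>
      (t["scope-references"] || []).some((r) => localScopeName(r) === scope));
    if (!granted) findings.push(`scope ${scope} is not referenced by any role template`);
  }
  return findings;
}

// Usage: the tutorial's artefacts are consistent (no findings); adding a
// RiskAuditor role in CDS without regenerating xs-security.json produces two.
console.log(checkXsSecurity(RESTRICT_ROLES, XS_SECURITY));
console.log(checkXsSecurity([...RESTRICT_ROLES, "RiskAuditor"], XS_SECURITY));
```

Run this after every edit to a @restrict annotation, or wire it into a pre-deploy script, so that drift between the CDS model and xs-security.json is caught before the application reaches Cloud Foundry rather than showing up as an entity nobody can open.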

The result of this tutorial can be found in the prepare-xsuaa branch.

