Recently I had the chance to work on the following BTP cloud security use cases in a cloud application:
1) Display BTP role collections in a UI picker: show all role collections and roles that exist within the current subaccount for a specific XSUAA application, programmatically
2) Validate whether a role collection exists in the BTP subaccount
3) Show users: get the users to whom the role collections are assigned
To accomplish this kind of use case, I recommend referring to the official guides linked below.
Why SAP Cloud SDK
In general you can use axios, a promise-based HTTP client, to send asynchronous HTTP requests to any REST endpoint and perform CRUD operations. With this classic approach you have to write a lot of code yourself: making the BTP platform HTTP requests with axios in Node.js, obtaining and handling the tokens, mapping the JSON responses, and so on. It typically starts like this:
const axios = require('axios')      // HTTP client used for the raw REST calls
const xssec = require('@sap/xssec')  // SAP XSUAA security library for JWT handling
But if you use the SAP Cloud SDK, consuming any OpenAPI, OData or REST API becomes easy, whether it is a BTP platform API (for example the Workflow APIs, the Authorization API, the SCIM API, ...) or an S/4HANA API. In short, it makes your life easier.
Advantages of SAP Cloud SDK
- You benefit from less boilerplate code and a better developer experience.
- You get type-safe, auto-generated client classes, which saves a lot of code: you do not need to write DTOs, request/response or JSON models yourself.
- It hides the complexity of connecting to any remote service, i.e. it takes care of authentication, CSRF and ETag token handling, automated management of HTTP headers and much more. You can read more about the SAP Cloud SDK in the blog post below:
https://blogs.sap.com/2017/05/10/first-steps-with-sap-s4hana-cloud-sdk/
In this blog post I am using the Authorization REST API.
You can further extend SAP BTP security automation scenarios by using the Authorization REST API with the SAP Cloud SDK to manage application security artifacts and to administer the Authorization and Trust Management service (XSUAA) of SAP BTP, Cloud Foundry environment.
You can manage service instances of the Authorization and Trust Management service, as well as the roles, role templates, and role collections of your subaccount.
First, let's understand how to use the BTP Authorization REST API.
Screenshot: a few role collections available in my BTP trial subaccount, created for the demo cloud application
BTP Setup
To get the BTP role collections from XSUAA for this kind of use case:
- First, create a second XSUAA instance dedicated to reading the security artifacts. It only needs the service plan "apiaccess", as shown below. Note that the credentials of this instance grant administrative access to the security artifacts of the whole subaccount, so treat them as a privileged secret (keep them in a destination or credential store, never in source code or logs).
- Then create a service key for this "apiaccess" instance and use its Client ID, Client Secret and Access Token URL: with these you request an OAuth2 access token via the client-credentials grant, and every call to the Authorization REST API below is sent with that token as a Bearer token.
Scenario1 : Get Role Collections from BTP Sub Account
For the simplicity of this blog, I will just test the APIs from a REST client/Postman, as shown below.
The BTP Authorization "RoleCollectionsApi" returns all role collections that exist within the current BTP subaccount, as shown in the screenshot above.
Here you can also filter further by XSUAA application. Please refer to the Authorization REST API reference.
Scenario 2: Get User References for given Role Collection
Maybe an application admin needs to view which users have a specific application role, all scopes of a user, or certain role collections, without navigating to the BTP subaccount (subaccount viewer rights would be needed to see the subaccount details).
If you have a requirement to get the users to whom the role collections are assigned, this is also possible.
Installation instructions: usage of the SAP Cloud SDK
Now, if you would like to proceed programmatically, use the @sap-cloud-sdk/openapi-generator dependency. The installation instructions are explained in the official guide below: https://api.sap.com/api/AuthorizationAPI/cloud-sdk/JavaScript
Refer to the installation guide https://sap.github.io/cloud-sdk/docs/js/features/openapi/generate-client
Once the setup is complete, you can refer to the example source code.
The BTP Authorization "RoleCollectionsApi" returns all role collections that exist within the current BTP subaccount. You can also narrow the response with the other APIs, e.g. the roles of a specific application ID, or the information about a single role collection identified by its name.
const authapi = require("../src/generated/AuthorizationAPI");
// Roles of one XSUAA application, selected by its application ID
const authapp = authapi.RolesApi.getRolesByAppId("xsuaa-app-id");
// All role collections of the subaccount
const request = authapi.RoleCollectionsApi;
const roleCollections = request.getRoleCollections();
...
// execute() sends the request through the named destination, which holds the
// credentials of the "apiaccess" service key; it returns a Promise, so await it
const result = await roleCollections.execute({ destinationName: 'int_subaccountname_xsuaaname' });
....
Scenario 3: How to Get User & Permissions assigned on BTP Sub Account
If you navigate to the BTP subaccount -> Users (under "Security"), as shown below, you can view the users and the roles assigned to each user in the BTP cockpit.
Below is a screenshot from my BTP trial account.
REST API to get users and their assigned roles/permissions in a BTP subaccount
If you would like to get these user details programmatically, you can use the REST API below, in the same way as explained above under "How to use the BTP XSUAA Authorization REST API".
Maybe an application admin needs to view which users have a specific application role, all scopes, or role collections assigned.
For example, to get all users of the BTP subaccount, you can try the API below ("region" stands for the region of your subaccount; the host is the apiurl of your "apiaccess" service key, and the call is authenticated with the same Bearer token):
https://api.authentication.region.hana.ondemand.com/Users
You can also filter the response by sending query parameters such as userName, emails, etc.
https://api.authentication.region.hana.ondemand.com/Users?userName=john.doe@sap.com
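The BTP setup above (Client ID, Client Secret and Access Token URL from the "apiaccess" service key) and Scenarios 1 to 3 put together as one Node.js example. This is an added example, not code from the original post, from SAP's Cloud SDK or from any SAP sample: it deliberately takes the "classic" route without the SDK so that the token flow stays visible. It assumes the service key fields clientid, clientsecret, url and apiurl, the Authorization REST API paths /sap/rest/authorization/v2/rolecollections, .../rolecollections/{name} and .../rolecollections/{name}/users, and a SCIM filter parameter on /Users (filter=userName eq "..."); check all of these against the API reference on api.sap.com before relying on them. The host names, role collections and users in it are constructed demo data, and the HTTP transport is a fake that stands in for XSUAA, so the block runs offline.

```javascript
// Added example, not code from the original post or from SAP: a minimal Node.js client
// for the XSUAA Authorization REST API and SCIM /Users, driven by an "apiaccess" service
// key. The REST paths are assumptions taken from the Authorization REST API reference
// (verify on api.sap.com); the transport is injected so it runs offline against a fake.
// transport: async ({ method, url, headers, body }) => ({ status, json })
const AUTHZ = '/sap/rest/authorization/v2';

// OAuth2 client-credentials request from the service key fields clientid, clientsecret,
// url (token issuer) and apiurl (REST host). An apiaccess key is a subaccount-wide admin
// credential: keep it in a credential store or destination and never log it.
function buildTokenRequest(key) {
  const basic = Buffer.from(`${key.clientid}:${key.clientsecret}`).toString('base64');
  return {
    method: 'POST', url: `${key.url}/oauth/token`, body: 'grant_type=client_credentials',
    headers: { Authorization: `Basic ${basic}`, 'Content-Type': 'application/x-www-form-urlencoded' },
  };
}

class XsuaaAdminClient {
  constructor(key, transport) { this.key = key; this.transport = transport; this.token = null; }

  async getToken() {
    if (this.token) return this.token; // a real client must also honour expires_in
    const res = await this.transport(buildTokenRequest(this.key));
    if (res.status !== 200) throw new Error(`token request failed with HTTP ${res.status}`);
    return (this.token = res.json.access_token);
  }

  // Authenticated GET against apiurl; 404 becomes null so callers can test existence.
  async get(path, query = {}) {
    const qs = new URLSearchParams(query).toString();
    const res = await this.transport({
      method: 'GET', url: `${this.key.apiurl}${path}${qs ? `?${qs}` : ''}`,
      headers: { Authorization: `Bearer ${await this.getToken()}`, Accept: 'application/json' },
    });
    if (res.status === 404) return null;
    if (res.status !== 200) throw new Error(`GET ${path} failed with HTTP ${res.status}`);
    return res.json;
  }

  // Scenario 1 (UI picker): all role collections, optionally only those of one XSUAA app.
  async listRoleCollections(appId) {
    const all = await this.get(`${AUTHZ}/rolecollections`);
    return appId ? all.filter((rc) => (rc.roleReferences || []).some((r) => r.roleTemplateAppId === appId)) : all;
  }
  // Use case 2: does a role collection with exactly this name exist?
  async roleCollectionExists(name) {
    return (await this.get(`${AUTHZ}/rolecollections/${encodeURIComponent(name)}`)) !== null;
  }
  // Scenario 2: user references assigned to one role collection.
  getRoleCollectionUsers(name) {
    return this.get(`${AUTHZ}/rolecollections/${encodeURIComponent(name)}/users`);
  }
  // Scenario 3: SCIM users of the subaccount, optionally narrowed by a SCIM filter.
  getUsers(filter) { return this.get('/Users', filter ? { filter } : {}); }
}

// Constructed demo key, data and fake transport standing in for XSUAA. The fake checks what
// a real server would (Basic auth on the token endpoint, Bearer token on every API call).
const DEMO_KEY = {
  clientid: 'sb-demoapp!b123|xsuaa!b1', clientsecret: 'demo-secret',
  url: 'https://demo.authentication.eu10.hana.ondemand.com',
  apiurl: 'https://api.authentication.eu10.hana.ondemand.com',
};
const DEMO_RCS = [
  { name: 'DemoApp_Admin', roleReferences: [{ roleTemplateAppId: 'demoapp!t123', roleTemplateName: 'Admin', name: 'Admin' }] },
  { name: 'Subaccount Viewer', roleReferences: [] },
];
const DEMO_USERS = { DemoApp_Admin: [{ userName: 'john.doe@example.com', origin: 'sap.default' }] };

function fakeTransport() {
  const calls = [];
  const expectedBasic = buildTokenRequest(DEMO_KEY).headers.Authorization;
  const transport = async (req) => {
    calls.push(req);
    const { pathname, searchParams } = new URL(req.url);
    if (req.method === 'POST' && pathname === '/oauth/token') {
      if (req.headers.Authorization !== expectedBasic) return { status: 401, json: {} };
      return { status: 200, json: { access_token: 'demo-token', token_type: 'bearer', expires_in: 43199 } };
    }
    if (req.headers.Authorization !== 'Bearer demo-token') return { status: 401, json: {} };
    if (pathname === `${AUTHZ}/rolecollections`) return { status: 200, json: DEMO_RCS };
    const m = pathname.match(new RegExp(`^${AUTHZ}/rolecollections/([^/]+)(/users)?$`));
    const rc = m && DEMO_RCS.find((r) => r.name === decodeURIComponent(m[1]));
    if (m) return rc ? { status: 200, json: m[2] ? DEMO_USERS[rc.name] || [] : rc } : { status: 404, json: {} };
    if (pathname === '/Users') {
      const wanted = /^userName eq "(.+)"$/.exec(searchParams.get('filter') || '');
      const users = Object.values(DEMO_USERS).flat().filter((u) => !wanted || u.userName === wanted[1]);
      return { status: 200, json: { resources: users } };
    }
    return { status: 404, json: {} };
  };
  return { transport, calls };
}

// Runs the scenarios against the fake and returns the results.
async function demo() {
  const { transport, calls } = fakeTransport();
  const client = new XsuaaAdminClient(DEMO_KEY, transport);
  return {
    appCollections: (await client.listRoleCollections('demoapp!t123')).map((rc) => rc.name),
    adminExists: await client.roleCollectionExists('DemoApp_Admin'),
    missingExists: await client.roleCollectionExists('Does_Not_Exist'),
    adminUsers: (await client.getRoleCollectionUsers('DemoApp_Admin')).map((u) => u.userName),
    johnMatches: (await client.getUsers('userName eq "john.doe@example.com"')).resources.length,
    tokenRequests: calls.filter((c) => c.method === 'POST').length, // fetched once, then reused
  };
}

if (typeof require !== 'undefined' && require.main === module) demo().then(console.log);
```

Two points to keep when you swap the fake for a real HTTP client such as axios: the apiaccess credentials are an administrative secret for the whole subaccount, so they belong in a destination or credential store rather than in source or logs, and the token should be cached until shortly before expires_in runs out instead of being requested on every call.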
Scenario 4: Manage User Assignment to BTP XSUAA Role Collection Programmatically
To add users and groups programmatically, we have the BTP standard SCIM APIs to manage users, groups and custom schemas in SAP Cloud Identity Services at a custom IAS tenant (your own identity tenant):
https://api.sap.com/api/IdDS_SCIM/tryout
Thank you for reading! If you enjoyed this post, please consider giving it a 'Like', 'Share' it with your friends and followers, and 'Follow' me for more content like this. Your support means a lot to me!