source link: https://blogs.sap.com/2022/12/05/sap-btp-security-automation-manage-application-authorizations-and-idp-trust-for-sap-btp-programmatically/
Technical Articles
SAP BTP Security Automation: Using the Authorization REST API and SAP Cloud SDK to manage XSUAA service instances, roles, templates, and collections programmatically
Recently I got the chance to work on BTP cloud security; the use cases below are from a cloud application:
1) Display BTP role collections in a UI picker: show all role collections and roles that exist within the current subaccount and were created for a specific XSUAA app, programmatically.
2) Validate whether a role collection exists in the BTP subaccount.
3) Show users: get the users to whom a role collection is assigned.
To accomplish this, I recommend using the SAP Cloud SDK, which makes consuming the Authorization REST API easy and convenient on SAP Business Technology Platform.
- You benefit from less boilerplate code and a better developer experience.
- You get auto-generated, type-safe client classes, which saves a lot of code: you do not need to write DTOs, request/response classes or JSON models yourself.
- It hides the complexity of connecting to a remote service, i.e. it takes care of authentication, CSRF and ETag token handling, automated management of HTTP headers, and much more.
You can further extend SAP BTP security automation scenarios with the Authorization REST API and SAP Cloud SDK to manage application security artifacts and to administrate the Authorization and Trust Management service (XSUAA) of SAP BTP, Cloud Foundry environment.
You can manage service instances of the Authorization and Trust Management service, and you can manage the roles, role templates, and role collections of your subaccount.
Let's start with how to use the BTP Authorization REST API.
Screenshot: a few role collections available in my BTP trial subaccount, created for the demo cloud application.
To read these role collections from BTP XSUAA for this kind of use case, we need to create another XSUAA instance that is allowed to fetch the security artifacts.
This instance only needs to be created with the service plan "apiaccess", as shown below.
Then create a service key for this "apiaccess" XSUAA instance and use its Client ID, Client Secret and Access Token URL.
For simplicity in this blog, I will just test the APIs from a REST client/Postman, as shown below.
Here you can also filter by XSUAA app.
Get User References for given Role Collection
An application admin may need to see which users have a specific application role, all scopes of a user, or the role collections, without navigating to the BTP subaccount (subaccount view rights are needed to see subaccount details).
If you need to get the users to whom a role collection is assigned, this is also possible.
If you would like to proceed programmatically, use
@sap-cloud-sdk/openapi-generator
as explained in https://api.sap.com/api/AuthorizationAPI/cloud-sdk/JavaScript
Example: how to use the generated BTP Authorization "RoleCollectionsApi" to return all role collections that exist within the current BTP subaccount. You can also narrow the result with the other APIs, e.g. by a specified application ID, or return information about a single role collection identified by its name.
```javascript
// Client generated from the Authorization API spec with @sap-cloud-sdk/openapi-generator
const authapi = require("../src/generated/AuthorizationAPI");

async function main() {
  // Roles of one XSUAA application, identified by its app id
  const authapp = await authapi.RolesApi
    .getRolesByAppId("xsuaa-app-id")
    .execute({ destinationName: "int_subaccountname_xsuaaname" });
  // ...
  // All role collections of the current subaccount; the destination holds the
  // credentials of the "apiaccess" XSUAA instance
  const request = authapi.RoleCollectionsApi;
  const roleCollections = await request
    .getRoleCollections()
    .execute({ destinationName: "int_subaccountname_xsuaaname" });
  // ...
}
```
With the classic approach you need to write a lot more code yourself, i.e. making the BTP platform HTTP requests with Axios in Node.js:
```javascript
const axios = require('axios')        // HTTP client for the token and API requests
const xssec = require('@sap/xssec')   // SAP security library for XSUAA token handling
```
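As an added example that is not the blog's code, here is the classic approach written with the built-in fetch of Node 18+ instead of Axios: obtain a client-credentials token from the "apiaccess" service key and cover the three use cases from the introduction (list role collections, check that one exists, list the users it is assigned to). The Authorization API paths under /sap/rest/authorization/v2 and the response field names (name, origin, userName) are assumptions taken from the public API description, and fetchImpl is injectable so the logic can be exercised offline with constructed responses.

```javascript
const AUTHZ_BASE = "/sap/rest/authorization/v2"; // assumed base path of the Authorization API

// Exchange the "apiaccess" service key's client credentials for a bearer token.
// serviceKey fields follow an XSUAA service key: clientid, clientsecret, url, apiurl.
async function getAccessToken(serviceKey, fetchImpl = fetch) {
  const basic = Buffer.from(`${serviceKey.clientid}:${serviceKey.clientsecret}`).toString("base64");
  const res = await fetchImpl(`${serviceKey.url}/oauth/token`, {
    method: "POST",
    headers: { Authorization: `Basic ${basic}`, "Content-Type": "application/x-www-form-urlencoded" },
    body: "grant_type=client_credentials",
  });
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// GET against the Authorization API (path assumed). Returns the parsed body, or null on 404
// so callers can tell "not found" from other failures, which are thrown.
async function authzGet(serviceKey, token, path, fetchImpl = fetch) {
  const res = await fetchImpl(`${serviceKey.apiurl}${AUTHZ_BASE}${path}`, {
    headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
  });
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`GET ${path} failed with HTTP ${res.status}`);
  return res.json();
}

// Use case 1: names of all role collections in the subaccount, e.g. for a UI picker.
async function listRoleCollectionNames(serviceKey, token, fetchImpl = fetch) {
  const collections = (await authzGet(serviceKey, token, "/rolecollections", fetchImpl)) || [];
  return collections.map((rc) => rc.name).sort();
}

// Use case 2: validate that a role collection with this exact name exists.
async function roleCollectionExists(serviceKey, token, name, fetchImpl = fetch) {
  const path = `/rolecollections/${encodeURIComponent(name)}`;
  return (await authzGet(serviceKey, token, path, fetchImpl)) !== null;
}

// Use case 3: users the role collection is assigned to, as "origin/userName"
// (user reference field names assumed).
async function usersOfRoleCollection(serviceKey, token, name, fetchImpl = fetch) {
  const path = `/rolecollections/${encodeURIComponent(name)}/users`;
  const users = (await authzGet(serviceKey, token, path, fetchImpl)) || [];
  return users.map((u) => `${u.origin}/${u.userName}`);
}
```

The service key values should be read from the application's environment or a secret store rather than committed with the code, since the "apiaccess" client can read and change the subaccount's authorizations.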
How to get the users and permissions assigned in a BTP subaccount
If you navigate to BTP Subaccount -> Security -> Users in the BTP Cockpit, as shown below, you can view the users and the roles assigned to each user.
Below is a screenshot from my BTP trial account.
REST API to get users and their assigned roles/permissions in a BTP subaccount
If you would like to get these user details programmatically, you can use the REST API below, similar to what I explained above under "How to use the BTP XSUAA Authorization REST API".
An application admin may need to view the users that have a specific application role, all scopes, or an assigned role collection.
To get all users of a BTP subaccount:
https://api.authentication.region.hana.ondemand.com/Users
You can also filter the response by sending query parameters, for example:
https://api.authentication.region.hana.ondemand.com/[email protected]
Manage user assignment to BTP XSUAA role collections programmatically
To add users and groups programmatically, we have the BTP standard SCIM APIs (https://api.sap.com/api/IdDS_SCIM/tryout) to manage users, groups and custom schemas in SAP Cloud Identity Services on a custom IAS tenant (your own identity tenant).
Thank you for reading this blog post. I hope it is useful for you!
If you find this material useful, please leave your feedback in the comments section below.
Feel free to also 'Like', 'Share' and 'Follow' me to get new updates.