How do I assign roles to my user with SAP S4SDK/CAPM?


I'm using the SAP S/4HANA Cloud SDK (S4SDK) in conjunction with the Cloud Application Programming Model (CAPM). I have workflow and Fiori artifacts in Neo that consume the S4SDK service running in Cloud Foundry (CF). The S4SDK service is then calling S/4HANA (Public) Cloud using a system user. I have set up Principal Propagation from Neo to CF as per the following link:

Principal Propagation from the Neo to the Cloud Foundry Environment

I've been developing my project for a couple of months now. Now the time has come to set up role based access to my OData services. I need to ensure that I have back-end validation to check that only approvers can set the status of my request to 'Approved', for example.

I plan to do this by declaring multiple OData services in the my-service.cds file. Then using spring-security I will only give those with the approvers role-collection access to the approvers service.

I'm following this blog:

Step 7 with SAP S/4HANA Cloud SDK: Secure your Application on SAP Cloud Platform, CloudFoundry

My xs-security.json looks like this:

{
  "xsappname": "s4projectcreate",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "scopes": [
    {
      "name": "uaa.user",
      "description": "UAA"
    },
    {
      "name": "$XSAPPNAME.AdminApprove",
      "description": "UAA"
    },
    {
      "name": "$XSAPPNAME.RiskApprove",
      "description": "UAA"
    }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": [
        "uaa.user"
      ]
    },
    {
      "name": "Admin_Approver",
      "description": "Request Admin Approver",
      "scope-references": [
        "$XSAPPNAME.AdminApprove"
      ]
    },
    {
      "name": "Risk_Approver",
      "description": "Request Risk Approver",
      "scope-references": [
        "$XSAPPNAME.RiskApprove"
      ]
    }
  ]
}

I made the following entries in my spring-security.xml (otherwise as per the blog):

<sec:intercept-url pattern="/odata/v2/ProjCreateApprover/**" access="#oauth2.hasScope('${xs.appname}.AdminApprove')" method="GET" />
<sec:intercept-url pattern="/odata/v2/**" access="isAuthenticated()" method="GET" />

When I go to the CF cockpit (org. level) and navigate to the Security/Roles section I can create a new role collection and add the two role templates to it.

I then navigate to the Trust Configuration where I see both the SCIA (a.k.a. SAP Cloud Identity) and 'Neo' sections. The latter I configured when I set up the principal propagation from Neo to CF. I can go into either account and enter my user email address. Then I can assign my role collection to the user (me).

The problem is, whatever I do here doesn't seem to enable me to pass the new security check. I always get the following message when I try to access the protected path:

Access is denied
access_denied

How should I be assigning this role? Do I use the email address, because that is normally the ID in CF? Should I be doing something at the space or even app level? Do I need to rebind the XSUAA service or something?

I'm testing in the browser. If I don't already have a session it is getting me to log in. The unprotected service still works fine.

ADDENDUM: Here is the JWT payload. It looks like I do have the scopes from the role:

{
  "jti": "aa4f13c4c456429ab7d7f**218b1ef86",
  "ext_attr": {
    "enhancer": "XSUAA",
    "zdn": "test**n"
  },
  "given_name": "P0000**",
  "xs.user.attributes": {},
  "family_name": "unknown.org",
  "sub": "123526eb-fda8-49cf-a507-506**d28efba",
  "scope": [
    "s4projectcreate!t23.AdminApprove",
    "openid",
    "s4projectcreate!t23.RiskApprove",
    "uaa.user"
  ],
  "client_id": "sb-s4projectcreate!t23",
  "cid": "sb-s4projectcreate!t23",
  "azp": "sb-s4projectcreate!t23",
  "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
  "user_id": "1235**eb-fda8-49cf-a507-506b8d28efba",
  "origin": "httpsap1.hana.ondemand.comc3d8**a55",
  "user_name": "p0000**",
  "email": "P0000**@unknown.org",
  "rev_sig": "8f**7376",
  "iat": 1552347533,
  "exp": 1552390733,
  "iss": "http://test**n.localhost:8080/uaa/oauth/token",
  "zid": "382217ca-6332-4b03-85ee-8f**85fd903a",
  "aud": []
}
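As an added example (not code from the post, the blog it follows, or the SAP libraries), the script below reproduces in Python the check that the `#oauth2.hasScope('${xs.appname}.AdminApprove')` expression performs: it reads the `scope` claim out of a token payload and compares it with the fully qualified scope name. The point it makes is visible in the JWT above: the scopes XSUAA issues carry the tenant-suffixed app name (`s4projectcreate!t23.AdminApprove`), so the check only passes if `xs.appname` resolves to the `xsappname` of the bound XSUAA instance, which Cloud Foundry exposes under `VCAP_SERVICES.xsuaa[].credentials.xsappname`, and not to the bare `xsappname` from xs-security.json. The sample payload and the sample `VCAP_SERVICES` document are constructed here from the values shown in the post; the helper names (`check_access`, `bound_xsappname`, `jwt_payload`) are this example's own.

```python
import base64
import json

# Constructed sample: the claims from the token payload in the post that
# matter for the scope check (masked values left as they appear there).
SAMPLE_PAYLOAD = {
    "scope": [
        "s4projectcreate!t23.AdminApprove",
        "openid",
        "s4projectcreate!t23.RiskApprove",
        "uaa.user",
    ],
    "client_id": "sb-s4projectcreate!t23",
    "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
}

# Constructed sample of the XSUAA binding as Cloud Foundry exposes it in the
# VCAP_SERVICES environment variable: the bound instance's xsappname carries
# the "!t<n>" tenant suffix that also appears in every issued scope.
SAMPLE_VCAP_SERVICES = {
    "xsuaa": [
        {
            "credentials": {
                "xsappname": "s4projectcreate!t23",
                "clientid": "sb-s4projectcreate!t23",
            }
        }
    ]
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWS for inspection only.

    This does NOT verify the signature. The application itself must never
    trust claims before the XSUAA client library has validated the token;
    this helper exists only to look at what a token contains.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def bound_xsappname(vcap_services: dict) -> str:
    """The value the hasScope() prefix must be resolved from: the bound
    XSUAA instance's xsappname, including its tenant suffix."""
    return vcap_services["xsuaa"][0]["credentials"]["xsappname"]


def has_scope(payload: dict, scope: str) -> bool:
    """Exact-match check against the token's scope claim (list or
    space-separated string, both forms occur in the wild)."""
    scopes = payload.get("scope", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    return scope in scopes


def check_access(payload: dict, xsappname: str, local_scope: str) -> bool:
    """Equivalent of #oauth2.hasScope('<xsappname>.<local_scope>')."""
    return has_scope(payload, f"{xsappname}.{local_scope}")


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature so jwt_payload() can be
    exercised offline. 'alg: none' is for this test only; a verifier must
    reject such tokens."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_PAYLOAD)
    claims = jwt_payload(token)
    # Prefix taken from xs-security.json: does not match the issued scopes.
    print("bare xsappname :", check_access(claims, "s4projectcreate", "AdminApprove"))
    # Prefix taken from the bound service: matches.
    print("bound xsappname:", check_access(claims, bound_xsappname(SAMPLE_VCAP_SERVICES), "AdminApprove"))
```

Running it prints `False` for the bare `s4projectcreate` prefix and `True` for the bound `s4projectcreate!t23` prefix, which is a quick way to confirm that a token really does carry the scope the intercept rule expects before looking for the cause elsewhere (role assignment, trust configuration, or a stale binding).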



Go to the SAP Cloud Platform; inside your subaccount you will find Trust Management. Just enable it. You will see your role reference there; by doing this you will be authorized to access the service.